Tuesday, June 23, 2015

Israeli Investment Home Exposes Client Data


Every now and then, we are required to provide our personal data to a big company. Sometimes, it is really required, like payment details for instance, in order to pay for the service, but usually, they need our data because they have to fill in a form. so they ask you what's your favorite color, what is your mother's maiden name or where you live.

Time passes, and some guy in the big company decides, that it is a good idea to connect this database to the Internet, or to copy it to the company's website, so the clients would feel like the company knows its clients personally and cares about them. 

So far - so good, but what happens when in the progress of modifying the website, people doing all the work don't think enough of the security consequences of their product? Sometimes, it can lead to user data expose. Our personal data. It can happen even in the United States Government: http://thehackernews.com/2015/06/china-data-theft.html


In other words you put your money in this place and hope that they handle it carefully. In order to see what's up with your money you need to log in. Let's see this:





Interesting: only one detail, the israeli Id number, and what happens next ?



Cool, my details without any authentication.
Can we do this for other people too ? 


Disclaimer 


This post describes how to collect user data. In some countries, this may be illegal, in addition, if you keep and or possess the collected data this would be illegal as well. 

I reported the security breach to the investment home, and created this Proof of Concept in order to make it clear that the breach must be fixed soon.

Preparation for the attack


So quick look at the Html\javascript: I did not find any reference to a NoBot, or reCaptcha, or other prevention. Moreover, I did not found and noticeable prevention cookie, like F5s ASM or Impervas SecureSphere. The only problem I can face is a rate limiting, which in theory can recognize that it is weird that one IP address creates so many requests to the single URL. If I was an attacker, I would probably used TOR or another anonymizing proxy, but since all I am doing is proving a point, I will just write a code that is slow enough that no one will care about


Attack

The "attack" does no harm to the servers nor to the data. I wrote a small script that will work in the following way:

  • Generate a number of 8 or 9 digits
  • Check if the number complies to the Israeli ID number standard https://github.com/eliuha/pyIsraeliId
  • Create a request to the Join.aspx on the server
  • Look for the user details in the response

Data


I ran the script for a while and I was able to collect the some personal data of the clients of  the investment home. The details are masked here in order to protect the people privacy 




Reporting

From my prior experience reporting a remote exploit to a big company is a tricky thing, not because they don't care about it, but because they don't understand the meaning of the vulnerability and the damage that they can cause to their client.

As a Financial company, the company must comply to some kind of regulation like the "Financial Bodies Data Protection Act "

http://www.this.co.il/getdoc/8d398da6-3929-484a-a41e-f14e164035a3/gufim-mosdiim.aspx



Update 1:   16/06/2015


I did not find any Security Operation Center that well help to alert the company, but, Israel is a small place, and it was relatively easy to find the CISO of the investment home. The guy sounded very responsible and promised that they will fix the vulnerability and update me when it happens.

Update 2: 21/06/2015

Nothing happened. The vulnerability still exists and the if my math is correct, using my inefficient rate, I would have collected about 10 000 records of customers personal data. I'll mail their internal supervisor, maybe they just forgot.

Turns out that Israeli Ministry of Finance has a list of internal supervisors, for the insurance companies:
http://mof.gov.il/hon/Information-entities/Received-public-entities/Pages/Consumer-Complaints-Officers-provident-funds.aspx



Update 3: 22/06/2015

They called me and told that the site was removed. 


Update 4: 19/08/2015


Now they have CAPTCHA that deserves it's own post. 

https://info.yl-invest.co.il/GIBWeb/Screens/shared/CaptchaImage.axd?guid=af4438ea-307e-4bfb-b06c-609dfdcb865a

I will have more writing to do tonight 



Sunday, March 1, 2015

GoPro update mechanism exposes multiple users Wi-Fi passwords




GO PRO USERS: Change your Wi-Fi passwords!

Like NOW!




One of the most awesome things that happened in the last couple of years is, without a doubt a GoPro cameras. Those little cameras are indestructible. They throw them from airplanes, send them to space crash in the cars and they keep working.


Password Reset

Recently, I took a GoPro from my friend and turns out that there is a mobile app that can control the camera. It requires a user to connect to the wireless network operated by the camera, and the app gives you the access to cool features like viewing the files on the camera's SD card and starting the recording. My problem was, that my friend did not remember the password for the camera, and therefore I decided to use the GoPro password reset the passwords

In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website http://gopro.com/support/articles/wi-fi-name-password. It is pretty simple procedure, with Next -> Next -> Finish that ends up with a link, to a zip file. When you download this file, you get a zip archive which you supposed to copy to a SD card, put it in your GoPro and reboot the camera.

When I opened the archive it revealed a file named “settings.in” which contained the desired settings for the camera.




















The Link

Let’s look at the link:
http://cbcdn2.gp-static.com/uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip

Notice that there is a number in the link, which acts like a token to tell one file from another,I marked it in bold. All you need to do, to access someone else’s Wi-Fi settings is to change this number. I tried changing this number to +/- 1 and got other people's files. 

Proof of Concept

To make sure that the attack is possible, I wrote a small python script, that runs on a range of the urls, extracts the settings from the response and puts them into a csv file.
There was no complications, nor noticeable shape limiting for downloading those zip file so I was able to create a list of 1000 Wi-Fi names and passwords, including my own.



The attack

I decided not to attack the users. It takes time driving around snowboarders and divers, looking fro a Wi-Fi networks of the GoPro cameras. Another reason is ethics of course: we are dealing with personal data, and some people may be insulted.

Theoretically, though, it should be a simple code to write. All you need is to check for each network that is near you against the list from the GoPro website, and if it is there, get all of the files.


Conclusion

GoPro made a very cool product. Lots of people love it and use it every day, so GoPro should protect our data and settings. 

As a quick mitigation I would consider replacing the number in the URL with a GUID or some other type of random value to make it harder to guess the links.

It is crucial to delete this kind of data from the server after the user downloads it or just delete them after an hour or two. 

Unfortunately, I could not reach the GoPro people in order to alert them about the issue, hopefully US-CERT will find a way to do that



Update

US-CERT was able to quickly locate the GoPro Security Engineers. Thank them for that.


Update 2 

4/03/2015: seems that the problem have been fixed.