Tuesday, June 23, 2015

Israeli Investment Home Exposes Client Data

Every now and then, we are required to provide our personal data to a big company. Sometimes it is really required, like payment details, in order to pay for the service, but usually they need our data because they have to fill in a form, so they ask you what your favorite color is, what your mother's maiden name is or where you live.

Time passes, and some guy in the big company decides that it is a good idea to connect this database to the Internet, or to copy it to the company's website, so the clients will feel like the company knows them personally and cares about them.

So far, so good, but what happens when, in the process of modifying the website, the people doing all the work don't think enough about the security consequences of their product? Sometimes it can lead to exposure of user data. Our personal data. It can happen even in the United States Government: http://thehackernews.com/2015/06/china-data-theft.html

In other words, you put your money in this place and hope that they handle it carefully. In order to see what's up with your money you need to log in. Let's see this:

Interesting: only one detail, the Israeli ID number. And what happens next?

Cool, my details without any authentication.
Can we do this for other people too?


This post describes how to collect user data. In some countries this may be illegal; in addition, keeping and/or possessing the collected data would be illegal as well.

I reported the security breach to the investment home, and created this Proof of Concept in order to make it clear that the breach must be fixed soon.

Preparation for the attack

So, a quick look at the HTML/JavaScript: I did not find any reference to a NoBot, reCAPTCHA or other prevention. Moreover, I did not find any noticeable prevention cookie, like F5's ASM or Imperva's SecureSphere. The only problem I could face is rate limiting, which in theory can recognize that it is weird that one IP address creates so many requests to a single URL. If I were an attacker, I would probably have used Tor or another anonymizing proxy, but since all I am doing is proving a point, I will just write code that is slow enough that no one will care about it.


The "attack" does no harm to the servers or to the data. I wrote a small script that works in the following way:

  • Generate an 8- or 9-digit number
  • Check whether the number complies with the Israeli ID number standard (https://github.com/eliuha/pyIsraeliId)
  • Send a request to Join.aspx on the server
  • Look for the user details in the response
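As an added example (not the post's script), the defender's side of the rate-limiting point above: a small Python check over web-server access logs that flags a source looking up many distinct ID values on Join.aspx within an hour, so a deliberately slow scraper that stays under any per-minute limit still stands out. The log format, the query parameter name `id`, and all addresses and ID values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed common-log-style format: ip - - [ts] "GET /path?qs HTTP/1.1" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)   # None for lines that do not match the format
    return m and (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"))

def find_enumerators(lines, endpoint="/Join.aspx", param="id",
                     window=timedelta(hours=1), max_distinct=20):
    """{ip: count} for sources that queried more than max_distinct DIFFERENT values
    of `param` on `endpoint` inside any window-long span. Counting distinct values
    rather than requests per minute is what catches a slow, patient scraper."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        ip, ts, path = rec
        url, _, qs = path.partition("?")
        params = dict(p.split("=", 1) for p in qs.split("&") if "=" in p)
        if url == endpoint and param in params:
            per_ip[ip].append((ts, params[param]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over this IP's lookups
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({v for _, v in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: a client checking its own record twice, and a scraper that
# sends one lookup every 3 minutes for two hours, never fast enough to look "bursty".
BASE = datetime(2015, 6, 21, 10, 0, tzinfo=timezone.utc)

def _entry(ip, minutes, idval):
    ts = (BASE + timedelta(minutes=minutes)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET /Join.aspx?id={idval} HTTP/1.1" 200 5120'

SAMPLE_LOG = [_entry("203.0.113.5", 1, "000000018"), _entry("203.0.113.5", 7, "000000018")]
SAMPLE_LOG += [_entry("198.51.100.9", 3 * i, f"{i:09d}") for i in range(40)]
```

Running `find_enumerators(SAMPLE_LOG)` flags only the scraper, with 21 distinct IDs inside one hour, while the legitimate client never appears.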


I ran the script for a while and was able to collect some personal data of the investment home's clients. The details are masked here in order to protect the people's privacy.


From my prior experience, reporting a remote exploit to a big company is a tricky thing, not because they don't care about it, but because they don't understand the meaning of the vulnerability and the damage it can cause to their clients.

As a financial company, the company must comply with some kind of regulation, like the "Financial Bodies Data Protection Act".


Update 1:   16/06/2015

I did not find any Security Operations Center that would help to alert the company, but Israel is a small place, and it was relatively easy to find the CISO of the investment home. The guy sounded very responsible and promised that they would fix the vulnerability and update me when it happened.

Update 2: 21/06/2015

Nothing happened. The vulnerability still exists and, if my math is correct, using my inefficient rate I would have collected about 10,000 records of customers' personal data. I'll mail their internal supervisor; maybe they just forgot.

It turns out that the Israeli Ministry of Finance has a list of internal supervisors for the insurance companies:

Update 3: 22/06/2015

They called me and told me that the site was removed.

Update 4: 19/08/2015

Now they have a CAPTCHA that deserves its own post.


I will have more writing to do tonight 

Sunday, March 1, 2015

GoPro update mechanism exposes multiple users Wi-Fi passwords

GO PRO USERS: Change your Wi-Fi passwords!

Like NOW!

One of the most awesome things that happened in the last couple of years is, without a doubt, GoPro cameras. Those little cameras are indestructible. People throw them from airplanes, send them to space, crash them in cars, and they keep working.

Password Reset

Recently, I borrowed a GoPro from my friend, and it turns out that there is a mobile app that can control the camera. It requires the user to connect to the wireless network operated by the camera, and the app gives you access to cool features like viewing the files on the camera's SD card and starting the recording. My problem was that my friend did not remember the password for the camera, and therefore I decided to use the GoPro password reset.

In order to reset your Wi-Fi settings you need to follow the directions on the GoPro website: http://gopro.com/support/articles/wi-fi-name-password. It is a pretty simple procedure, Next -> Next -> Finish, that ends up with a link to a zip file. When you download this file, you get a zip archive which you are supposed to copy to an SD card, put in your GoPro and reboot the camera.

When I opened the archive it revealed a file named “settings.in” which contained the desired settings for the camera.

The Link

Let’s look at the link:

Notice that there is a number in the link which acts like a token to tell one file from another; I marked it in bold. All you need to do to access someone else's Wi-Fi settings is to change this number. I tried changing this number by +/- 1 and got other people's files.

Proof of Concept

To make sure that the attack was possible, I wrote a small Python script that runs over a range of the URLs, extracts the settings from the response and puts them into a CSV file.
There were no complications, nor any noticeable rate limiting for downloading those zip files, so I was able to create a list of 1000 Wi-Fi names and passwords, including my own.

The attack

I decided not to attack the users. It takes time driving around after snowboarders and divers, looking for the Wi-Fi networks of GoPro cameras. Another reason is ethics, of course: we are dealing with personal data, and some people may be insulted.

Theoretically, though, it should be simple code to write. All you need to do is check each network near you against the list from the GoPro website, and if it is there, get all of the files.


GoPro made a very cool product. Lots of people love it and use it every day, so GoPro should protect our data and settings. 

As a quick mitigation, I would consider replacing the number in the URL with a GUID or some other type of random value to make the links harder to guess.

It is crucial to delete this kind of data from the server after the user downloads it, or just delete it after an hour or two.
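As an added example (not GoPro's code), the two mitigations above in Python: a download handle that is a 256-bit random token instead of a sequential number, and settings that are removed from the server after one download or after a configurable lifetime. Storage is an in-memory dict and the clock is injectable so the expiry can be exercised; the `settings.in` content is a constructed placeholder, since the post does not show the file's format.

```python
import secrets
import time

class SettingsStore:
    """Holds generated Wi-Fi settings files until they are downloaded or expire."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._items = {}            # token -> (expires_at, settings bytes)
        self._ttl = ttl_seconds
        self._clock = clock         # injectable so tests can move time forward

    def publish(self, settings: bytes) -> str:
        """Store settings and return the only handle that can fetch them.
        token_urlsafe(32) gives 256 random bits, so neighbouring links cannot be
        found by adding or subtracting 1 as with the sequential number in the post."""
        token = secrets.token_urlsafe(32)
        self._items[token] = (self._clock() + self._ttl, settings)
        return token

    def fetch(self, token: str):
        """Return the settings once and forget them. Unknown, expired and
        already-downloaded tokens all give the same answer (None)."""
        self._purge()
        entry = self._items.pop(token, None)
        return None if entry is None else entry[1]

    def pending(self) -> int:
        """Number of files still waiting on the server after expiry cleanup."""
        self._purge()
        return len(self._items)

    def _purge(self):
        now = self._clock()
        for tok in [t for t, (exp, _) in self._items.items() if exp <= now]:
            del self._items[tok]

# Constructed stand-in for the "settings.in" the post found inside the zip.
SAMPLE_SETTINGS = b"constructed settings.in placeholder\n"
```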

Unfortunately, I could not reach the GoPro people in order to alert them about the issue; hopefully US-CERT will find a way to do that.


US-CERT was able to quickly locate the GoPro security engineers. Thanks to them for that.

Update 2 

4/03/2015: it seems that the problem has been fixed.

Tuesday, December 16, 2014

Microsoft Outlook 2013 paste HTML mechanism reveals the clipboard contents

We all use Outlook. If I had to guess, Outlook is the most popular mail client in the world. It has been discovered recently that Outlook 2013 has a way to expose the contents of the user's clipboard.

From time to time we copy really sensitive stuff like SSNs, passwords, credit card numbers and bank account numbers.
Sometimes it is even personal secrets, which tend to be much more sensitive than the information above.

An attacker who has access to the victim's display may lure the user into pasting HTML into a new email using Microsoft Outlook 2013, which may lead to exposure of sensitive information from the clipboard, as shown in the attached video.

Tested on Outlook Enterprise 2013 64-bit, fully patched
Outlook used HTML mode
Outlook.exe: 15.0.4667.100, created 15 October 2014, 00:27:50

Browser versions:
Chrome 39.0.2171.95 m
Firefox 33.1.1
Opera 26.0

I sent the report to Microsoft's Security Response Center and got a very quick response:

Thanks for contacting the Microsoft Security Response Center (MSRC).

As this attack relies on social engineering, Microsoft does not consider it to be a Security Vulnerability. We have investigated your report and concluded that we do not consider it to be a security vulnerability.  That decision is final, and we consider this report to be closed.


Thursday, December 27, 2012

Some Songs About Appscan

Well, first of all, about Appscan.

Appscan is a big platform by IBM, and what I want to talk about in particular are:

  • Appscan Standard
  • Appscan Enterprise
  • Appscan Source 
Those products deal with security assurance.
Appscan Standard is actually the real Appscan. It was purchased from Watchfire and, as an application security consultant, I have been using it in my daily job for ages.

Appscan Enterprise uses the same engine as the Standard version; however, it has a web interface and some useful features like scheduling and saving different digital certificates for different scan jobs.

Appscan Source is what used to be Ounce Labs. It is a product that can take your source code and point you to the security issues.

Since I am working with IBM people, and from time to time they point me to some public technical information, I think that this is a good place to put it.


Microsoft SharePoint scanning guidelines

Troubleshoot license issues

The IBM support site is on WebSphere, so be patient :)

Thursday, March 17, 2011

Certificate port binding: SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

There are very annoying messages in Windows. I will talk here and in the next posts about some of the security-related errors and how they help you understand the problem.

So here is the thing: you have just installed the certificate in the certificate store, and you can visually see it, but when you try to bind it to the IP port using netsh or httpcfg (more on this here: http://msdn.microsoft.com/en-us/library/ms733768.aspx) you get an annoying message saying nothing: A specified logon session does not exist. It may already have been terminated.

 Microsoft Windows [Version 6.1.7600]  
 Copyright (c) 2009 Microsoft Corporation. All rights reserved.  
 C:\Windows\system32>netsh http add sslcert ipport= certhash=3045c0dab3764dd641a3742253c9b22e07acf645 appid={11223344-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable  
 SSL Certificate add failed, Error: 1312  
 A specified logon session does not exist. It may already have been terminated.  

After some time investigating the issue, it seems that the problem is that the certificate must be in the local machine store to be successfully bound to the port. All you have to do is drag and drop it there.

Moving a cert with drag and drop is a simple operation. It copies the cert and its private key.

Now the same command should work:

 C:\Windows\system32>netsh http add sslcert ipport= certhash=3045c0dab3764dd641a3742253c9b22e07acf645 appid={11223344-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable  
 SSL Certificate successfully added  

Wednesday, July 21, 2010

Nokia PC suite Contacts Database

Have you ever used Nokia PC Suite? It is a cool product by Nokia. Among other cool stuff, it can manage your phone contacts. What I noticed is that the program somehow keeps the contacts and the calendar information, even when the phone is disconnected from the computer.

After looking in some user directories on the computer, I found some files in the Nokia directory, and one of them is "PCCSContact.db". The .db extension told me that it might be some kind of database, and opening the file in Notepad showed me that the first string of the file is "SQLite format 3". That is very logical. After all, SQLite is frequently used by developers of lightweight applications, such as Apple with the iPhone or Google with the offline Gmail extension and Gears.

For those who did not know, from Wikipedia:
Unlike client–server database management systems, the SQLite engine is not a standalone process with which the application program communicates. Instead, the SQLite library is linked in and thus becomes an integral part of the application program. The library can also be called dynamically. The application program uses SQLite's functionality through simple function calls, which reduces latency in database access as function calls within a single process are more efficient than inter-process communication. The entire database (definitions, tables, indices, and the data itself) is stored as a single cross-platform file on a host machine. This simple design is achieved by locking the entire database file during writing.

The contact data is stored in Boyce-Codd normal form, which, in English, means that it is nice and compact but less trivial to read. There is of course more data, like modified_time_stamp, emails, details and pictures, so if you are interested in data mining or forensics, this is an interesting place as well.

Let's say we want to store myself as a contact, like this:


number_data:

uid | number_full | number_type
20  | 1234567890  | 64

string_data:

uid | text_data  | field_subtype
20  | Ilya       | 2
20  | Chernyakov | 3

As math professors like to say, it is easy to see that the tables share the same uid for all the properties of the same contact. Using this SQL query we can read the contact information in a nicer form:

select s.text_data || ' ' || t.text_data as Name, c.number_full as Number
from string_data s
join string_data t on t.uid = s.uid
join number_data c on c.uid = s.uid
where s.field_subtype = 2 and t.field_subtype = 4
order by 1
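As an added example (not the post's code or Nokia's), the two tables above rebuilt in an in-memory SQLite database with the post's sample contact, and the post's join wrapped in a function. Column and table names come from the post; the column types are assumed. The post's table excerpt tags the surname with field_subtype 3 while its query uses 4, so the subtype is a parameter here, and a LEFT JOIN variant shows how the inner join silently drops contacts with a missing field, which matters when the file is read for forensics.

```python
import sqlite3

# Assumed schema: only the column names appear in the post; the types are a guess.
SCHEMA = """
CREATE TABLE string_data (uid INTEGER, text_data TEXT, field_subtype INTEGER);
CREATE TABLE number_data (uid INTEGER, number_full TEXT, number_type INTEGER);
"""

# The post's sample contact (uid 20), plus one constructed contact (uid 21) that
# has a first name and a number but no surname, to show what the inner join drops.
SAMPLE_ROWS = {
    "string_data": [(20, "Ilya", 2), (20, "Chernyakov", 3), (21, "Dana", 2)],
    "number_data": [(20, "1234567890", 64), (21, "0987654321", 64)],
}

def load_sample():
    """Build the two tables in memory and load SAMPLE_ROWS."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO string_data VALUES (?, ?, ?)", SAMPLE_ROWS["string_data"])
    con.executemany("INSERT INTO number_data VALUES (?, ?, ?)", SAMPLE_ROWS["number_data"])
    return con

def contacts(con, first_subtype=2, last_subtype=3, keep_partial=False):
    """Return [(name, number)] sorted by name. The post's query is an inner join,
    so a contact missing a surname or a number vanishes; keep_partial=True
    switches to LEFT JOINs so such rows still come back (with '' / None)."""
    join = "LEFT JOIN" if keep_partial else "JOIN"
    sql = f"""
        SELECT RTRIM(f.text_data || ' ' || COALESCE(l.text_data, '')) AS Name,
               n.number_full AS Number
        FROM string_data f
        {join} string_data l ON l.uid = f.uid AND l.field_subtype = ?
        {join} number_data n ON n.uid = f.uid
        WHERE f.field_subtype = ?
        ORDER BY 1"""
    return con.execute(sql, (last_subtype, first_subtype)).fetchall()
```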

I have created a C# DLL library that is available at SourceForge. As usual, any comments are welcome. Please do not use this software to develop nuclear weapons :)


Tuesday, June 15, 2010

Hotel door hacking - By Barry Wels

Funny, I have been doing this for years at my parents' home using the intercom cable; however, the guy suggests a universal way to open those locks.

I think that the video deserves our attention.

Taken from https://www.youtube.com/watch?v=7INIRLe7x0Y

And remember: it is not that I am paranoid; people just try to harm me all the time.

Thanks to Avi Douglen for sharing this.