Insecure Data Storage (Access Token exposed) Instagram

Hello friends, this was the issue I found during my security research while reversing the Instagram app.

During analysis I went towards the juicy part, "shared_prefs.xml", and hopefully it had something for me 😀. I dug further and found that it was leaking the fb_access_token in clear text :O. I then tried to check what its impact could be, but before doing that I checked the validity of the token and the permissions tied to it. So I opened up the Facebook Graph API Explorer, pasted the fetched token into the API and debugged it. Other interesting things I found were that it had publish actions and a long lifetime (2 months).

So why is this an issue?

According to OWASP:
It is important to threat-model your mobile app to understand the information assets it processes and how the underlying APIs handle those assets. These APIs should store sensitive information securely. Places OWASP most often sees data being stored insecurely include the following:

  • SQLite databases
  • Log Files
  • Plist Files
  • XML Data Stores or Manifest Files
  • Binary data stores
  • Cookie stores
  • SD Card
  • Cloud synced

Let me give you a scenario, or possible explanation.
An attacker will install a malicious app on the victim's device; that app will fetch the XML file holding the access token and can remotely send the attacker those tokens, with which the attacker can do evil stuff to the victim, etc.

So it was an insecure data storage issue.
I immediately reported this issue to Facebook and was eagerly waiting for their reply 😀.
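A small checker for the kind of finding described above, added here as an example (not code from the original post or from Instagram): it parses a constructed Android shared_prefs XML file and flags entries that look like credentials kept in clear text, using an assumed heuristic list of key names and a length-based test for opaque token values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android shared_prefs file (not the real Instagram
# file): one entry holds an OAuth-style token in clear text, the rest are benign.
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="fb_access_token">EXAMPLEtokenVALUEabcdef1234567890XYZnotreal</string>
    <string name="theme">dark</string>
    <boolean name="first_run" value="false" />
    <long name="last_sync" value="1418308380000" />
    <string name="user_id">123456789</string>
</map>
"""

# Key names that usually denote a credential (assumed heuristic list).
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api[_-]?key|session)", re.I)
# Long opaque strings made of token-like characters.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9._\-]{20,}$")


def find_plaintext_secrets(xml_text):
    """Return (key, reason) pairs for entries that look like credentials
    stored in clear text in a shared_prefs XML document."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:
        name = elem.get("name", "")
        # <string> entries carry the value as text; other types use a 'value' attribute.
        value = (elem.text or "") if elem.tag == "string" else elem.get("value", "")
        value = value.strip()
        if SENSITIVE_KEY.search(name):
            findings.append((name, "key name suggests a credential"))
        elif elem.tag == "string" and OPAQUE_VALUE.match(value):
            findings.append((name, "long opaque string value"))
    return findings


if __name__ == "__main__":
    for key, reason in find_plaintext_secrets(SAMPLE_SHARED_PREFS):
        print(f"[!] {key}: {reason} (stored in clear text)")
```

On a real device the file lives under the app's private data directory, which is exactly why a rooted device or a backup extraction is the usual path to it; the fix is to keep such tokens in the platform keystore rather than in plain preferences.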

[+] Tested on an Android 4.2 Jelly Bean emulator.
Tools used:
[+] adb
[+] Reported on 11 December 2014 14:33

Video PoC:

https://drive.google.com/file/d/0B6EUD5GE6yQCU2cxZUFTRVJ1RzQ/view?pli=1

And this was the reply:

Facebook security: If your device was rooted, then it's not our issue!

They rejected this issue just because I tested it on the emulator. Is it my fault that it comes pre-rooted? And I was like...

But still I was not happy with their answer and tried to explain further. This time some core member of their dev team replied to me with this:

"We appreciate your report, but currently I'm going to close out this report. If you feel you have more information to add, feel free to reopen it and add that information.
Thanks,"

And they closed it again.

So, later on I asked the Twitter security team about the same issue in this context.

Ans: Hi Vishwa, thanks for reaching out to us. We don't have any issue regarding the context of the device being rooted. If you've got any serious issue then we are eager to hear it.
Regards,

Twitter dev team.

Similarly I went through the Yandex security team, and their reply was the same as Twitter's regarding this context.

So this was all, guys.

Thank you for reading this. Better luck next time. #never give up 🙂

Restricting users from logging into their account, the attacker's way

Hello friends, this is the PoC report for Magento which I reported to them!

Issue:
When a user requests a password reset, a new unique password is sent to the user's Gmail,
and the application won't allow the user to log in
until the password from the mail is entered,
because the application resets the password automatically without asking the user's permission.

Impact:
An attacker can abuse this functionality easily by requesting
a password reset and so prevent the user from logging into their own account :v for hours,
until the user notices that the password is in their mail.

Video PoC:

Reply 😦

Explained further:
So the attacker will write an easy script in Python to launch a password reset request on behalf of users just via their email [since Magento was also vulnerable to a user enumeration bug, in which I was able to extract the existing users of the Magento install due to improper rate limiting].

So the attacker will be causing problems for your existing customers, and if the same code is used in Enterprise Magento then it will affect that too.
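The design flaw described above, side by side with the usual fix, as an added illustration (toy in-memory code, not Magento's): the first flow replaces the password as soon as anyone asks for a reset, so the owner is locked out; the second only records a single-use, expiring token and leaves the password untouched until the owner presents that token with a password of their choice. The class names and the TOKEN_TTL value are assumptions for the example.

```python
import hmac
import secrets
import time
from hashlib import sha256


# Passwords are kept as salted SHA-256 for brevity in this example; a real
# system uses a slow password hash such as bcrypt or Argon2.
def _hash(password, salt):
    return sha256(salt.encode() + password.encode()).hexdigest()


class InsecureResetFlow:
    """Mirrors the reported behaviour: a reset request immediately replaces
    the password, so anyone who knows the email can lock the owner out."""
    def __init__(self, email, password):
        self.email, self.salt = email, secrets.token_hex(8)
        self.pw_hash = _hash(password, self.salt)

    def request_reset(self):
        new_password = secrets.token_urlsafe(12)       # generated server-side ...
        self.pw_hash = _hash(new_password, self.salt)  # ... and applied at once
        return new_password                            # this is what gets emailed

    def login(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class SecureResetFlow(InsecureResetFlow):
    """Nothing changes until the emailed, single-use, expiring token is
    presented together with a password chosen by the account owner."""
    TOKEN_TTL = 3600  # seconds; assumed value

    def request_reset(self):
        self.reset_token = secrets.token_urlsafe(32)
        self.reset_expires = time.time() + self.TOKEN_TTL
        return self.reset_token                        # emailed as a reset link

    def complete_reset(self, token, new_password):
        current = getattr(self, "reset_token", None)
        valid = (current is not None
                 and hmac.compare_digest(token, current)
                 and time.time() < self.reset_expires)
        if valid:
            self.pw_hash = _hash(new_password, self.salt)
            self.reset_token = None                    # single use
        return valid
```

Rate limiting reset requests per account and per source address is the complementary control against the enumeration-driven mass-reset script the post describes.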

[+]Reported
[+]Not patched
[+]Disclosed

That's all, guys, for this report.
Thanks for reading 🙂

eBay PayPal Bug Bounty: Magento XSSed

Hello friends, this post is the PoC for the critical reflected XSS which I found in the Magento search bar. It was critical because the XSS was in the search, and the worst part was that it was also affecting the Enterprise Magento software (which was premium).

Hunting process:

I first tried the usual one, like "><img src=x onerror=prompt(document.domain);>, and then I constructed some others, but all the other characters were being filtered and none of them worked out. The interesting part was that while hitting the search I was getting the search results of all the other guys (hunters) with some XSS or script tags :v. Then I thought it had already been patched or secured! But somewhere I still had a hope of bypassing their applied code, so I thought to give obfuscation a chance, and I built up this one with the oldie-goldie HackBar.

</SCRIPT>’><script>alert(String.fromCharCode(88,83,83))</SCRIPT>

And boom 😀 it just popped up!

I reported it to them under their bug bounty program and unfortunately it was a duplicate 😦; it had already been done by another hunter and he enjoyed the treat of $1000 ;-?
But still I bypassed it ; )
Lesson: don't think so much, just give it a shot, maybe you will do better than others 😀
So this was all, guys ; )
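Why the obfuscated payload from this post gets through a fragment blacklist while the "usual" one does not, and why output encoding closes both, as an added example (not Magento's code): the blacklist below is a hypothetical one written for illustration, targeting the tag and event-handler fragments of the usual payload, and the results page is constructed.

```python
import html
import re

# Hypothetical blacklist in the style that stops the "usual" payload but not
# the obfuscated one.  Assumed for illustration; this is not Magento's filter.
BLACKLIST = re.compile(r"(<img|on\w+\s*=|prompt\()", re.I)

# The two payloads quoted in the post.
USUAL = '"><img src=x onerror=prompt(document.domain);>'
OBFUSCATED = "</SCRIPT>'><script>alert(String.fromCharCode(88,83,83))</SCRIPT>"


def blacklist_filter(user_input):
    """Strip known-bad fragments, leaving any other markup intact."""
    return BLACKLIST.sub("", user_input)


def escape_for_html(user_input):
    """Context-aware output encoding: the browser sees text, never tags."""
    return html.escape(user_input, quote=True)


def render_search_page(term, sanitizer):
    # Constructed results page with the search term reflected into the body.
    return f"<p>Results for: {sanitizer(term)}</p>"


def contains_script_tag(page_html):
    """Rough check for a live <script> element in the rendered output."""
    return re.search(r"<script\b", page_html, re.I) is not None


if __name__ == "__main__":
    for label, payload in (("usual", USUAL), ("obfuscated", OBFUSCATED)):
        for name, fn in (("blacklist", blacklist_filter), ("escape", escape_for_html)):
            live = contains_script_tag(render_search_page(payload, fn))
            print(f"{label:10s} {name:9s} script tag in output: {live}")
```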

I hope you liked it 😀
@vishwaraj101