
GTFO Mr. User

BSides Lisbon · 2017 · 33:35 · 194 views · Published 2017-11
About this talk
In this talk, the author will present real case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should the security threats fall into the wrong hands. Additionally, this talk will share tips on how to properly disclose bugs to companies without being a real Trump.

ABOUT THE SPEAKER: David Sopas is an AppSec research team leader at Checkmarx and is the co-founder of Char49. Google, Yahoo!, eBay, Microsoft, and many other companies have acknowledged his work. David is also a proven bug bounty hunter, currently ranking number 1 on Cobalt and best Portuguese at HackerOne.

Transcript [en]

Hi everyone, and welcome to my talk, and welcome to BSides if it's your first day here. I'll be talking a little bit about my experience with some big companies and how they dealt with some security issues, and this is the talk name, so: get the [ __ ] out, Mr. User.

A little bit about me. I work as application security research team leader at Checkmarx; we play with a lot of things and it's a lot of fun working for them. Char49, of which I'm the co-founder and chief operating officer, where I manage to have a lot of fun with other pentesters and we play a lot. Also, pretty different, I'm a pentester for Cobalt; yeah, you can say that I'm still number one, for a rank that for me does not make any sense, but still I'm number one. I have an Indian guy next to me; I hope he catches me, because I've been two years number one, so it's boring. And I'm a member of AP2SI, the Portuguese organisation. And last year, sorry, I was also a speaker at BSides in this room with the talk "The Way of the Bounty". In this talk I will not talk about bounty, so, you think; I have a few surprises, so let's wait for it. Besides web hacking, or what someone like OWASP likes to call web apps, I also started playing with IoT, especially Bluetooth Low Energy. Lockpicking: I did the small village with my pal yesterday, I don't know if one of the guys present here was there, and it was pretty fun. Speaking about InfoSec in schools, in conferences and everything; I like to send the right message about information security. Cycling, yeah, I love to cycle, mountain bike, road bike, everything. TV shows: Mr. Robot, of course, you know. And this year I started a new hobby which is also pretty fun, which is running. Yeah, I started running, and I guess you never know when you need to run faster than the other guys.

So, what I'm about to explain: I tried to hide all information related to the companies that I tested, because I don't want any legal issues or anything, so if you find something related to that, please, it's not my fault, really, it wasn't me; if it was on the slide, I don't care. It is a disclaimer, so I'm blaming someone else, I don't care. The agenda: I'll explain some vulnerabilities that I found on three large organizations, which are called Company X, Y and Z, a little bit about responsible disclosure without being a mess, sorry, a [ __ ], and also I have a few surprises in the middle or in the end, I really don't know; I will see if people are still standing in this talk.

So why did I do this talk? Well, I chose these companies because Company X is a service provider that I work for, Company Y was an application that I used, yeah, and that's it, and Company Z is an application that I used in the past; I don't use it anymore, for some reason, I don't know why. Usually when I install something on my computer or my phone I always try the application first to see, okay, if it has any security issue or anything; I like to test it before. So I will try to explain a little bit what I found.

Company X. Company X invested six million dollars in expansion, amazing, a big company and a lot of interest in this company; I will not, of course, tell you the name. Guess what, six million, and I guess it was not in security. Some of their clients, and they have a lot of them: an airline, which, also, I won a bug bounty from, not related to this talk, but yeah, I won a bug bounty from that airline and donated it to cancer research; IKEA, Citroën, and [ __ ]; this is one of their thousands of clients. So what did I find? It was a problem in the API.

This is a small example of what I did: send the link to Mr. Bean, Mr. Bean receives my link, and your API access is mine, no problem. But I was playing it in a better way. It's quite simple: I just send a cross-site request forgery to add a new entry to the API list; the vulnerable field was the description of the API, and it was a cross-site scripting payload, pretty simple, everyone can do this. But when I was doing this I noticed that they had a cross-site scripting protection and I was like, damn, I could do something more with that, and I just found that using something very hard, which is HTML encoding, I bypassed it. Yeah, I just changed a couple of symbols to hex encoding and you're done, and I got my stored XSS. This is a small example of what I did: I stored the JavaScript file on my domain; this is the payload. I get the first element of the box where the API is, but I did not steal the API key that I added, right, but the first one, which is the original one. So if the attacker, this is an example, if the guy just checks the API section of the application, I hope I cannot say the company's name, damn. You can see that I stole the API key and I can do everything with it: the victim triggers the stored XSS and the original API key, which is the first one, is mine. I don't want my added payload; I just want the first one, which is the original one, because if the victim sees something new added to the API list, okay, "I didn't add it, so I'll remove that API", and I've got the original; that's what I want. I explain it here: if the victim detects the cross-site scripting payload, I already have the original one, which I'm sure they are already using somewhere and it will be very hard to change it and everything, and I guess the application also doesn't have a refresh on the original key, so it's mine anyway.

So what could I do with it? Yeah, I can do everything with an API key, as you may know: you can download all of Company X's clients DB, spoof client IDs and create company landing pages, upload malicious files to their cloud, and stuff like that. And you can see that it was pretty easy: I just found an unprotected form, I used cross-site request forgery, cross-site scripting, stored, I grabbed the API key and game over; that's it, it's mine. And it's very simple, using two vulnerabilities that are very common, very easy to find, and you have the company almost in your hands. But it's not over, yeah: I also have file upload extension bypass, open redirects, CSV injection, still not very dangerous things; that's why I said that the API key was much more interesting, because I have the information from the company. And I also found one of my favorite vulnerabilities, reflected file download, where, yeah, I hid the company name, which I can trigger; I can create malicious files for the victims and everything. Also another cross-site scripting, cross-site request forgery where I could change all of the callbacks, not to the company's website but to my website; everything goes through my domain.

The important thing in this, and what I would like to focus on, is the vendor response; this is one of my main focuses in this talk. Well, I tried contacting them by email, which went very wrong: I did not get any reply. I tried support tickets, again without any success, and Twitter, yeah, I got some tweets regarding where I can provide the security information. So I tried to contact them using Twitter; they forwarded to the security team, no reply; asked for an update, same reply, forwarded to the security team; check the dates, okay; asked for another update, yeah; it was almost eight months, or six, I don't know, and to make this faster I highlighted the curious things. So: "we have fixed all the issues", seems amazing, "we appreciate your help, thank you", after, yeah, a long time. But it's not over: I told them directly that they suck at security and requested a full disclosure. I literally didn't say "suck"; I just told them that you're very bad, not "suck". So they told me, "no, we care about security, we'll contact you shortly", and three months later I just tweeted "shortly?", and I'm sorry, but a response like "your situation is new to me". New to me? What the hell, man, almost a year has passed and it's new to you? I've asked your manager about this. This type of situation happens a lot; the three cases that I will present in this talk are regarding this, the lack of reply of many organizations. And after this date I just waited, okay, so I'm still waiting; it's a shame.

But let's pass to Company Y. Company Y was very interesting because it was a well-known Android application with a lot of downloads and used by some guys: 6.5 million people. It's featured in Forbes, and this time they awarded me, amazing, awarded me, and I was very happy with it, but I will show you later what's the problem here. I have no pentesting skills in Android, I'm very bad at it; I leave it to my other partners, colleagues and everything, who are more experienced than me. I just burped the request. If you don't know "burped", I don't know if I was the inventor of this word, I guess not, but it's lingo for the art of using Burp proxy. I'm not gaining any type of money, just publicity, I think, but Burp is an excellent tool; professional or free version, it doesn't matter. So what I did: I intercepted the requests from the app and I checked a simple API call with my user ID and my token, which is redacted because it's not rotating; it's still the same. So you have the URL, you have the user ID, and you have, redacted, my authorization, which returned something like this, okay: yeah, my name, written incorrectly, I don't know; my email, no problem, it's public; notifications, because I don't have much information, it's almost empty. What is today, Tuesday? Okay. So I have these. I don't know if you guys are already thinking what you can do with this; well, I usually think like that: so what if my token could be used for something more interesting? And I tried using a lower number and it failed, and I was like, damn, man, I really thought that my token would work with other user IDs. So, usually in security you never should quit, and you should try everything and think outside of the box, and it should be something. I really wanted that database, not maliciously, okay, but I wanted to test it because it was an application for a client and I needed to. So what I did: I tried three numbers, yeah, with my own token, and I got someone else's information, yeah: first name, last name, email, which is redacted, but this is the real name, the same user ID, they have the profile picture, which is connected to Facebook, and in this request you don't have too much information about the images and videos, because you can upload and everything, then you have the profile picture and other information. But besides, I just didn't do one number; I tested two, three, and I got replies, and so, okay, I have maybe the 6.5 million users. I created a small Python script, a very bad Python script; I just wanted to prove my case, and I got a lot of information.

And they acknowledged me; I contacted them, yeah, I got a little feedback, and it was a very nice reward, and you can check it, so it's not bad. I even tried to buy a book and it was not enough, and yeah. So I told them, well, the same company, hey, what the hell, man, okay, it was an effort, right, they are featured in Forbes and they have so many clients, paid clients, okay, but it doesn't matter. Company Y fixed it; I found another way to bypass it, very easy; not three but six other vulnerabilities are still in place, so get the [ __ ] out. And for the response, it was also very funny, not only because of the reward, but again: email, no; support ticket, no; Twitter, yeah. So, first contact, this is very cool, really, they know about you: "hole", okay, "you have a hole in our application", and they told me that folks who can root their phone can see these logs; I don't know what they are talking about. "We're going to fix it soon because we care about privacy"; of course we care about privacy, "and don't want to expose personal information". Yeah, I just downloaded your six point five million users, so yeah. Then they became my friends, like, "hey David, can you wait at least six months for us to fix the bug?" Yeah, they care about security and privacy; six months, I think it's enough. So, yeah, requesting an update, and you can also see the dates, they are very fast, and they fixed it in a branch but it can't be released until next year. Requesting updates, March, okay, everything is good, we're going; this is amazing and it confuses me a little bit: "we're going to encrypt our logging"; sorry, but my god. "The only issue is that we use the logging in every support email to see what's going on with users." I don't understand this at all; okay, I'm Portuguese, English is not my native language, but again, I'm still confused. "When we can't replicate an issue in-house, we're trying to figure out how to decrypt our support stuff." What are they trying to fix? Really, I don't have a clue what they are talking about. I don't know if they still received my communication or they are reading any other report, I don't know, but what the hell. "The issue to get users' information is, in a certain way, fixed." Yes, "in a certain way": we protect your information in a certain way. So this issue can wait until November, yeah, more than a year; yeah, we care about privacy and security. And again, "at this time we don't want to open any security issues on the internet"; again, I don't know why. "We will notify you when we are ready", and they were ready, yeah; so I'm still waiting.

Okay, on to the last company, which is Company Z, also a mobile application; again, no experience in Android pentesting. This is a very big application, very big, you can see the numbers, amazing; they create applications for Microsoft, sorry, Samsung and Yahoo, and they were listed in Forbes like a major company, fast-growing; I don't know how much money they have. So we got user enumeration and data modification; they are a little simple, but the enumeration was very interesting. Again, after intercepting requests, which is the only thing I do in Android, I saw a POST request, and this is where I can explain a little bit about what the application does: it's like a remote control for your TV, okay, so it's pretty simple. I updated my account; at the time I was 34, I'm not lying, I was a male, still, and I noticed my user ID, nothing else. So what is returned? Okay, my ID, my operator and some reference of the phone that I used; it's not my phone anymore, but it's relevant information. But using this same method, this was easier, because it was just changing a number, a lower number; it was a sequential number, so I created another shitty script in Python and enumerated all the users and grabbed age, TV operator, country, device model, you name it. This was the shitty Python, yeah, very bad. But well, the most dangerous thing was the possibility of modifying user data without any authorization at all, okay, and I could change some user information, even corrupting it, and the application, if you corrupt it with invalid data, it will crash the application, and you need to remove the application and install it again, amazing. So I did other things; I started playing with it. I checked what would be funny to send them as a little PoC. I noticed that you can change favorite movies, okay, I already think that some guys are already thinking about favorite movies; change email and recover the password, okay, account takeover, yeah, this is awesome, but I don't care; and add channels to rooms, that was really funny, yeah, some people are already laughing. So I used it, the "add channels": I just used a POST request on the company's "schedule new channel" to this ID, to this room ID, which is one; for example, you have three rooms, one bedroom, one living room; so I don't know whose room ID 3 is, somewhere where the TV is. And I changed it to a particular ID, and I wonder what channel it is; I know what the ID is, you'll see on the next slide. And so you think it's for me? No. Yeah, the victim turns on the TV; remotely, because I'm at my place; so the victim turns on the TV and watches something on room ID 3, damn, yeah.

The vendor response was also very interesting: email, false; support ticket, false; and Twitter, true, yeah. This was the best? No, on the contrary, it was the worst one, because I got almost no reply; they only tweeted me telling me "we have tested the application", yeah, okay, cool, but still it's the same issues. And I don't know, I'm not going to tell the company, so I can't tell you "do not use this company", because the application is inside almost every Android phone.

Responsible disclosure, okay. What was my biggest issue? I think you can guess: it is trying to contact the company. Where do I find any information, where do they have the [ __ ] security contact of the company? Yeah, you enter the website and you check, okay, I found security issues, I have an RCE, I have, you name it, and where should I contact the company? I don't have an email; sometimes I have a contact form that replies automatically; I don't have anything, sometimes one year, two years; it's amazing. So I did some statistics about it and I noticed that social networks nowadays are very important. Again, I can enumerate it: email, yeah, I got two in ten; Twitter, eight in ten; LinkedIn, eight in ten, very interesting; phone, yeah, I found some companies, sometimes, usually some Indian guys answer and they really don't understand what I'm talking about, but okay, sometimes it works, because three times it worked; support ticket, one, amazing, these systems, amazing, they really work. So I noticed that social networks are very important to contact and to communicate information. Why? It's simple: if you identify the company in your timeline, for example on Twitter, it's public information; other companies can see it, other clients can see it, so they need to reply, they need to give feedback from somewhere, you know. In the case of LinkedIn I also try to reach the security people; I search, when they accept my request, of course, or the C-level. I don't want to contact the developer; they don't know, so usually they don't understand what I'm talking about either, and usually also they are Indians. I didn't try to use Facebook because I don't use it; I use it only in some rare cases.

What do I usually do? This is a simple model of what I usually send when reporting. I try to contact with a small introduction, who I am and everything, what I do; also I try every time to send a full report with the information that I discovered, especially if you can accompany it with a video, images, good images, not like the other one, vulnerability references or any articles that you think could help the receiver to understand your report better; and depending on the severity, try to get an update regularly, not like each week or each day; I try like one per month. If 90 days have passed since the last communication, I, I'm trying to say 90 days, but, oh sorry, okay, I'm sorry, it was that way, 90 days, because others also use it and I think it's a good timeline to solve the situations.

But this also happens in bug bounty, yeah; this also happens, for example, US Department of Defense; I took this information from my account, I don't know if it's something we cannot share, but really. So, US Department of Defense: five months time to resolution, too long, really; I still have two reports to get any first response; they say three days, we have to wait for... I have a cross-site scripting and a SQL injection on the US Department of Defense and still I don't see these three days on first response, but okay; but still five months time to resolution. Agoda, which is part of the Booking company, bounty, not bad; 11 months to get a resolution, also not very fancy. Imgur, incredible, nine months; as you can see there's a pattern, okay. Yelp, seven months; I'm thinking, wait, seven months to fix something, really? And sometimes they are dangerous things; for example, the US Department of Defense, the SQL injection: I got contacts for military and navy, and this should... it's only fixing a SQL injection, use parameterized queries or something like that, it's not very hard, okay; it's updating an old site, so good. And seven months, okay, they might just rip videos from other people, so okay.

Bounties: first of all, this is part of one of my surprises; I want to ask everyone who is here, who has already received a bounty? One person, damn, two, three, okay; the other people, at the end of this talk I have a few surprises for the other people, but I only have thirty-two, so at the end of this talk, first come first served. So really it's important.

Taking it back to my talk, responsible disclosure, okay. Why I didn't disclose the names of these three companies? First, they don't deserve my time; at first they deserved my time, but now I don't care about publicity. Many of my clients are using it, so it's bad for my clients; I don't care about them, but I care about my clients. Against my advice, I told them, don't use it, but they need it, and that's the problem. And the firms asked me politely not to, you know; I can't say any more, it's enough.

And not related to the three companies: I found maybe one of the top five sites in Portugal that has this simple file, which I know that most of you know what it is, and it was visible to the public. You can use dirsearch or DirBuster to check for some of these files, and you can check some of the things; there are some clues. Okay, I know they use PHP, I know they SSH to something, and also they typed some password, which is redacted. I also know they have the config file and made a backup named like this, which might be accessible, I don't know; also the email and an SFTP to some internal server that they have. If you refresh the page a couple of times you see new things, and some of them are really funny, like typing wrong commands and everything; it really seems like Kevin Mitnick doing some hacking nowadays, in the 90s. I also tried to contact these guys; it was not very easy, because it was the only one that didn't answer my phone calls, didn't reply to any email, Twitter no, and support ticket no. So I tried everything and no reply so far.

So this was an experience for me, because each time I audit or research new things, inclusively nowadays; I've stopped using, like, OWASP prefers to say "web apps"; I'm stopping using web apps and moving on, and even in IoT the vendor response is like a piece of crap, you know; no reply so far. So this is it; if you have any questions, feel free, I can try to answer if I know. [Applause]
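As an added example, not code from the talk or from any of the companies it describes, here is the authorization bug behind the Company Y and Company Z findings (a token, or no credential at all, reads any sequential user ID) next to its fix, plus a log check for the sequential-ID walk the speaker's script performed; all users, tokens and log lines are constructed.

```python
# Added example (not the talk's or the vendors' code): the IDOR behind
# Company Y and Company Z, its fix, and a log-side check for enumeration.
# Every user, token and log line here is constructed for illustration.
import re
from collections import defaultdict

# Constructed user table and token store (hypothetical).
USERS = {
    1: {"name": "alice", "email": "alice@example.invalid"},
    2: {"name": "bob", "email": "bob@example.invalid"},
    3: {"name": "carol", "email": "carol@example.invalid"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2}  # token -> user id that owns it


def profile_vulnerable(token, user_id):
    """Checks only that the token exists, not whose it is. Any valid token
    (the speaker's own, in the talk) reads any user id the caller names."""
    if token not in TOKENS:
        return None
    return USERS.get(user_id)


def profile_fixed(token, user_id):
    """Binds the token to its subject: the caller reads only the record
    whose id matches the token's owner. Unknown token and foreign id both
    return None, so the response does not reveal whether the id exists."""
    owner = TOKENS.get(token)
    if owner is None or owner != user_id:
        return None
    return USERS.get(user_id)


# Constructed API access-log lines: token, method, path, status.
LOG = """\
tok-alice GET /api/users/1 200
tok-alice GET /api/users/2 200
tok-alice GET /api/users/3 200
tok-alice GET /api/users/4 404
tok-bob GET /api/users/2 200
"""
LINE = re.compile(r"^(\S+) GET /api/users/(\d+) (\d{3})$")


def enumeration_suspects(log, threshold=3):
    """Tokens that touched at least `threshold` distinct user ids, whether
    or not the reads succeeded: a cheap signal for a sequential-id walk,
    useful as detection while the authorization fix is being shipped."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(profile_vulnerable("tok-alice", 2))  # bob's record: the IDOR
    print(profile_fixed("tok-alice", 2))       # None: token is alice's
    print(enumeration_suspects(LOG))           # ['tok-alice']
```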