4 million users' information easily leaked, and questions about the state of network security in Vietnam
Introduction
A lack of privacy protection, and a lack of user control over their own data, is occurring at many businesses in Vietnam and around the world. The problem is not new and not hard to fix, yet it has been and still is overlooked. The main purpose of this article is to warn businesses and organizations, as well as users: please pay more attention to information security, because the issue is urgent.
Out of respect for the company, and because I do not want to damage its reputation, I will keep it anonymous and call it X.
How I found this vulnerability by chance
I am a user of X. One day, while using X's Android app on my phone, I noticed that I could see other users' sensitive information such as email address, postal address and so on. This is a feature of the application, meant to let users contact each other, and probably nobody had paid attention to it. From experience, though, I judged that if this function were not properly secured, an attacker could forge requests identical to those the app sends to X's server and pull every user's information. X has a huge user base, in the MILLIONS, so if this were feasible it would be a serious security breach.
From judgment to reality
Starting from this thought, I set out to analyze the requests X's application makes. I used ARC Welder to run the X application on my computer and Fiddler to capture every request it sends out. With the setup done, I opened the application and used a few basic features, and Fiddler immediately caught a lot of interesting information: the application requests pages of the form https://x-server-api/profile/<user-id>. I copied one of these URLs into a browser, and the result was even more surprising: I could retrieve the user's information directly through the browser, which means:
- Retrieving a user's information requires nothing but the ID, and the ID is assigned by the database as an auto-increment value (auto_increment). An attacker only has to scan from 1 up to the maximum to retrieve every user's information.
- The API has no authentication at all: no authorization token, no authorization header, nothing. The ID is even passed as a GET parameter in the URL rather than in a POST body, so it also ends up in browser history and server logs. (Switching to POST alone would not fix this; what is missing is a check of who is asking and whether they are allowed to see the record.)
At this point my judgment was confirmed. It is dangerous: if this information falls into the wrong hands, the consequences will be serious.
Determining how many users are affected
The vulnerability is serious, but how many X users are exposed? To answer that question I used the classic guessing method.
Because the ID in the API above is assigned by the database by incrementing (each new user's ID is the previous one plus 1), the number of affected users can be determined simply by finding the minimum ID and the maximum ID.
Finding the minimum ID is easy: start from 1 and increase until the API returns a record. Already at ID 1 the API returned a user (probably X's very first user).
To find the maximum ID, since X is a big company, I boldly tried 1 million (1000000): the API returned no error. 2 million: still no error. At 5 MILLION the API finally returned an error. This means more than 4 MILLION users in Vietnam are affected (a little over 4,100,000). That is an extremely high number: compared with the 52 million Internet users in Vietnam as of 06/2016 (source), roughly one in every 13 Internet users in Vietnam has had their information exposed.
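The estimate above was done by hand. As an added example (not code from the original post), here is the systematic version of the same idea: once you know the IDs are sequential, you can find the highest live ID with a few hundred requests instead of millions, by doubling until the API stops answering and then binary-searching the boundary. Each step probes a small window of IDs so that a few deleted accounts (gaps) do not end the search early. `fake_probe`, the constants, and the name `x-server-api` are constructed stand-ins for a real `GET https://x-server-api/profile/<id>` that returns True on HTTP 200.

```python
"""Estimate how many accounts an enumerable ID space exposes, with O(log n) probes.

Added example, not code from the original post. `fake_probe` simulates the
X server: IDs 1..LAST_LIVE_ID resolve except a few deleted ones (constructed).
"""
from typing import Callable, Optional, Tuple

LAST_LIVE_ID = 4_100_000                  # constructed: highest account that exists
DELETED_IDS = {7, 4_099_998, 4_099_999}    # constructed gaps from deleted accounts


def fake_probe(user_id: int) -> bool:
    """Stand-in for GET /profile/<id>: True if the API would return a profile."""
    return 1 <= user_id <= LAST_LIVE_ID and user_id not in DELETED_IDS


def find_max_id(probe: Callable[[int], bool], first: int = 1,
                window: int = 8) -> Tuple[Optional[int], int]:
    """Return (highest ID that still resolves, number of probes issued).

    Assumes IDs are handed out sequentially and that gaps left by deleted
    accounts are shorter than `window`. Returns (None, probes) if nothing
    resolves in the first window.
    """
    probes = 0

    def region_live(start: int) -> bool:
        # "Live" if any ID in [start, start + window) resolves; this absorbs gaps.
        nonlocal probes
        for uid in range(start, start + window):
            probes += 1
            if probe(uid):
                return True
        return False

    if not region_live(first):
        return None, probes

    # Phase 1: exponential search for a region beyond the live range.
    lo, hi = first, first
    while region_live(hi):
        lo, hi = hi, hi * 2
    # Phase 2: binary search. Invariant: region at lo is live, region at hi is dead.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if region_live(mid):
            lo = mid
        else:
            hi = mid
    # Now region_live(lo) and not region_live(lo + 1): no ID in
    # [lo + 1, lo + 1 + window) resolves, so lo itself is the last live ID.
    return lo, probes


def estimate_affected(first: int, last: int) -> int:
    """Upper bound on exposed accounts (deleted IDs inside the range inflate it slightly)."""
    return last - first + 1


if __name__ == "__main__":
    last, probes = find_max_id(fake_probe)
    print(f"last live id: {last}, probes used: {probes}, "
          f"affected (upper bound): {estimate_affected(1, last)}")
```

Against the constructed server this lands on 4,100,000 in well under 300 requests, versus the 4.1 million requests a linear walk would need. The probe count matters for two reasons: it keeps impact assessment from turning into a full scrape during a responsible-disclosure test, and it is exactly what a rate limit per IP (one of the fixes proposed below) would have slowed down.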
Finding the vulnerable code
Android applications are easy to decompile back to something close to the original source, so I unpacked the X application's APK file for review. Only two files matter here: classes.dex and classes2.dex, which hold the Java code in binary (Dalvik bytecode) form. Converting both with the dex2jar tool and decompiling the result yields a large number of Java source files. Rather than spend a long time reading them all, I used grep to find the files containing code related to the vulnerability. Three related files were easy to identify: Config.java, ApiConfig.java and XService.java. I opened them in Sublime Text for a closer look.
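Before running a full dex2jar and decompile pass, a quick first triage of the raw APK already tells you where to look. The following is an added example, not code from the original post: it lists the dex files inside an APK and pulls URL-like string constants and secret-looking identifier names straight out of the bytecode (dex string constants are stored as plain MUTF-8, so an endpoint such as `https://x-server-api/profile/` shows up intact). The APK is constructed in memory so the script runs offline; the class, field and URL names in it are illustrative stand-ins, not taken from the real app.

```python
"""Quick triage of an APK: which dex files exist, and which URLs and
secret-looking names they contain. Added example, not from the original post."""
import io
import re
import zipfile

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
SECRET_NAME_RE = re.compile(
    rb"[A-Za-z_]*(?:api_?key|auth(?:orization)?_?(?:key|token)|secret)[A-Za-z_]*",
    re.IGNORECASE,
)


def dex_strings(blob: bytes):
    """Regex-scan raw dex bytes. Strings live in the dex as ULEB128 length +
    MUTF-8 + NUL, so ASCII URLs and identifiers are contiguous and a plain
    scan is enough for triage (no string table parsing needed)."""
    urls = sorted({m.group().decode("ascii") for m in URL_RE.finditer(blob)})
    names = sorted({m.group().decode("ascii") for m in SECRET_NAME_RE.finditer(blob)})
    return urls, names


def triage_apk(apk_bytes: bytes) -> dict:
    """Return {dex name: {"urls": [...], "secret_like_names": [...]}} for an APK."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            blob = apk.read(name)
            if not blob.startswith(b"dex\n"):  # dex magic is "dex\n0NN\0"
                continue
            urls, names = dex_strings(blob)
            report[name] = {"urls": urls, "secret_like_names": names}
    return report


def build_fake_apk() -> bytes:
    """Constructed APK with two dex files whose string constants resemble what
    the post describes: a config class holding an API base URL plus an unused
    authorization key, and a service class building /profile/<id> requests."""
    def dex(strings):
        # ULEB128 length fits one byte for these short ASCII strings.
        body = b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)
        return b"dex\n035\x00" + b"\x00" * 16 + body

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", dex([
            b"Lcom/x/Config;", b"API_BASE", b"https://x-server-api/",
            b"AUTH_KEY", b"Lcom/x/ApiConfig;",
        ]))
        apk.writestr("classes2.dex", dex([
            b"Lcom/x/XService;", b"https://x-server-api/profile/", b"getProfile",
        ]))
    return buf.getvalue()


if __name__ == "__main__":
    for dex_name, found in triage_apk(build_fake_apk()).items():
        print(dex_name, found)
```

On a real APK, replace `build_fake_apk()` with `open("app.apk", "rb").read()`. The URL list tells you which host to point the proxy at, and the secret-looking names (here `AUTH_KEY`) are the identifiers to grep for in the decompiled sources to check whether the key is actually sent with requests.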
The first is Config.java, which configures the path to the server API along with the authorization keys (so why does the API not use them for protection?). Next is ApiConfig.java which, as its name suggests, holds the configuration related to X's API. Finally, the most important file to examine is XService.java, which contains a series of methods that interact with the API. The method we care about is easy to find: it takes a user ID (String str) and sends the request to the API (the API URL being configured in the two files above). This is the place where the information leaks.
Solution:
- Replace the incrementing IDs with a randomly generated, unguessable identifier for each user (X's server already has a hash_id field for exactly this purpose, but for some reason does not use it).
- Remove sensitive user information from the API response, returning only what the feature actually needs.
- Add a feature so that sensitive information is only sent to other users if the owner allows it.
- Add the authorization key / authorization header the API needs, and check it on the server side.
- Limit the number of API calls per IP.
- Obfuscate the code to make it harder for attackers to read (this only raises the cost of reverse engineering; it does nothing to protect the API itself).
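To make the list concrete, here is an added example (not X's code) of the endpoint as the post describes it next to a hardened version that applies the server-side fixes above: bearer-token authentication, an opaque `hash_id` instead of the auto-increment key, a per-user consent flag for sharing contact details, an allowlist of returned fields, and a per-IP request budget. The server is modelled as plain functions taking a request dict and returning `(status, body)` so it runs offline; the user records, tokens, field names and limits are all constructed for the example.

```python
"""Vulnerable vs hardened /profile endpoint. Added example, not X's code;
all records, tokens and limits below are constructed."""
import secrets
import time
from collections import defaultdict

# Constructed user table. `id` is the auto-increment DB key the leaky API
# exposed; `hash_id` is the opaque identifier the post says existed server-side.
USERS = {
    1: {"id": 1, "hash_id": "k3Jd9xQ2", "name": "Alice", "email": "alice@example.test",
        "address": "1 Example St", "phone": "0900000001", "share_contact": True},
    2: {"id": 2, "hash_id": "Zp81mNv4", "name": "Bob", "email": "bob@example.test",
        "address": "2 Example St", "phone": "0900000002", "share_contact": False},
}
BY_HASH = {u["hash_id"]: u for u in USERS.values()}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}     # bearer token -> user id (constructed)

PUBLIC_FIELDS = ("hash_id", "name")           # what anyone logged in may see
CONTACT_FIELDS = ("email", "address", "phone")  # owner, or opted-in sharing only


def new_hash_id() -> str:
    """Opaque, unguessable public identifier to store alongside the DB key."""
    return secrets.token_urlsafe(9)           # 72 random bits, 12 URL-safe chars


def vulnerable_profile(request: dict):
    """The behaviour the post found: GET /profile/<id>, no auth, sequential id,
    every column returned. Anyone can walk id = 1..N."""
    user = USERS.get(int(request["path"].rsplit("/", 1)[1]))
    if user is None:
        return 404, {"error": "not found"}
    return 200, dict(user)


# --- hardened version -------------------------------------------------------
RATE_LIMIT = 60                # requests per window per client IP (constructed)
WINDOW_SECONDS = 60
_hits = defaultdict(list)      # ip -> timestamps of recent requests


def _rate_limited(ip: str, now: float) -> bool:
    recent = [t for t in _hits[ip] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _hits[ip] = recent
    return len(recent) > RATE_LIMIT


def hardened_profile(request: dict, now: float = None):
    """GET /profile/<hash_id> with auth, consent, field allowlist and rate limit."""
    now = time.monotonic() if now is None else now
    if _rate_limited(request.get("ip", "?"), now):
        return 429, {"error": "rate limited"}
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller_id = SESSIONS.get(token.strip())
    if caller_id is None:
        return 401, {"error": "authentication required"}
    target = BY_HASH.get(request["path"].rsplit("/", 1)[1])
    if target is None:          # unknown or numeric id: same answer, no oracle
        return 404, {"error": "not found"}
    body = {f: target[f] for f in PUBLIC_FIELDS}
    if caller_id == target["id"] or target["share_contact"]:
        body.update({f: target[f] for f in CONTACT_FIELDS})
    return 200, body


if __name__ == "__main__":
    print(vulnerable_profile({"path": "/profile/2"}))
    print(hardened_profile({"path": "/profile/Zp81mNv4", "ip": "10.0.0.1",
                            "headers": {"Authorization": "Bearer tok-alice"}}))
```

Two details are easy to get wrong in practice. Authentication alone is not enough: a logged-in attacker can still enumerate, which is why the hardened handler also drops the guessable key and gates contact fields on ownership or explicit consent. And the rate limit is a brake, not a fix; it turns a one-afternoon scrape into a slow one but leaves the data exposed if the other checks are missing.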
Questions about cybersecurity in Vietnam raised by this incident
Question 1: Is our information safe?
I am a security researcher who uses a variety of methods and habits to keep my information confidential. But it takes just one website that I use being attacked, and the bad guys can easily obtain this information and attack me, no matter how many protective measures I apply. And you? Are you lucky enough not to be among these 4 million users, or among the countless other disclosures?
Question 2: Do businesses and organizations in Vietnam pay attention to network security?
Exposure of user information through an API is nothing new. The Lozi case with 2 million users, discovered by Pham Huy Hoang, the similar case of 3 million found by the blogger Juno_Okyo, and now this one reaching 4 million, show how alarmingly little attention businesses and organizations pay to information security.
Question 3: A question for everyone
Somewhere out there, driven by the pace of IT development today, how many similar holes still exist?
POC (Proof of Concept)
Timeline
- 19/02/2017 15:11: Emailed the vulnerability report to X.
- 20/02/2017 11:01: X contacted me by phone, saying the vulnerability was being technically reviewed and patched.
- 23/02/2017 17:05: After more than 3 days, this serious vulnerability had still not been patched by X. X's only action was to obfuscate the Android application's code and ship an update (without changing the logic). The core of the vulnerability, the API, still has no security measures at all. For that reason I decided to publish this article to warn the users who are threatened by it.
- 24/02/2017 16:30: Met X's representatives in person at X's office and exchanged some information.
Source: Yabeow.com (View Thread) - Bui Dai Gia - Translation: Nguyen Trung Nhan