
Information on 4 million users easily leaked, and questions about the state of network security in Vietnam

Introduction
A lack of privacy, and a lack of user control over privacy, is found in many businesses in Vietnam and around the world. This problem is not new and not hard to fix, yet it has been and still is being overlooked. The main purpose of this article is to warn businesses and organizations, as well as users, to pay more attention to the urgent issue of information security.
Out of respect, and because I do not want to damage the reputation of this company/organization, I will keep it anonymous and call it X.
How I found this hole by chance
I am a user of X, and one day while using X's Android app on my phone, I noticed that I could view other users' sensitive information such as email, address, and so on. This is a feature of the application that lets users contact each other, and perhaps nobody pays attention to it. However, based on judgment and experience, if this function is not secured properly, a hacker can forge requests identical to the ones the application sends to X's server and then collect all users' information. X has a huge number of users, in the MILLIONS, so if this is feasible, it is a serious security breach.
From judgment to reality
Starting from this thought, I proceeded to analyze the requests that X's application makes. I used ARC Welder to run the X application on my computer and Fiddler to capture every request leaving that application. With the configuration done, I opened the application and used some basic features, and Fiddler immediately captured a lot of interesting information:
[Figure: Fiddler captures the X Android app requests]
You can see the application requesting pages of the form https://x-server-api/profile/user-id. Copying these URLs and opening them in a browser as a test is even more surprising:
[Figure: API returning a user's public information]
You can see that I can obtain the user's information entirely through the browser, which means:
  • Retrieving a user's information requires only the ID, but the ID is generated by the database itself (auto_increment), so by scanning from 1 to the maximum a hacker can retrieve every user's information.
  • This API has no authentication of any kind: no authorization token, no authorization header, nothing. The API even passes its arguments via GET rather than POST.
At this point my judgment was confirmed. It is dangerous: if this information falls into the wrong hands, it will have serious consequences.
Determine how many users are affected
The vulnerability is serious, but the question is: how many of X's users have been exposed? To answer it, I proceeded by the classic guessing method.
Since the ID used by the API above is assigned by the database by incrementing (each additional user increments the ID by 1), the number of affected users is easy to determine by finding the minimum ID and the maximum ID.
Finding the minimum ID is simple: start at 1 and increase until the API returns information. Right at ID 1 the API returned a user (probably X's very first user).
Continuing on to find the maximum ID: X is a big company, so I boldly tried one million (1000000), and the API returned no error; up to two million, still no error; at five MILLION the API finally returned an error. This means more than 4 MILLION users in Vietnam are affected (more than 4,100,000). That is an extremely high number: compared with the number of Internet users in Vietnam (source), 52 million as of June 2016, roughly one in every 13 Internet users in Vietnam has had their information exposed.
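The sequential-ID probing described above leaves a distinctive trace in server access logs. As an added defender-side example (not part of the original post), the following detection logic flags any client that requests consecutive profile IDs in order; the log format, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from X's servers): one ordinary
# user fetching two unrelated profiles, and one client walking IDs in order.
SAMPLE_LOG = """\
10.0.0.5 - [19/Feb/2017:15:00:01] "GET /profile/48213 HTTP/1.1" 200
10.0.0.5 - [19/Feb/2017:15:00:09] "GET /profile/77 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:00] "GET /profile/1 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:00] "GET /profile/2 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:01] "GET /profile/3 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:01] "GET /profile/4 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:02] "GET /profile/5 HTTP/1.1" 200
203.0.113.9 - [19/Feb/2017:15:01:02] "GET /profile/6 HTTP/1.1" 404
"""

# client ip, numeric profile id, HTTP status (status kept so probes past the
# last valid ID, which return errors, still count toward the run)
LINE_RE = re.compile(r'^(\S+) .* "GET /profile/(\d+) HTTP/[\d.]+" (\d{3})')


def find_enumerators(log_text, min_run=5):
    """Return {client_ip: (first_id, last_id)} for every client that requested
    at least `min_run` consecutive profile IDs in ascending order.
    A run is broken whenever the next requested ID is not previous + 1."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            requests[m.group(1)].append(int(m.group(2)))

    flagged = {}
    for ip, ids in requests.items():
        run_start = prev = ids[0]
        for cur in ids[1:] + [None]:          # None terminates the final run
            if cur is not None and cur == prev + 1:
                prev = cur
                continue
            if prev - run_start + 1 >= min_run:
                flagged[ip] = (run_start, prev)
            if cur is not None:
                run_start = prev = cur
    return flagged
```

A real deployment would feed this from the API gateway's logs and alert on the flagged IPs; the threshold trades false positives from legitimate list views against sensitivity.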
Finding the hole in the code
Android applications are easy to decompile and read, so I extracted the APK file of the X application for review.
[Figure: Extracting the X Android app]
We only need to care about two files, classes.dex and classes2.dex, which hold the Java code in binary form. Converting these two files with the dex2jar tool produces a great many Java source files, which would take a long time to review by hand, so I used grep to find the files containing code related to the hole.
[Figure: grep locating the vulnerable files (1)]
[Figure: grep locating the vulnerable files (2)]
It is easy to identify three related files, Config.java, ApiConfig.java and XService.java, so I opened these three files in Sublime Text for a closer look.
The first is Config.java, which configures the path to the server API along with the authorization keys (so why does the API not use these to secure itself?).
[Figure: X API Config]
Next is ApiConfig.java, which, exactly as its name implies, contains the configuration related to X's API.
[Figure: X API Config detail]
Finally, the most important file to consider is XService.java, which contains a series of methods that interact with the API. Here I easily found the method we are most interested in:
[Figure: Request Public Profile method]
This method takes the user ID as a String (str) and sends the request to the API (the API URL is configured in the two files above). This is where the information leaks.
Solution:
  • Replace the incrementing IDs with randomly generated IDs for each user (the X server already has a hash_id for this purpose but, for some reason, does not use it).
  • Remove sensitive user information from the API response, keeping only what is needed.
  • Add a feature so that sensitive information is sent to other users only if the user allows it.
  • Add the authorization key and authorization header the API needs.
  • Limit the number of API calls per IP.
  • Obfuscate the code to make it harder for hackers to read.
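As an added example (not code from X or from the original post), here is a minimal server-side profile lookup that applies the first five points of the list above: an opaque HMAC-derived handle in place of the auto_increment ID, a required bearer token, a per-IP rate limit, and contact fields returned only to the owner or when the owner has opted to share them. The user data, token names and field names are constructed assumptions, not X's schema.

```python
import hmac, hashlib, secrets, time
from collections import defaultdict

# Constructed sample data; field names and tokens are assumptions, not X's schema.
SECRET = secrets.token_bytes(32)  # per-deployment server secret, never sent to clients
USERS = {
    1: {"name": "An", "email": "an@example.com", "address": "HCMC", "share_contact": False},
    2: {"name": "Binh", "email": "binh@example.com", "address": "Hanoi", "share_contact": True},
}
TOKENS = {"tok-an": 1, "tok-binh": 2}  # bearer token -> authenticated user id

def public_id(user_id):
    """Opaque handle exposed in URLs instead of the auto_increment key
    (the job the post says X's unused hash_id was meant to do)."""
    return hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]

PUBLIC_IDS = {public_id(uid): uid for uid in USERS}  # handle -> internal id

class RateLimiter:
    """Sliding-window cap on profile lookups per client IP."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(list)
    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.hits[ip] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[ip] = recent
            return False
        self.hits[ip] = recent + [now]
        return True

LIMITER = RateLimiter(limit=30, window_s=60)

def get_profile(handle, auth_token, client_ip, now=None):
    """Hardened lookup: rate-limit, authenticate the caller, resolve the
    opaque handle, then return only what the profile owner agreed to share."""
    if not LIMITER.allow(client_ip, now):
        return 429, {"error": "rate limited"}
    if auth_token not in TOKENS:
        return 401, {"error": "authentication required"}
    uid = PUBLIC_IDS.get(handle)
    if uid is None:
        return 404, {"error": "not found"}
    user = USERS[uid]
    body = {"name": user["name"]}  # minimal public view
    if uid == TOKENS[auth_token] or user["share_contact"]:
        body.update(email=user["email"], address=user["address"])
    return 200, body
```

Because handles are derived from a server secret, a request for "1" or any other guessed integer resolves to nothing, which is what removes the scan-from-1-to-max path the post describes.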
Questions about cybersecurity in Vietnam raised by this incident
Question 1: Is our information secure?
I am a security researcher who uses a variety of methods and habits to keep my information confidential. But if just one website I use is attacked, the bad guys can easily obtain this information and proceed to attack me no matter how many security measures I apply. And you? Are you lucky enough not to be on the list of these 4 million users, or of the countless other information leaks?
Question 2: Do businesses and organizations in Vietnam pay attention to network security?
Exposing user information through an API is not a first. The Lozi case, with 2 million users, discovered by Pham Huy Hoang; the similar case of 3 million found by blogger Juno_Okyo; and now this one, reaching 4 million, show the alarming state of businesses' and organizations' indifference to information security.
Question 3: A question for everyone
Somewhere out there, driven by today's rapid development of information technology, how many similar holes still exist?
POC (Proof of Concept)
[Media: Exploit X Server]
Timeline
  • 15:11 19/02/2017: Emailed the vulnerability report to X.
  • 11:01 20/02/2017: X made contact by phone, saying that the hole was being technically reviewed and patched.
  • 17:05 23/02/2017: After more than 3 days, this serious hole has still not been patched by X. X's only action was to obfuscate the Android application code and release an update (without even modifying the code). However, the main part of the vulnerability, the API, has still not received any security measures. For that reason I decided to publish this article to warn users who are threatened by the vulnerability.
  • 16:30 24/02/2017: Met X's representative in person at X's office and exchanged some information.
Source: Yabeow.com - Bui Dai Gia - Translation: Nguyen Trung Nhan

