
The wonderful... not sure which name to introduce. Yes, man, do you want to come on camera? Hi, man, how are we doing? Here we go. I'm great, how are you? I'm absolutely grand. So up next we have a friend and an awesome, well-rounded dude who is absolutely brilliant. We have "The Journey from Discovering Vulnerabilities Towards Disclosure". Now, I've seen some version of this talk and it's absolutely brilliant. B, I'm going to pass it over to you. If you don't follow B on Twitter you absolutely should; he's a lovely guy and he knows his stuff. B, take it away, man.

Thanks for the introduction, I guess that was pretty long, but again, thank you. So let me get my things up. Right, and I guess it's up right there, let's try this. Oops, sorry. All right.

So hello everyone, I hope you're doing well. It's Saturday, I guess you're enjoying the weekend; everybody is staying home, I believe, due to the pandemic, and thank you for joining. Just an introduction about myself: I do the security stuff for a bank here in Pakistan and I've been doing security for around six to seven years, mainly focused on red teaming. Android is one of my interests and, you can say, hobbies, so I look into the Android stuff in my day-to-day tasks sometimes, and sometimes when I'm done with my official engagement and I'm back home I just do it as a hobby, as well as to make a contribution to the community.

So with that, we are all hackers. I guess everybody has joined us, but again, if you have joined as a coder, now you can claim yourself to be a hacker, because you have seen a lot of things and heard a lot of things. Sean was discussing something with respect to vulnerability patching and stuff like that, so with that you can get a lot of knowledge about information security, in terms of career and in terms of doing stuff around it.

So when we talk about hackers, most of the time we are looking after these security vulnerabilities (or "wonder abilities", or whatever you call it). Mostly we are focusing on stuff like: what are the loopholes, what are the weaknesses? And most of the time, most of us find this kind of stuff while we are using the application. Let's take an example; I'll take the example of myself. I used one application for food ordering, or for getting a cab to my home, and while I was exploring the application I found that there was something fishy going on, and when I started exploring it, it was indeed a fishy thing, so I had to report it to the relevant party, the person who was dealing with the application. So one of the factors while we are researching vulnerabilities is that you care about the data, you care about the stuff you have put into the application, and you are really worried about the details you have put out.

The second thing is, everybody wants to make the Internet a better place. So let's say we do research; some of us, like Sean, do a great job, the Beer Farmers do their job in terms of awareness, and there are a couple of other people out there. I cannot remember their names, but if you start searching for security researchers you'll get a lot of people: not the ones who claim to have done hacking or cracking back in the '90s and '80s, but the modern-age ones. So again, making the Internet a better place to live in, and we strive to find such bugs, such vulnerabilities, such weaknesses, and we make sure that these vulnerabilities are patched, because they sometimes affect the privacy of a customer, of an organization, of an individual, or sometimes it tends to be a violation of human rights as well. So most of the time we look out for the stuff that is very dear to us, and we are very careful.

And yeah, some of them actually make a living out of it. There are a lot of platforms out there; they have open programs, they have opened their bug bounty programs for people to join in and hack for them legally within the scope, and they make a good living out of it. I was reading a report back in March, no, back in May or June, I guess, where there was a vulnerability disclosed by Apple and a huge amount was paid to the security researcher. And the recent one: a security researcher found a really great vulnerability in Slack and he got paid... I would say, and this is my own personal opinion, that the payout for that vulnerability was pretty low, but again, that's totally the organization's decision, paying out the bounties to the researchers for vulnerabilities. And it's a good thing for people to do in their free time, or whenever they want to do it: just sit in front of your laptop or your PC and do it.

A few of us are the individuals who actually find these kinds of bugs to... I don't want to name them, but they create havoc around the world, try to get as much data on people as they can, try to disrupt operations. The Ukrainian electric company was an example that was attacked. So that again involves black hat activity, and they do it for a political reason, for a reason that motivates them politically. And then there comes a group of hackers, no, I won't call them researchers, I would call them hackers, black hat hackers, who just hack for the fun, who just want to troll someone, who just want to beat the shirt out of someone, which is a very wrong practice.

So a lot of blab about hackers and the types, the "hats" of hackers. This is something we usually come across while searching for "hackers" in popular encyclopedias, Wikipedia being one of them, and they have given a very neutral kind of opinion of hackers: that there are groups of hackers who are basically skilled programmers, or sometimes they are skilled network infrastructure guys. But again, the information security or cyber security domain does not require you to learn prerequisite stuff to get into security. If you want to get into information security, just google it and you'll find stuff around that, and you can do anything: if you want to be a pentester, if you want to be a bug bounty hunter, if you want to be a security analyst, if you want to be someone who deals with incident response, just google that. So I guess the explanation given by Wikipedia is pretty different from the community or the industry that works around it.

All right, so let's talk about the vulnerabilities. While I was doing the research, most of the applications I found had no code obfuscation. Let's say there was an application
I previously discussed, which I said was a cab application: it had no code obfuscation. What code obfuscation basically does is, it doesn't actually encrypt your code; rather, it creates a separate class, a combination of classes with different kinds of names, so it doesn't look like a realistic name to you, and then you cannot get the functionality or the parameters that have been used in the application.

The other interesting stuff I found in all of my security research was API credentials being hard-coded within the application. So while developing for Android (and Android actually has three different platforms which we can utilize for developing applications: one of them is the native application, native Android or Kotlin; the other one is Flutter; and the third one is cross-platform, like the React Native kind of stuff). Before React Native we used to find applications built on Cordova and Ionic, which again use JavaScript, or let's say the WebView API of Android, and mostly you will find these files within the assets folder of the Android application. So if anybody is familiar with Angular or AngularJS, they would actually find all of those functions, the modules, the controllers, within that folder or within that folder tree I've mentioned above.

In most of the cases these API credentials are hard-coded just to make sure that the application runs smoothly. I was listening to a talk that was being given by, again, the Beer Farmers, and it was about the process management of application development: most people are really curious about the deployment, about their production pipeline, so they want their stuff to be deployed to production as soon as possible, and in all of that phase we forget, or totally ignore, the part where information security or cyber security kicks in. Let's say you are a software company and you want to deploy your application because your competitor has actually got the idea and you just want to make it work faster than them, so you restrict the developers to certain days and ask them to deploy as soon as possible. But obviously everything requires time, everything requires a certain amount of effort to be invested in it, and in all of this hustle and bustle we miss a lot of parts, which later on turns out to be one of the worst nightmares for the people who are actually managing the financial applications.

So there was one financial application, you can say semi-financial application, that had the API credentials hard-coded within the application, which is a really bad practice. Even if you want to hard-code any sort of credentials, don't do that; rather, use the Google library which provides you a token for accessing the relevant information. And when you browse the website of a corporate application you find a parameter which we usually call HTTPS. Some of them consider that the most secure protocol for accessing applications, but again, it requires configuration on the back end to allow TLS, and then combining TLS and SSL to work, so that reduces the risk of the data travelling in clear text.

When we are talking about mobile applications specifically, most of them don't have SSL pinning or certificate pinning. In my own survey I found 40 to 30 percent of the applications, say 38 percent, let's just round it up to 40 percent: 40 percent of the applications I found on the Google Play Store, most of them didn't have SSL pinning, and most of them were communicating over a cleartext protocol. So if you have a malicious entity in your network and you are doing a financial transaction, that entity, that malicious actor, would actually get all of the credentials, and later on you have to try to control the PR disaster that happens after the hacks.

Then there was another application which had... okay, so this is something very important to me and I wanted to take more time discussing this. While most bug bounty hunters look for the Google Maps APIs, like whether a key has access to other resources, they miss the part where it has other sub-modules that can be utilized through the same Google API. In my experience, I was assessing this application and it had a Google API; the application was built on a native platform, they were using Firebase for the database, and they were using Google APIs like the Google Identity Toolkit to manage user registration, user login, and vice versa. While I was looking into this application I found some really, really interesting stuff, and before I talk more about the application, let's discuss what that application was. Surely I cannot disclose the name, due to confidentiality reasons, but it had almost 1.5 million downloads across both app stores, Android and iOS; what do we call that, the Apple Play Store? Oh no, sorry, excuse me, it was the Play Store for Google and the App Store for iOS. So the cumulative downloads were around 1.5 million, and they were providing premium services. Let's say if you wanted to design a card, a greeting card, for someone; say I want to send a happy birthday card to Scott in Scotland, I can design it through that application and ask them to ship it to Scotland. So there are issues with the shipment, but again, they had this premium service to allow users to send goodies and gifts around the world.

They had a really great reputation. I was looking at their feedback from customers and from support, and they really had great customer support, so what I thought was that the application owner or the business owner was really interested in the feedback of the customers and they were really careful about their reputation on both app stores. And as I already explained, they were using Firebase for data storage and the Google platform for development. If you can see on the right side, I shared a screenshot of the Google Identity Toolkit. What it basically does is provide certain functions which you can utilize within your application. Let's take the example of deleting an account: you pass a token to this Identity Toolkit and then it deletes that specific account from your database, from your instance. The other one is getAccountInfo: if you get the key for a specific account, you can find out all the account details of the person who owns that account.

So, moving forward with this interesting feature of the Google Identity Toolkit, getAccountInfo. While I was exploring this part, I guess there must be some confusion going on among people: whether I had actually exploited the Google Identity Toolkit, or whether there was something related to the Google Identity Toolkit in the application. The second part is the correct one. The application was using the Google Identity Toolkit to manage their customers logging in and out of the application, but they were not doing it in a secure way; rather, they were passing certain parameters within their RESTful APIs to achieve their business goal, whatever business process was involved. So this function was really interesting for me to explore further.

While I was exploring this function of the Google Identity Toolkit there was, again, the misconfiguration of Identity and Access Management too. There was an unclaimed email address of the company which I found through OSINT. Again, I would like to pitch in the Beer Farmers; Scott was one of them who did a "poison pace" workshop, I guess a month ago, and that was really interesting and I learned a lot of stuff from them as well. I had a few of the skills earlier, I used a few of the tools, but with that I learned a lot more. So earlier, when I saw there was an unclaimed email address, I could actually create a password reset request through that same email address, and it would actually give me the information for that specific owner. And then, coming back to the Identity Toolkit and the parameters that were passed within the RESTful API, there were some IDs. Let's say you are user one and I'm user two; the application would actually get details for you by getting the ID, the user ID, through the RESTful API. So that makes a concrete case for ID-based attack scenarios, and it was time to disclose the vulnerabilities.

So I disclosed the vulnerability to their engineering department. But before going to their engineering department: I had found they were very focused on their customer support, so I found their support portal and I submitted the form to their support portal and asked them that I wanted to contact someone from their engineering department, because I had found some vulnerabilities that were really, really bad and needed to be fixed, needed to be patched, and that I couldn't discuss them on a public forum because that would let everybody know about them, and it would be very helpful if they could create a separate, private platform so that I could communicate with them in a more secure way. So they created a support ticket for me; normally when the guys see stuff like that they create a ticket for you and ask you to upload your stuff there. I uploaded the stuff there and got good news, but the astonishing news was that they were rewarding me for my work. That was something very interesting for me, because I wasn't into the bug bounty stuff before; that was back in 2019, but this support message I got was in January 2020. So that really inspired me towards security research, as well as making a good earning from it. And then I got the email from their platform engineering guys and they were really happy with the work I did. This wasn't for the financial benefit, something I should put out, but, like I said, they were kind enough to pay me out for all of these bugs, so that's a win-win situation for me at the end of the day.

So we are done with the disclosure, and now, what's next? In all of my experiences with security research and disclosing security vulnerabilities to organizations, I found that at times we do not think about our rights, do not think about the law we are following. There's a great talk by Cole, I'm sorry, her name is a bit difficult to pronounce, but I've put it out right there for people if they want to follow, and the link is down there. That's a really interesting talk you can watch to get to know your rights while doing security research. Recently I spoke to her on Twitter and I asked her a couple of questions that pertain to responsible disclosure, and she was very kind to respond to those queries, and I'm really thankful for her support in this case.

The other thing is, when we are doing security research, we sometimes miss the part where we don't consider privacy. In the earlier example I shared, I could actually get all of the details of the customers that were registered on the platform, on that application, right? So rather than doing it the worse way, I created a separate account for myself, logged in through that account, and obviously got the user ID for myself, so I was actually creating attacks or scenarios using two different accounts that were both owned by me. That gives a good example, that gives a good impression in front of the person to whom you're disclosing the vulnerabilities, because I guess at the end of the day it's about making the Internet a better place and sharing the knowledge or the experience you got with the community out there. And don't throw it out on social media, because that sometimes turns out to be a very bad idea; rather, settle the discussion in private, or in a way that ignores the public factor of the Internet.

Let's say Google has a policy of a 90-day disclosure program, 90 plus one I guess, so if there's something they cannot patch in 90 days, either they ask for an extension or you are entitled to disclose the vulnerability publicly. There's a very classic example that just happened a few days back where security researchers found a really nice vulnerability in, I guess, their mailbox or something; I guess it was similar to email spoofing. Google had planned to patch it at the end of 2020, or later this year, I mean later next year, but the security researcher requested disclosure because it was something critical, and after the disclosure Google realized it was something critical to them and they patched it within eight hours. This is something very interesting, patching something within eight hours: why did they require a whole year to patch a vulnerability and then do it within eight hours? That changes the perspective, and that changes the condition of the organization, how quickly the workforce works on something that has been posted out in the media, on the social platforms, or disclosed publicly. So I think I took a lot of time, but I'll just shut up with this: thank you everyone, stay safe, and hack the planet more responsibly. Thanks so much.

Oh, thanks, man. As always, you're absolutely outstanding. I think we're going to go to Antagonistics, but before you go, we do have another question, from Euless: "I pay up front instead of telling you it's a duplicate. What is your general experience, the follow-up on responsible disclosure, bug bounty, just what is your general experience with it all?"

All right, so my general experience with vulnerability disclosure is sometimes very nice and sometimes very bad. Let's say I did a responsible disclosure for a government application; I didn't want to mention it here in my talk, but that was pretty bad for me, so right now, as I speak, I would never, ever think of disclosing a security vulnerability to a government organization where I reside. However, when I was working on the application I mentioned, it took them some months to fix it. But again, let's be realistic about the approach while we are moving forward with disclosure. There are teams who work with two to three resources and there are teams who are working with hundreds of resources, so sometimes these sorts of vulnerabilities are pretty difficult for the team with low resources to patch, and sometimes it's pretty easy. Like I said in my earlier example, Google patched that vulnerability in eight hours; they could have done that before December 2020, or in 2021, later this year, but they didn't. They noted the fact that this vulnerability wasn't critical, but once that vulnerability was published by the security researcher, disclosed on an agreement, Google found out that it was very critical, and they had to get their act together.

Okay, cheers. I think that answers the question really nicely, and genuinely, thank you again so much, B, for giving up your time and presenting. I know you had a late one last night shuffling your slides around; I think everybody did, actually. But no, a lesson, man, is always appreciated. You're amazing, thank you so much for that talk, that was awesome.
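The broken access control the speaker describes (a "get account info" call that looks up whatever user ID the client passes in its RESTful API) and his testing method (two accounts, both his own) can be shown concretely. The following is an added example written for this page; it is not code from the talk, the speaker, or the application he assessed, and it has nothing to do with the real Google Identity Toolkit. The in-memory user table, the session tokens, the `login`/`get_account_info_*` functions and the `idor_check` harness are all constructed for illustration.

```python
"""
Constructed example (not from the talk): an IDOR in a "get account info"
endpoint, the same endpoint with an ownership check, and the tester's
two-accounts-both-mine probe that shows the difference without touching
any third party's data.
"""
import secrets

# Constructed sample data: two accounts the tester owns (u1, u2) and a
# stranger's account (u3) that a correct endpoint must never hand over.
USERS = {
    "u1": {"email": "tester-one@example.com", "address": "1 Test St"},
    "u2": {"email": "tester-two@example.com", "address": "2 Test St"},
    "u3": {"email": "stranger@example.com", "address": "99 Private Rd"},
}

# Assumed session store: opaque token -> user id of the session owner.
SESSIONS = {}


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but the caller does not own the requested record."""


def login(user_id):
    """Issue an opaque session token bound to a user (assumed auth flow)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def _authenticate(token):
    """Map a session token back to its owner, or refuse."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid session") from None


def get_account_info_vulnerable(token, user_id):
    """Authenticates the caller but then trusts the client-supplied user_id
    for the lookup, so any logged-in user can read any account. This is the
    IDOR pattern the talk describes."""
    _authenticate(token)
    return USERS[user_id]


def get_account_info_fixed(token, user_id):
    """Authorises as well as authenticates: the record returned must belong
    to the session owner. The user_id parameter is kept only to show the
    check; a cleaner API drops it and serves the session identity alone."""
    caller = _authenticate(token)
    if user_id != caller:
        raise Forbidden("not your account")
    return USERS[user_id]


def idor_check(endpoint):
    """The probe from the talk: log in as one account you own and request
    the record of a second account you also own. Returns True if the
    endpoint leaks it, False if it refuses. No stranger's data is read."""
    token_a = login("u1")
    try:
        leaked = endpoint(token_a, "u2")
    except Forbidden:
        return False
    return leaked == USERS["u2"]


if __name__ == "__main__":
    print("vulnerable endpoint leaks another account:", idor_check(get_account_info_vulnerable))
    print("fixed endpoint leaks another account:     ", idor_check(get_account_info_fixed))
```

The probe deliberately asks for `u2` while holding `u1`'s session: if the second record comes back, the endpoint is keyed on the client's parameter rather than on the session, which is exactly the condition that would also expose `u3`. Checking it with two accounts you control gives the vendor a reproducible report without anyone else's data appearing in it.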