Breaking the Giants with Logic

okay so hello everybody and welcome to uh this year in beside Charlotte I'm Ali khabil and today we will be presenting the presentation title breaking the giant switch logic this is actually the second one in the series so we have the first part last year and we are having the second part right here today so let's kick off with some who am I um so I'm a security engineer at bending spoons but just a disclaimer this talk is not sponsored by my employer in any way it's just me uh I have been a Bug Hunter and a security researcher since 2014 and we will know what's really about countries in case you are curious about it um I my research interest basically evolve around privacy web application security as well as network security and I'm particularly passionate about exploiting vulnerabilities bare-handed and we will know exactly today what bare-handed exploitation mean um as a hobby I like giving talks in several besides presentation uh besides security conferences um and this is my last year here luckily so I'm really glad to use you all uh in case you want to find me on social media so feel free to reach out uh logic breaker on Twitter and um so enough with who am I and let's kick into uh some motivation of today's topic so before we start we you might have noticed that we talk about breaking the joints with logic so let's break down the title into two pieces so the first piece which is breaking the joints and by the joints we mean gigantic companies basically the big player the one that have massive amount of data centers and data stored examples are Facebook Instagram Google Snapchat and so on uh so we want to break those we want to break something as big as that using logic and now let's talk a bit about what logic is and I must apologize to anybody who have ever been into a formal logic class this is not what you are expecting we are talking about informal logic something that's really simple so informally logic is what people think is right what people think makes sense so if I told you that um in the middle of the summer uh it's gonna be freezing and it's currently snowing for example you are telling me this is nonsense it's not logical why because it is not what we know it's not what um The Common Sense agrees on so logic had been there for years and it's actually since eternity that it's the core of mathematics physics and computer science people reading about things this is what logic basically is and let's just take a look away from security at a very simple logical bug so let's see this function defined in Python it's obviously an addition function so you just take two arguments X and Y and it should return their multiplication sorry their addition um and as you can see here uh what's basically returning in their multiplication so if I printed add one two uh basically I'm expecting three but this is not what's happening so when the code run the code will definitely run does it have any syntactical error that would be code during compound during uh interpretation time nothing at all the code will run perfectly but it's not the result that you are expecting it's not a logical result the addition of one and two is three and not two so this is basically a very simple logical bug the program runs but it's not doing what's expected to do of course this is very simple it has almost no security impact but it is just to demonstrate the idea of pathological bug can be so um let's take a sideway a little bit and talk about the life of a bug Hunter so for those of you who don't know bug hunting is basically finding um security vulnerabilities in companies and Reporting it to them under what we call responsible disclosure policy um you basically find the vulnerabilities and if the company accepts you to report those you just go and report them if the company does not have this policy you are not authorized to do so so don't go along just attacking people this doesn't work that way it just be under a policy in that case so there is really a bad struggle in bug hunting that you may find a security vulnerability in one website and then go and think that this is a really good vulnerability and in fact it is but when you go to them and they told you okay this is a duplicate and by duplicate we simply mean this bug has been reported before we are sorry we're not paying you anything and now all the work that you have done uh is done for nothing basically so now as you can see this mean duplicates are really bad you find really something uh very effective but instead of it paying off you just end up in pain in that case so a good question that I asked myself because I've been at my counter for many years like why do duplicates happen so basically duplicates happen because people overly rely on code vulnerabilities they always rely on things related to remote code execution related to cross-site scripting vulnerabilities in the code itself they don't really go into the application logic we don't understand the business model of the website usually because this takes a lot of time and people just want like what we call Hot cache so they just report vulnerabilities right away without trying to understand the business model or the goal of the business in that case or the website uh as we are talking about so um I thought about how to get out of this duplicate Zone and I found actually two interesting answers the first one is that you should be like extremely experienced in coding and you can find things that are what we call D-Day vulnerabilities they are really very hard to do and you actually need more years of experience just to build this amount of technical knowledge that enable you to report those kind of vulnerabilities but there is a much easier way which is just where your thinking hat think about the business model think about what's logical and what's not logical so let me give you an example of something that is a logical vulnerability just for you to understand how this can slip so imagine that you are on an e-commerce website something like Amazon for example and then you are buying your goods and all of a sudden you are buying something for 100 for example and then while checking out you find out that you can manipulate the price to like one dollar and all of a sudden you got your items instead of one hundred dollars with one dollar this happened because basically there is no check on that so of course this won't happen in Amazon but it may happen in other side that they don't check if you manipulated the price so you can get your thing at a very discounted price because this kind of check is not working um think about providing a negative number for example so you just manipulating the request going to the server edit a negative number and now instead of just getting the goods uh for its real price the negative price may be for example map to zero or to any other unknown or uncatched behavior and you end up getting those items for free so this is an example for logical vulnerability and as you can see you just need to think like a bad guy to do it it doesn't need deep knowledge of coding it doesn't need deep knowledge of security just think like a bad guy understand the business model and attack it it's hard for an e-commerce website the worst nightmare that they can have is people buying goods for free if you do that the business model will collapse and eventually you will win so um let's go along and just dive into a very short theoretical introduction to business logic so we will borrow some definitions from our friend that OAS and Port zweger um in case if you don't know them I would greatly encourage you to go and reach out to them because they are like the core Foundation security especially in web Security in that case so they Define logic and vulnerabilities or what we call business logic vulnerabilities as those vulnerabilities affecting the business model and the unique thing about business logic vulnerability is that they exist in the business model itself in the process it's not about the code it's not about finding vulnerability that will make the code go crazy it's about finding this unhandled apks think that the developer might have overlooked for example providing a negative amount of money um that would simply allow you to buy things for free um or for example finding a way to double your points whenever you are buying from something so let me give you an example uh loyalty programs exist and they are very abundant and now think about going to a shop and then buying things for 100 so you'll get 100 points so if you can find a way to turn those 100 points to like 1000 points and then use those 1000 points to pay other Goods since you are a very loyal customer in that case this is a logical vulnerability because for example the shop would say for every 100 we are giving you back five dollars as points but if you can get 50 or 500 this means that you might be taking Goods at a very used price or even coding the shop to give you money back by having more points than what you have actually paid for so this is one example of business logical vulnerabilities it again it attacks the core of the business in that case so let's go away from Theory and let's take a very simple case study uh regarding one of the things that have really a lot of logical vulnerability in it so invitation systems and basically um I usually refer to email based invitation systems so email-based invitation systems are extremely simple uh let's take the case of for example having Facebook groups and in Facebook groups um you just have this kind of nice invitation somebody's inviting you to join their group and this invitation link is present on um it's sent to you on your email uh by a group member or a group admin and we want to think together what can go wrong what exactly can go wrong with this invitation so you see this kind of invitation it's https so I know somebody would say maybe it's unencrypted no it's really well encrypted and they have taken this kind of precautionary thing to make sure that the connection is very well protected but like really a lot of things can go wrong Beyond this point so let's have a look for example you can find here a parameter called group ID in that case this group ID seems pretty interesting to me you have group ID one two three what if you change it to one to four maybe you are able to join groups that you were never invited for this is one interesting thing so if there is no check on the group ID and the request just go through you might be able to Simply join another group without being invited to it and then the read the sender ID imagine that groups would display who actually um invited you to this group similar to some application which displays this Clubhouse used to do that for example so imagine that I I can simply make somebody so famous like Marcus Zuckerberg for example invite me to a group and then everybody will see that this guy invited me to this to this group so I would take a lot of credibility because I know Mark Zuckerberg and it's actually Facebook saying that I know that guy because they say he invited me to this group so if simply I changed the sender ID and it works congratulations now I got a lot of credibility that I don't really deserve or it's what's really true in that case another thing in the member type so and you see member type one as computer scientists we know things usually start from there so the first thing I would think of maybe number type one is a Norman member and zero is maybe an admin for example so I would try to manipulate this one and instead of joining the group um at the mere remember why not join as an admin in that case so I will change the one to zero and then see maybe um it will just cause me to join an admin in that case um other things might be this kind of token so this token for example maybe this token is there to check that the invitation is valid but what if I remove the token altogether what will happen when the invitation still work in this token really uh poorly formulated so it is just for example my email so I can just change this email and everything will work so this is another point so this token is pretty important for example uh if it's really short can I boot force it all of this just exists in a single innocently looking uh URL but all of these are visible and now let's put our thinking hat on and think beyond what we see so let me think about that this invitation is intended to a single person so a single person should be able to use this invitation to join a group but what if you can share it with your friends so let's assume that this group only admins are allowed to send invitations so whenever you want to join the group an admin should invite you to this group but now you have known that this link can allow you to let your friends join the group so our now you are escalating your privileges to more or less an admin privilege by sharing this link with your friends they are all in the group and instead of just having this single person you are inviting Your Role friends and family to join this group this is a logical thing why because the developer just didn't check that whenever the link is used just go expired so this is one example of things beyond what we see another thing is what will happen if you were removed from your group so imagine that you're a troublemaker you join using this invitation link the admin know that you are going doing bad stuff and just remove you from your group and then all of a sudden you just click the link and hooray you just join back the group that you just left because the link never expire this means that the admin can never remove you from the group and you are maintaining persistent access maybe to a work group for example so you are accessing confidential information maybe is a problem and this is again something beyond what we see just put your thinking hat on and the possibilities are Limitless um so enough with this example because you might think that it's a theoretical one but let's see something practical in a really known uh application so today we'll be having two very interesting case studies the first one um I called how to create friendships that left Forever on Facebook and the other one is how to become an invisible stalker on Instagram and they would assure you that they are pretty interesting and can be exploited by really somebody with no technical knowledge at all which is pretty interesting to me so let's go to the Facebook case so back in the days when Facebook was really um less famous than now Facebook would tell you okay you are on Facebook why don't you just invite your friends so just enter their email address and we will tell them okay Ali wants to invite you to join his Facebook account please go and join his Facebook account and so on of course this feature is no longer available because Facebook now is like a billion user company so they don't do that anymore but back in the days this happened and the flow was exposed you just send your friend an email and when they joined Facebook Facebook automatically adds you as their friend because they assume that you are inviting your friends so instead of having the hassle of inviting somebody and then sending their friend request Facebook said okay let's combine those together you invite somebody to Facebook and they automatically become your friend up till now there is nothing that with that so what happened that you invite somebody to Facebook they join and they are added as your friend now what now simply you had a fight with them you are no longer friends um and you decided to remove them from your Facebook so you just go along and remove the person from your Facebook and this should be it but this friend is a bit smart and he thought okay when I joined Facebook the first time Ali was as my friend now I want to force Ali back to be my friend for whichever reason one very interesting reason is that I want to see his friends only post for example so what can I do it's pretty simple just go back to this link invite that was sent to your email re-click it again and you are just re-accepting it and this really happened so this is not a hypothetical scenario this vulnerability existed in Facebook in real so you just go accept the invite again and that will be added to your account and I can do nothing about it and you can do that presumably any number of times like even if I block you you can still return me as friend which is super weird yeah this was what really happened so what why did this happen in the first place because the invitation that Facebook sent has no expiry date it has no expiry limit so it can be used once twice and Thrice I'll tell you something even more interesting you can use the same invite for multiple people so it's not just that I will re-add this person will invite me once again I can just distribute the invite and whoever gets the link is Alice Friend by force Ali can do nothing about it they can just remove them and what happened is I will just click the link again so it's like a permanent friendship that will live forever in that case um so that's it about Facebook uh invitations and now we'll be moving into another interesting case study uh by Instagram so let's think before digging into the details of Instagram and think about the dream of a stalker like of course I'm not encouraging you to be a stalker this is not really nice but let's think hypothetically about what a stalker would like to have they would like to have a permanent access to the person they are stalking basically so they they want to be having some kind of permanent access to the account um the all the posts they have access to there is no friends only posts that are hidden they have like full access to everything uh the other thing that would like to be is not being detected this is like the nightmare of every stalker if you are detected you are dead so everybody would like to remain hidden and silent and that's what stock really wants and then Happy stopping if you have those two conditions you are actually in like the paradise of stalking in that case so let's um let me tell you how this happened back in the days on Instagram so Facebook has just acquired Instagram this was in 2015. and then Instagram had um and still have actually those features of blocking and following people so whenever you want to be friends with people you just follow them whenever you want to actually say I don't want to see you again in my life you just block people but those things were not freely connected in a logical way how is that so if we think in a logical manner it shouldn't be the case that you are able to follow somebody and block them simultaneously you either want to be their friends or don't want to see them again in your life doing both is really not hard but Instagram all the developers didn't really catch this case so what you could do basically is block somebody and then simultaneously follow them so here is what happened will you block somebody Instagram would prevent them from seeing you from seeing your profile from seeing anything related to you we can't see your post they can search you nothing at all which is the perfect blocking mechanism I don't want somebody that I locked reach out to me in anyway perfect and then what happens when you follow somebody when you follow somebody basically you can see their posts um you can like verbose you can comment on their posts and what happened in the vector pose so you block somebody they can't see you they can't know that you are in their follow list because you follow them after blocking them so you're in the follow list but you are not seen they can see your comments or likes so you can comment to their images but they can see it all their friends can but they can't so even if they know that you are there somehow and there is no way actually to know that you are there