
Hi everybody, my name is Mihawk Zavek. I work at Securing as an IT security consultant, where I mainly perform security tests of web applications, and last year I had an opportunity to hack webinar platforms. Just for you to know, webinar platforms are slightly different from standard web conference platforms: in webinar platforms, typically the presenter speaks to the attendees, and webinar attendees do not interact with one another. The popularity of webinar platforms was already rising before the current pandemic. It is hard to give you accurate statistics now, but in 2020 the number of webinars grew by 162 percent. Okay, so I was hacking webinar platforms, but not because I'm bad and I like breaking things.
So let me share my screen and start with our story.
Okay, everybody realized that the pandemic has changed the world. Most of our communication with clients, presentations and training had to be transferred to the remote world, so our company started looking for a suitable platform which would enable us to provide knowledge to our clients. One of our colleagues prepared a webinar for us using a third-party platform to test its possibilities. He was the host and the presenter; we were attendees. He was talking, sharing his screen, showing us the whiteboard, and after five minutes of the webinar strange things started to happen. Firstly, somebody wrote an indecent word on the whiteboard, then my colleague who was the host and the presenter was kicked out of the
meeting, and instead of him another of my colleagues became the host. I already knew what had happened: we are pentesters, we are hackers for hire, and during the webinar my colleagues started hacking the webinar, and one of them managed to find and exploit vulnerabilities in just a few minutes. Since the platform was not secure, we decided to find another one; however, the problem happened again. The second platform also had crucial vulnerabilities, and the company owners asked me and my colleague Jakub Korepta to press the hack button and verify the security of other platforms, to get a view of how safe the available solutions are. Before we began, we had defined the assumptions of our research.
We selected the most popular webinar platforms based on the Majestic Million and spent about an hour per platform. We were hacking real applications, right? So, to not break the law, we were testing from only one account on a platform, and only data related to the test account was accessed. A lot of things can go wrong in the context of webinar security; however, our main goal was to gain host or presenter privileges as an anonymous attacker or an attendee of a meeting. Before I start, let me explain to you how webinar platforms work. Generally, webinar platforms are web applications and they use the HTTP protocol for communication between client and server: a browser sends an HTTP request to the
server and gets an HTTP response, and based on this response the user interface of the application is created in the browser. But it is not enough when operations are to be performed in real time. To keep every webinar participant up to date with the meeting data (the messages being sent, a user being kicked out, etc.), another protocol is used, namely WebSocket. What you should remember is that the WebSocket protocol is bi-directional: while using it, we create a connection between a client browser and a server, and messages can be sent in both directions. For example, if a host sends a message or mutes a participant, the WebSocket protocol is
used to inform all participants about the change. During our tests we encountered a whole range of vulnerabilities, but we focused mainly on three aspects: privilege escalation, either by role modification or by access control issues, and sensitive information in the browser, such as sensitive data of attendees or private conversations.
Okay, let's start hacking. How hard is it to become a host? I see this button, I click this button and I join a webinar. Then I intercept the messages between my browser and the application server. Analyzing the messages, I see that there is a very interesting parameter in the communication: the role. What do you think I can do with this parameter? I can change the value of the parameter to host or to presenter. Okay, we can do this, then we need to wait a few seconds till the resources are loaded, and I'm a host.
That's all. The user interface is generated for the host. I can perform all operations: share my screen and even kick the former host out of the meeting. Generally, I am the owner of the meeting. All I had to do was modify the value of one parameter related to the role of a user. Easy. We tested 14 platforms overall, and in two of them it was possible to become a host of a webinar in such a trivial way. But what about the rest?
Even if the application does not allow users to modify their roles, it still can have access control issues. As we can see, some functions are available only for administrators, hosts or presenters, for example making another user a presenter. As an attendee I cannot use this function; however, by using the WebSocket connection that I have between my browser and the server, I can send this prepared WebSocket message and add a new presenter. Okay, I sent this message and now I am a presenter. So I added myself as a presenter, and what now? I can send another WebSocket message and execute another function to kick the host out of the webinar. Okay, I sent this message,
and voilà, the host is kicked out of the meeting. I couldn't modify the role just like before; however, the result is exactly the same: the host is kicked out of the meeting and I have full control over the webinar. All I did was send two WebSocket messages, that's all, and it all results from a complete lack of access control: the server hasn't verified the privileges and I was able to execute administration functions. During our tests we noticed a very interesting thing: in most cases access control in HTTP communication was done properly, however not in WebSocket messages. If we found an application vulnerable, the problem was global: there was no access control in any function that used WebSocket.
Not counting the applications that we hacked by role modification, three other applications had access control issues which allowed us to escalate privileges.
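The two server-side patterns behind the bugs just described, as an added example that is not the speaker's or any vendor's code: one handler trusts the role carried in the WebSocket message, the other derives the role from server-side session state and checks every WebSocket action against a required role. The role names, message types and the session/state shapes are assumptions made for this illustration.

```javascript
// Added example (not the speaker's or any vendor's code): server-side
// authorization for WebSocket messages. All names here are assumptions.

// Roles in ascending order of privilege.
const ROLES = ["attendee", "presenter", "host"];
const rank = (role) => ROLES.indexOf(role);

// Minimum role each WebSocket action requires, checked on the server.
const REQUIRED_ROLE = {
  "chat.send": "attendee",
  "participant.mute": "presenter",
  "presenter.add": "host",
  "participant.kick": "host",
};

function newMeeting(hostId) {
  return { roles: { [hostId]: "host" }, kicked: [] };
}

// Applies an already-authorized action to the meeting state.
function apply(state, msg) {
  if (msg.type === "presenter.add") state.roles[msg.target] = "presenter";
  if (msg.type === "participant.kick") {
    delete state.roles[msg.target];
    state.kicked.push(msg.target);
  }
  return { ok: true };
}

// Vulnerable pattern from the talk: the role is taken from the message
// itself, so a client that sends role: "host" passes every check.
function handleMessageVulnerable(state, msg) {
  const needed = REQUIRED_ROLE[msg.type];
  if (!needed) return { ok: false, error: "unknown action" };
  const role = msg.role || "attendee";
  if (rank(role) < rank(needed)) return { ok: false, error: "forbidden" };
  return apply(state, msg);
}

// Hardened pattern: the role is looked up from server-side state keyed by
// the authenticated session; any role field in the message is ignored,
// and every WebSocket action (not only the HTTP ones) is checked first.
function handleMessageSecure(state, session, msg) {
  const needed = REQUIRED_ROLE[msg.type];
  if (!needed) return { ok: false, error: "unknown action" };
  const role = state.roles[session.userId] || "attendee";
  if (rank(role) < rank(needed)) return { ok: false, error: "forbidden" };
  return apply(state, msg);
}
```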
The third common vulnerability that we found was sensitive information in the browser. For example, a webinar administrator or host has access to the personal data of attendees, like email, full name, date of birth, almost everything that was supplied during registration. Attendees can see only nicknames; however, the data is sent to the browser of every attendee, and the client-side application decides whether data like, for example, a full name, email or date of birth should be displayed or not. So if attendees analyze the traffic that comes to their browser, they will access this data. Similarly, when sending private messages during the webinar, user 2 is not able to see in the browser the messages that are
sent to user 1; however, the message is sent to every single attendee, and once again the client side decides if the data should be displayed or not. So by analyzing the traffic that comes to users' browsers, I am able to read private messages. Guess how many platforms had vulnerabilities related to sensitive information exposure? Half of them. We also found other vulnerabilities which allowed, for example, spoofing messages or bypassing client-side validation. A lot of other things can go wrong in the context of webinar security, but we cannot cover it all during our short presentation, so let's sum up our findings. We tested 14 platforms overall, and in five of them
we were able to escalate our privileges. Half of the tested platforms had vulnerabilities related to sensitive information exposure.
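The data-exposure issue just described comes down to where the filtering happens. As an added example that is not the speaker's or any vendor's code, the server below builds a per-role participant list and computes the recipients of a private message itself, instead of pushing everything to every browser and letting client-side code hide it. The field names and the registration records are constructed for this illustration.

```javascript
// Added example (not the speaker's or any vendor's code): the server decides
// what each WebSocket client receives. Field names and sample data are
// constructed for this illustration.

// Constructed registration records of the kind the talk says were pushed
// to every attendee's browser.
const PARTICIPANTS = [
  { id: "u1", nickname: "anna", fullName: "Anna K.", email: "anna@example.com", dateOfBirth: "1990-01-01", role: "host" },
  { id: "u2", nickname: "bob", fullName: "Bob N.", email: "bob@example.com", dateOfBirth: "1985-05-05", role: "attendee" },
  { id: "u3", nickname: "carol", fullName: "Carol L.", email: "carol@example.com", dateOfBirth: "1992-03-03", role: "attendee" },
];

// Vulnerable pattern: every viewer gets the full record and the browser
// chooses which fields to render.
function participantListVulnerable(participants) {
  return participants.map((p) => ({ ...p }));
}

// Hardened pattern: a per-role projection built on the server. Attendees
// are entitled to nicknames only, so that is all that leaves the server.
function participantListFor(viewerRole, participants) {
  if (viewerRole === "host") return participants.map((p) => ({ ...p }));
  return participants.map((p) => ({ id: p.id, nickname: p.nickname }));
}

// Private chat: the recipient set is computed on the server. A message with
// a "to" field reaches only sender and addressee; without it, everybody.
// Returns a map of socket id -> payload to send on that socket.
function routeMessage(msg, participants) {
  const ids = new Set(participants.map((p) => p.id));
  if (!ids.has(msg.from)) return {};
  let targets;
  if (msg.to !== undefined) {
    if (!ids.has(msg.to)) return {};
    targets = [...new Set([msg.from, msg.to])];
  } else {
    targets = [...ids];
  }
  const frames = {};
  for (const id of targets) frames[id] = { from: msg.from, text: msg.text };
  return frames;
}
```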
The next step was to convey the details of the vulnerabilities to the appropriate people responsible for the security of these solutions. As it turned out, it was harder than finding bugs, since there was no security-dedicated contact on any website. Our first shot was technical support. Obviously, details of vulnerabilities could not be passed to a random person, right? So we pushed for being given a contact to a person responsible for security. It looked like that: we would like to inform you that there is a serious vulnerability in the application, an attendee can become a host without privileges, could you give us a contact to the person responsible for security? And they responded with something like:
This is a security issue, we are able to bypass your security mechanism. Maybe in other words: this is dangerous for the users of your application, could you give us a contact to security?
There is no contact information here. Maybe you can escalate the problem and contact me with some technical people.
Don't try to talk with support about technical stuff; it's completely useless. Sometimes we weren't getting any response, and when we got it, it was the same story over and over again: non-technical people were not able to understand the problem, and there was no process to handle vulnerability reporting. Because of that, we started looking for a person responsible for security, or at least a competent person, on LinkedIn. It was definitely a better solution, and in the end we managed to report vulnerabilities to four companies. Two of them fixed the vulnerabilities in a week, a third one fixed them partially in a month, and the last one has not fixed the vulnerability yet. Okay, that's it.
I hope that our research showed that sometimes it is enough for security specialists like me or like Jakub to spend an hour to find critical vulnerabilities. And I would like you to remember that, similarly to other SaaS applications, webinar platforms also have vulnerabilities. Security tests should involve all applications, including those provided by external vendors. Vulnerabilities happen in applications; from my point of view, what is very important is how these vulnerabilities are handled, if they are handled, and how much a company cares about security. The problems that I talked about today are not limited just to webinar platforms; they concern also many other web applications, for example a chat, a help desk or online trading,
generally all web applications which use WebSocket for instant two-way communication with the browser. Most vulnerabilities that we found were caused by a lack of access control, and like I said earlier, during our tests many applications had access control implemented properly for HTTP communication but not for WebSockets. So if you have a similar application, remember to implement access control also for WebSockets. Do not send excessive data to users: if users are privileged to see only names, send them only names. Verify server-side if a user has privileges to access data or to perform an operation; do not rely on client-side validation, it can be easily bypassed. Perform tests and threat modeling to detect vulnerabilities in your
applications, and train your developers to prevent vulnerabilities. If they understand them and know how to write secure code, it is less likely that they will create code with vulnerabilities. Okay, that's it. I hope that you enjoyed our story. If you have any questions, feel free to contact me, and remember: if something is popular and publicly available, it is not necessarily well tested and secure. Thank you very much.