The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.
PayPal is a huge player in the payment processing world, but that doesn’t mean they are without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The page behind the link then impersonates the victim and makes requests on the victim’s behalf. This is only possible if the victim is logged into the target website.
PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.
Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
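The token property the post describes (valid for one user and one request) is easy to get wrong in exactly the way outlined above. The following Python sketch is an added example, not PayPal’s code or anything from [Yasser]’s writeup: it contrasts a token that is merely checked for existence (so one minted in an unauthenticated flow validates for any logged-in session, the “skeleton key” behaviour) with one that is HMAC-bound to the session and spent on first use. The session ids and the in-memory stores are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

SECRET = os.urandom(32)  # server-side key; regenerated per process in this sketch

# Weak scheme: the server only remembers which tokens it has handed out.
# Nothing ties a token to the session that requested it, so a token obtained
# from an unauthenticated flow validates for any logged-in victim, repeatedly.
_issued_unbound = set()

def issue_unbound_token() -> str:
    tok = secrets.token_hex(16)
    _issued_unbound.add(tok)
    return tok

def validate_unbound_token(_session_id: str, token: str) -> bool:
    return token in _issued_unbound   # session id ignored; token never spent

# Hardened scheme: token = nonce + HMAC(secret, session_id || nonce), and each
# token is removed from the unspent set on its first successful use.
_unspent_bound = set()

def issue_bound_token(session_id: str) -> str:
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    tok = f"{nonce}.{mac}"
    _unspent_bound.add(tok)
    return tok

def validate_bound_token(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                 # minted for a different (or no) session
    if token not in _unspent_bound:
        return False                 # already spent, or never issued
    _unspent_bound.discard(token)    # one request only
    return True

def compare_schemes() -> dict:
    """Constructed scenario: a token minted in an anonymous flow is replayed against a victim session."""
    attacker, victim = "sess-anon-0001", "sess-victim-0002"   # constructed ids
    weak = issue_unbound_token()          # obtained without logging in
    strong = issue_bound_token(attacker)  # same flow under the bound scheme
    own = issue_bound_token(victim)       # the victim's own legitimate token
    return {
        "weak_token_works_for_victim": validate_unbound_token(victim, weak),
        "weak_token_reusable": validate_unbound_token(victim, weak),
        "bound_token_rejected_for_victim": not validate_bound_token(victim, strong),
        "victim_own_token_first_use": validate_bound_token(victim, own),
        "victim_own_token_second_use": validate_bound_token(victim, own),
    }
```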
[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below.
We’re familiar with features like Siri or Microsoft’s Cortana which grope at a familiar concept from science fiction, yet leave us doing silly things like standing in public yowling at our phones. Amazon took a new approach to the idea of an artificial steward by cutting the AI free from our peripherals and making it an independent unit that acts in the household like any other appliance. Instead of steering your starship, however, it can integrate with your devices via Bluetooth to aid in tasks like writing shopping lists, or simply help you remember how many quarts are in a liter. Whatever you ask for, Echo will oblige.
The device is little more than the internet and a speaker stuffed into a minimal black cylinder the size of a vase, oh, and six far-field microphones aimed in each direction which listen to every word you say… always. As you’d expect, Echo only processes what you say after you call it to attention by speaking its given name. If you happen to be too far away for the directional microphones to hear, you can alternatively seek assistance from the Echo app on another device. Not bad for the freakishly low price Amazon’s asking, which is $100 for Prime subscribers. Even if you’re salivating over the idea of this chatting obelisk, or intrigued enough to buy one just to check it out (and pop its little seams), they’re only available to purchase through invite at the moment… the likes of which are said to go out in a few weeks.
The notion of the internet at large acting as an invisible ever-present swiss-army-knife of knowledge for the home is admittedly pretty sweet. It pulls on our wishful heartstrings for futuristic technology. The success of Echo as a first of its kind however relies on how seamlessly (and quickly) the artificial intelligence within it performs. If it can hold up, or prove to hold up in further iterations, it’s exciting to think what larger systems the technology could be integrated with in the near future… We might have our command center consciousness sooner than we thought.
With that said, inviting a little WiFi probe into your intimate living space to listen in on everything you do will take some getting over… your thoughts?
You may be used to seeing rack mounted equipment with wires going everywhere. But there’s nothing ordinary about what’s going on here. [Elecia White] and [Dick Sillman] are posing with the backbone servers they’ve been designing to take networking into the era that surpasses IPv6. That’s right, this is the stuff of the future, a concept called Content Centric Networking.
Join me after the break for more about CCN, and also a recap of my tour of PARC. This is the legendary Palo Alto Research Company campus where a multitude of inventions (like the computer mouse, Ethernet, you know… small stuff) sprang into being.
Most tech savvy individuals are well aware of the vast amounts of data that social networking companies collect on us. Some take steps to avoid this data collection, others consider it a trade-off for using free tools to stay in touch with friends and family. Sometimes these ads can get a bit… creepy. Have you ever noticed an ad in the sidebar and thought to yourself, “I just searched for that…” It can be rather unsettling.
[Brian] was looking for ways to get back at his new roommate in retaliation for a prank that was pulled at [Brian’s] expense. [Brian] is no novice to Internet marketing. One day, he realized that he could create a Facebook ad group with only one member. Playing off of his roommate’s natural paranoia, he decided to serve up some of the most eerily targeted Facebook ads ever seen.
Creating extremely targeted ads without giving away the prank is trickier than you might think. The ad can’t be targeted solely at one person. It needs to be targeted at something that seems like a legitimate niche market, albeit a strange one. [Brian’s] roommate happens to be a professional sword swallower (seriously). Ironically, he also happens to have a difficult time swallowing pills. Naturally, [Brian] created an ad directed specifically at that market.
The roommate thought this was a bit creepy, but mostly humorous. Slowly over the course of three weeks, [Brian] served more and more ads. Each one was more targeted than the last. He almost gave himself away at one point, but he managed to salvage the prank. Meanwhile, the roommate grew more and more paranoid. He started to think that perhaps Facebook was actually listening in on his phone calls. How else could they have received some of this information? As a happy coincidence, all of this happened at the same time as the [Edward Snowden] leaks. Not only was the roommate now concerned about Facebook’s snooping, but he also had the NSA to worry about.
Eventually, [Brian] turned himself in using another custom Facebook ad as the reveal. The jig was up and no permanent damage was done. You might be wondering how much this elaborate prank cost [Brian]. The total came to $1.70. Facebook has since changed their ad system so you can only target a minimum of 20 users. [Brian] provides an example of how you can get around the limitation, though. If you want to target a male friend, you can simply add 19 females to the group and then target only males within your group of 20 users. A pretty simple workaround.
This prank brings up some interesting social questions. [Brian’s] roommate seemed to actually start believing that Facebook might be listening in on his personal calls for the purposes of better ad targeting. How many other people would believe the same thing? Is it really that far-fetched to think that these companies might move in this direction? If we found out they were already doing this type of snooping, would it really come as a shock to us?
Hackaday – and the projects featured on Hackaday – get a lot of flak in the comments section simply for mentioning an Arduino. The Arduino complainers are, of course, completely wrong; everyone here is trying to make something, not make something in the most obscure possible way.
The Arduino is a legitimate tool, but still there are those among us who despise anything ending in ~duino. This browser plugin is for them. It’s a Chrome extension that selectively replaces or removes Arduino content from Hackaday depending on the user’s preference.
There are three settings to the plugin: See No Evil replaces images of Arduinos with serious business. Hear No Evil removes all occurrences of the word ‘Arduino’ and replaces them with something of your choosing. Speak No Evil removes all posts in the Arduino Hacks category. The last option also removes the ability to comment on any post in the Arduino Hacks category, so obviously the quality of the comments here will drastically increase by tomorrow.
You can grab the plugin on the gits. It’s Chrome only, but if someone wants to port it to Firefox, we’ll gladly put up another post.
There you go, Internet. You’re free now, and the biggest problem in your life has now been solved. Go give [SickSad] a virtual pat on the back, or tell him he could have done the same thing with a 555. Either of those are pretty much the same thing at this point.
Early this year saw Twitch Plays Pokemon, a webstream of tens of thousands of people playing the same game of Pokemon via web chat. It was certainly an interesting sociological phenomenon, but as in any system where thousands of people try to do a single thing, progress was exceedingly slow at points. This was compounded by the fact that the Twitch stream delayed the chat by about 30 seconds.
At the time, there was some talk about setting up an alternative to the emulator-based Twitch stream. Ideas were floated, but until now, no one had come up with a workable solution. Now we have Pokáde: real Pokemon games (Red and Blue) running on real hardware (two Super Game Boys, two Super Nintendos, and two Game Genies), streamed live to the Internet with an IRC-like chat function.
Simply for the ease of capturing the video of the stream, [Johannes], the guy behind all of this, is using a pair of Super Nintendos and Super Game Boys connected to USB video capture dongles. The Super Game Boys are modded to enable trading between the Red and Blue versions of the game, and controls are handled with a USB connection to the PC running the server.
Anyone can play the game, simply by going to the Pokáde Chat, entering the chat, and clicking on random buttons on the brick Game Boy GUI. The game ROMs have been slightly modified to disable the option of starting a new game, but this is still the classic Twitch Plays Pokemon experience: people all around the globe mashing buttons and creating a religion around a fossil pokemon.