[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.
The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able too. [Laxman] decided to test this claim himself.
He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.
He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.
Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite. Continue reading “Deleting Facebook Albums Without Permission”
The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.
Paypal is a huge player in the payment processing world, but that doesn’t mean they aren’t without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.
PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.
Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below. Continue reading “Hacking PayPal Accounts With CSRF”
Here’s a challenge tailored to our community if we’ve ever seen one. You know those delightful unsolicited prerecorded calls you get from time to time? They might be political, but they also come from companies trying to sell you vinyl siding, or promising improvements in your business. Well they’re against the law in many cases, and complaints to the Federal Trade Commission have been piling up. So now the FTC is offering a $50,000 bounty to anyone who can find a way to block the calls.
It’s called the Robocall Challenge and you’ve got until January 17th, 2013 to get your entry submitted. The great thing is, this doesn’t need to be a fully working solution. Your entry may be: “proposed technical solutions or functional solutions and proofs of concept “. Even better, you retain ownership of the solution even if you win. This type of recognition will surely have telco related companies beating a path to your door.
Of course if you do have a solution, we’d love to hear about it too!
[Thanks Filespace via WCPO]
If you spent your weekend outside and away from the Internet, you might have missed the massive liquidation of HP TouchPads on Amazon, woot.com, WalMart, and the HP online store. Normally a $100 fully featured tablet is nothing to scoff at, but there is a catch: The HP TouchPad runs WebOS. WebOS is a fine operating system for a tablet, but it’s not Android. The folks at HacknMod.com posted a bounty for the first person to port Android to the HP TouchPad.
HacknMod is offering up $450 for a basic Android port and is looking for sponsors for the WiFi, Audio, Camera, and MultiTouch bounties. There’s a lot of discussion about the port on the XDA Developers and the RootsWiki forums if you’d like to get a bearing on how far along the project is. The TouchPad has already been rooted so there’s your starting point.
We’d like to throw our hat into the ring, but we missed out on the TouchPad fire sale. If anyone knows of an online shop where they’re still available, leave a message in the comments.
Inspired by the successful Kinect bounty put out by Adafruit, [gallamine] of the RobotBox community has posted his own
$200 $400 bounty for the first person who can hack the scanning LIDAR from Neato Robotic’s XV-11 vacuumbot. This sensor would be particularly useful to any robotic makers out there, because even the full retail price of the vacuum is less than the cost of most standalone LIDAR units, which often run upwards of $1000. The bounty seems to be growing every day, starting out at $200, and doubling thanks to a couple of other interested parties.
Luckily, from what we hear, the sensor was never made to be hack-proof (and perhaps even secretly hack friendly?), seeing as one of the prime developers of the sensor is a member of a certain Home Brew Robotics Club. We love it when companies are nice to hackers, and we hope to see more examples of this in the future. Not sure what the XV-11 is? Be sure to check out the video after the break for info about the vacuum and its scanning LIDAR.
Continue reading “Newest Hardware Bounty, The Open Lidar Project”
We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve year old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!
Is it good or bad to pay for these kind of submissions? The real question: Is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.
[via Zero Day]
We’re putting a bounty on two high-priority Bus Pirate features. You can get a free PCB for the upcoming Bus Pirate V2 by writing a bit of code. Hack a Day has a varied and talented group of readers, and we know someone out there has the experience to make these changes with minimal difficulty.
- The latest code integrates the PIC24F bootloader for easy updates without a programmer. We’d like to add a protocol snooper, but that requires interrupts. With the bootloader, however, interrupts are relocated and we’ve yet to fully grasp how that works. We’ll send a PCB and PIC 24F to the first person who modifies the code to demonstrate UART, SPI, or change notification interrupts with the boot loader. Microchip’s 24F bootloader app note is available here. Complete.
- The current frequency measurement feature is a hack that uses a counter and a timer. Be the first to implement the input capture peripheral instead, and get a free PCB. See the function bpFreq(void) in base.c. Complete.
The latest Bus Pirate code and compiled firmware can be checked-out from Google Code SVN. Submit your code via the comments below or firstname.lastname@example.org.
UPDATE: Both issues were resolved. Thanks for your suggestions.