Tearing Apart an Android Password Manager

With all of the various web applications we use nowadays, it can be daunting to remember all of those passwords. Many people turn to password management software to help with this. Rather than remembering 20 passwords, you can store them all in a (presumably) secure database that’s protected by a single strong password. It’s a good idea in theory, but only if the software is actually secure. [Matteo] was recently poking around an Android password management app and made some disturbing discoveries.

The app claimed to be using DES encryption, but [Matteo] wanted to put this claim to the test. He first decompiled the app to get a look at the code. The developer used some kind of code obfuscation software but it really didn’t help very much. [Matteo] first located the password decryption routine.

He first noticed that the software was using DES in ECB mode, which has known issues and really shouldn’t be used for this type of thing. Second, the software simply uses an eight-digit PIN as the encryption key. This only gives up to 100 million possible combinations. It may sound like a lot, but to a computer that’s nothing. The third problem was that if the PIN is shorter than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four-digit PINs, this can possibly lower the total number of combinations to just ten thousand.

As if that wasn’t bad enough, it actually gets worse. [Matteo] found a function that actually stores the PIN in a plain text file upon generation. When it comes time to decrypt a password, the application will check the PIN you enter with the one stored in the plain-text file. So really, you don’t have to crack the encryption at all. You can simply open the file and reveal the PIN.
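As an added illustration (not code from the app or from [Matteo]'s write-up), here is one way to check a PIN without writing it to disk: store a random salt and a verifier derived with PBKDF2, and derive the database key separately from the same stretched secret. The function names, labels and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the target device.
ITERATIONS = 200_000


def _derive(pin: str, salt: bytes, iterations: int) -> tuple:
    """Stretch the PIN once, then split it into two independent values."""
    master = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations)
    enc_key = hmac.new(master, b"encryption-key", hashlib.sha256).digest()
    verifier = hmac.new(master, b"pin-verifier", hashlib.sha256).digest()
    return enc_key, verifier


def enroll(pin: str) -> dict:
    """Build the record written to disk. The PIN and enc_key are never stored."""
    salt = os.urandom(16)  # random salt: equal PINs give different records
    _, verifier = _derive(pin, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(pin: str, record: dict) -> Optional[bytes]:
    """Return the database key for a correct PIN, or None for a wrong one."""
    enc_key, verifier = _derive(pin, record["salt"], record["iterations"])
    # Constant-time comparison of the derived verifier, not of the PIN itself.
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return enc_key


if __name__ == "__main__":
    record = enroll("1234")  # constructed sample PIN
    print("stored fields:", sorted(record))
    print("correct PIN unlocks:", unlock("1234", record) is not None)
    print("wrong PIN unlocks:", unlock("4321", record) is not None)
```

Key stretching only raises the cost of each guess; a four-digit PIN still has ten thousand candidates, so a longer passphrase is what actually enlarges the search space.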

[Matteo] doesn’t name the specific app he was testing, but he did say in the Reddit thread that the developer was supposedly pushing out a patch to fix these issues. Regardless, it goes to show that before choosing a password manager you should really do some research and make sure the developer can be trusted, lest your secrets fall into the wrong hands.

[via Reddit]

Hacking PayPal Accounts With CSRF

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

PayPal is a huge player in the payment processing world, but that doesn’t mean they are without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
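The property that failed here is that a token must be bound to one session and spent after one request. The following sketch is an added example, not PayPal's implementation; the class, method names and session ids are assumptions. It shows a validator that rejects both a token minted for a different (pre-login) session and a replayed token.

```python
import hashlib
import hmac
import secrets


class CsrfTokens:
    """Issues tokens bound to one session and valid for one request."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # server-side secret
        self._unspent = {}                   # nonce -> session id it was issued to

    def _tag(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}|{nonce}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._unspent[nonce] = session_id
        return f"{nonce}.{self._tag(session_id, nonce)}"

    def redeem(self, session_id: str, token: str) -> bool:
        nonce, _, tag = token.partition(".")
        expected = self._tag(session_id, nonce)
        # Bound to the session: a tag minted for another session does not match.
        if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
            return False
        # Single use: pop() removes the nonce, so a replay finds nothing.
        return self._unspent.pop(nonce, None) == session_id


def demo() -> dict:
    tokens = CsrfTokens()
    # Constructed session ids: one pre-login session, one logged-in user.
    pre_login = tokens.issue("session-anonymous")
    own = tokens.issue("session-alice")
    return {
        "pre_login_token_on_user_session": tokens.redeem("session-alice", pre_login),
        "own_token_first_use": tokens.redeem("session-alice", own),
        "own_token_replayed": tokens.redeem("session-alice", own),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```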

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below.

Ask Hackaday: Hacking lingo fails


Ah, CSI. What other television show could present digital forensics with such two-bit dialogue?

It’s time once again to put on your hacker hats – a red fedora, we guess – and tell us the worst hacker dialogue you’ve seen in movies or TV. We’ve seen a ton of shows and movies where writers and directors spend zero time doing any sort of research in whatever technology they’d like to show off in the story they’re trying to convey. Usually this results in lines like, “I’ll create a GUI interface using Visual Basic. See if I can track an IP address.” It’s technobabble at its best, and horribly misinformed at its worst.

We’re wondering what you, the readers of Hackaday, think are the worst examples of hacker lingo fails. Anything from, ‘Enhance!’ to the frightening real-life quote, “the Internet is not a big truck. It’s a series of tubes.”

We’ll compile your suggestions in a later post, but I’m betting something from Star Trek: Voyager will take the #1 spot among technobabble/hacking lingo fails. There’s just too much in that show that isn’t internally consistent and doesn’t pay any heed to the laws of (fictional) physics. Warp 10, I’m looking at you. Of course there was the wonderful Habbo reference in last week’s Doctor Who, but I’m betting that was intentional as [Moffat] seems pretty up to speed on the tropes and memes of the Interwebs.

About a month ago, we asked you for your take on the worst hacking scenes ever shown on TV or film. The results made for good viewing, albeit with a surprising absence of Lawnmower Man. Now we want some dialogue to go with these horrendous hacking scenes. So, what say you, Hackaday? What are the worst hacking lingo fails you’ve seen or heard? Please be specific about what movie/TV show you’re referencing. Last time some good stuff probably slipped by because people just said a few words without context assuming we’d know exactly what they were referring to.

Ask Hackaday: What movies have the best/worst hacking scenes


It’s time to do your best impression of [Comic Book Guy] as you make your case for trash or triumph in big screen hacking scenes. We watch a lot of movies, and it’s hard not to groan when the filmmakers cut corners by doing zero research into what using a computer actually looks like. But then once in a great while you have a team that does its due diligence and puts up a scene that makes sense to those of us in the know. So we’re wondering, what movies do you think have the best hacking scenes, and which ones are the worst offenders? Leave your opinion on the topic in the comments section.

We realize that you can come up with tons of poorly done ones, but what we would really like to hear about is who did it right. We’ll get you started with a couple of examples. The image on the upper left is a scene from Tron: Legacy which we think did a fantastic job of portraying actual computer usage. You can read more about the huge amount of work that went into it in this article (via Reddit).

In the lower right is one of the most shady movie scenes that comes to mind. [Hugh Jackman] is compelled to do some ‘hacking’ by [John Travolta] in the movie Swordfish. The caption at the top of the screen is “COMPILER”, and who the heck knows what the rest of that is supposed to be?

On the hardware hacking side, it gets a little more difficult. We would LOVE some examples of hardware hacks or mods done right.

Announcing: International Hack Day, August 11th.

There is no single and definitive definition of what hacking is. We all have different versions of similar ideas in our head, but depending on your background and area of enthusiasm, hacking means something different. While dictionary.com has many definitions of the word itself, none seem to cover what we see on a daily basis.

We set out to define “hacking” ourselves. We tossed around words like “modify”, “kludge”, “explore”, and “create”. Each time we committed an increasingly vague definition onto the page, we decided it was too narrow and tossed it in the proverbial trash. The variations were just too many.

What we do know is that “hacking” seems to breed advancement and innovation. Much like mutations in an evolutionary chain, each hack pushes the topic in a slightly new direction, inspiring others and thereby perpetuating the evolutionary event. In a very short time we’ve witnessed hacking bring forth the evolution of wagons to cars, kites to airplanes, and the creation of the computer.

We at Hackaday would like to declare August 11th to be “International Hack Day”. A day to celebrate hacking in all of its diverse forms. From soldering to sewing, coding to carbonating, knitting to knurling, we want you to keep on hacking. Take August 11th as a day to show pride in your hacking. Wave your hacker flag high and educate those around you.

We have asked many of our friends to contribute their personal definition of hacking. Here they are, in the order they were received.


Book Review: The Dangers of Computer Hacking

Years and years ago, someone gave me this book as a gift. [John Knittel], a co-author, thought I might find it amusing. The book, titled The Dangers of Computer Hacking, is a grade school level breakdown of, well, computer hacking and the dangers thereof. At the time, I thought it was rather fun and amusing. Since then, it has sat on my shelf without much action.

Last weekend, however, my 8-year-old son was building perfectly spaced shapes for his slinky (new plastic slinkies suck) and found this book. I snatched it up and read through it real quick. The realization came to me that though this is somewhat tongue-in-cheek (check the topics on the back cover), this book is actually a fantastic reference for the uninitiated.


Tales from the Hackaday “tip line”

surprisingly accurate portrayal of Caleb

Let’s just start right off and acknowledge that the word “Hack” is in our site name. We all see it. It is right there, in plain English. However, anyone who spends more than a few nanoseconds looking down below that big name will quickly see that the kind of hacking we do is more like MacGyver and less like Operation Swordfish.

This exceedingly obvious point is missed by many, many people. We get tons of requests coming in for various acts of hackery. They range from nonsense gibberish to flagrant lies. Yeah, sure you forgot your password and the recovery system isn’t working. Oh they stole your website but you can’t prove that you’re the owner? Hrm, you want to be a master hacker and are seeking our guidance on how to steal money?

Join me after the break for a few actual examples.
