Hacking PayPal Accounts With CSRF

December 4, 2014 by Rick Osgood 17 Comments

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

Paypal is a huge player in the payment processing world, but that doesn’t mean they aren’t without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below. Continue reading “Hacking PayPal Accounts With CSRF” →

Reverse Engineering The D-Link WPS Pin Algorithm

October 31, 2014 by Brian Benchoff 36 Comments

A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

When [Craig] was taking a look at the disassembled firmware from his router, he noticed a bit of code that accessed the NVRAM used for storing device-specific information like a serial number. This bit of code wasn’t retrieving a WPS pin, but the WAN MAC address instead. Instead of being unique to each device and opaque to every other bit of data on the router, the WPS pin was simply generated (with a bit of math) from the MAC address. This means anyone upstream of the router can easily derive the WPS pin of the router, and essentially gives everyone the keys to the castle of this router.

A few years ago, it was discovered the WPS pin was extremely insecure anyway, able to be brute-forced in a matter of minutes. There are patches router manufacturers could apply to detect these brute force attacks, closing that vulnerability. [Craig]’s code, though, demonstrates that a very large number of D-Link routers effectively broadcast their WPS PIN to the world. To make things even worse, the BSSID found in every wireless frame is also derived from the WAN MAC address. [Craig] has literally broken WPS on a huge number of D-Link routers, thanks to a single engineer that decided to generate the WPS PIN from the MAC address.

[Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

A Better Anonabox With The Beaglebone Black

October 31, 2014 by Brian Benchoff 29 Comments

A few weeks ago, Anonabox, the ill-conceived router with custom firmware that would protect you from ‘hackers’ and ‘legitimate governments’ drew the ire of tech media. It was discovered that this was simply an off-the-shelf router with an installation of OpenWrt, and the single common thread in the controversy was that, ‘anyone can build that. This guy isn’t doing anything new.’

Finally, someone who didn’t have the terrible idea of grabbing another off the shelf router and putting it up on Kickstarter is doing just that. [Adam] didn’t like the shortcomings of the Anonabox and looked at the best practices of staying anonymous online. He created a Tor dongle in response to this with a Beaglebone Black.

Instead of using wireless like the Anonabox and dozens of other projects, [Andy] is using the Beaglebone as a dongle/Ethernet adapter with all data passed to the computer through the USB port. No, it doesn’t protect your entire network; only a single device and only when it’s plugged in.

The installation process is as simple as installing all the relevent software, uninstalling all the cruft, and configuring a browser. [Adam] was able to get 7Mb/sec down and 250kb/sec up through his Tor-ified Ethernet adapter while only using 40% of the BBB’s CPU.

The Hackaday Prize: Interview With A ChipWhisperer

October 29, 2014 by Brian Benchoff 18 Comments

Every finalist for The Hackaday Prize has some aspect of it that hasn’t been done before; finding the chemical composition of everything with some 3D printed parts is novel, as is building a global network of satellite ground stations with off the shelf components. [Colin]’s ChipWhisperer, though, has some scary and interesting implications. By looking inside a microcontroller as its running, the ChipWhisperer is able to verify – or break – security on these chips. It’s also extremely interesting and somewhat magical being able to figure out what data a chip is processing simply by looking at its power consumption.

We have no idea who the winner of The Hackaday Prize is yet, and I’m hoping to remain ignorant of that fact until the party two weeks from now. Until then, you can read the short interview with [Colin O’Flynn], or check out his five-minute video for the ChipWhisperer below:

Continue reading “The Hackaday Prize: Interview With A ChipWhisperer” →

THP Semifinalist: Secure Your Internets With Web Security Everywhere

September 6, 2014 by Adam Fabio 50 Comments

[Arcadia Labs] has created a great little device in Web Security Everywhere, a semifinalist in The Hackaday Prize. At the center of it all is UnJailPi, a Raspberry Pi device which can act as a secure router between a protected network and the unprotected internet. UnJailPi can create OpenVPN and Tor connections on the fly from its touch screen interface. The full details are right up on [Arcadia’s] Hackaday.io project page.

One of the most amazing things about the project is its creator, [Arcadia Labs]. [Arcadia] started from square one learning python just 1 year ago. Since then he’s become a proficient python coder, and created UnJailPi’s entire user interface with pygame.

[Arcadia] is also working with simple hand tools. He has no access to the CNC routers, 3D printers, or milling machines used in many of the projects we see here on Hackaday. All the work on UnJailPi’s acrylic case was done with a handsaw, a file, and a heck of a lot of patience.

Currently [Arcadia’s] biggest hurdle is finding a good power supply for his project. UnJailPi is designed to work both on AC or an internal battery. His current power circuit throws off enough heat that the Raspberry Pi resets while the battery is charging.

We’re sure [Arcadia] will figure out his power issues, but if you have any suggestions, leave a comment here, or head over to the project page and let him know!

The project featured in this post is a semifinalist in The Hackaday Prize.

Arduino-Powered Alarm System Has All The Bells And Whistles

September 2, 2014 by Bryan Cockfield 24 Comments

Put aside all of the projects that use an Arduino to blink a few LEDs or drive one servo motor. [IngGaro]’s latest project uses the full range of features available in this versatile microcontroller and has turned an Arduino Mega into a fully-functional home alarm system.

The alarm can read RFID cards for activation and control of the device. It communicates with the front panel via an I2C bus, and it can control the opening and closing of windows or blinds. There is also an integrated GSM antenna for communicating any emergencies over the cell network. The device also keeps track of temperature and humidity.

The entire system can be controlled via a web interface. The Arduino serves a web page that allows the user full control over the alarm. With all of that, it’s hard to think of any more functionality to get out of this tiny microcontroller, unless you wanted to add a frickin’ laser to REALLY trip up the burglars!

Stupid Security In A Security System

August 28, 2014 by Brian Benchoff 66 Comments

alarm

[Yaehob]’s parents have a security system in their house, and when they wanted to make a few changes to their alarm rules – not arming the bathroom at night – an installer would come out, plug a box into the main panel, press a few buttons, and charge 150 €. Horrified at the aspect of spending that much money to flip a few bits, [yaehob] set out to get around the homeowner lockout on the alarm system, and found security where he wasn’t expecting.

Opening the main panel for the alarm system, [yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box, easily silenced by entering a code on the keypad. The alarm, however, would not arm anymore, making the task of getting ‘installer-level’ access on the alarm system a top priority.

After finding a DE-9 serial port on the main board, [yaehob] went to the manufacturer’s website thinking he could download some software. The website does have the software available, but only for authorized distributors, installers, and resellers. You can register as one, though, and no, there is no verification the person filling out a web form is actually a distributor, installer, or reseller. dist

Looking at the installer and accompanying documentation, [yaehob] could see everything, but could not modify anything. To do that would require the installer password, which, according to the documentation was between four and six characters. The system also responded quickly, so brute force was obviously the answer here.

After writing up a quick script to go through all the possible passwords, [yaehob] started plugging numbers into the controller board. Coming back a bit later, he noticed something familiar about what was returned when the system finally let him in. A quick peek at where his brute force app confirmed his suspicions; the installer’s code was his postal code.

From the installer’s point of view, this somewhat makes sense. Any tech driving out to punch a few numbers into a computer and charge $200 will always know the postal code of where he’s driving to. From a security standpoint, holy crap this is bad.

Now that [yaehob]’s parents are out from under the thumb of the alarm installer, he’s also tacked on a little bit of security of his own; the installer’s code won’t work anymore. It’s now changed to the house number.