« prev   random   next »

1
1

“Yelp, but for MAGA” turns red over security disclosure, threatens researcher

By Kakistocracy following x   2019 Mar 13, 12:58am 91 views   1 comments   watch   nsfw   quote     share    


63Red Safe app—a "Green Book" for conservatives—left APIs exposed.

A new application from the "conservative news" site 63red, called 63Red Safe, is advertised as a sort of "Green Book" for the MAGA set. It lets users rate local businesses "from a conservative perspective," according to the app's Google Play listing, "helping insure[sic] you're safe when you shop and eat!" And in this case, "safe" means freedom to wear "Make America Great Again" clothing without having to bear verbal challenge.

The app rates the safety of a business based on user's input on four factors:

—Does this business serve persons of every political belief?

—Will this business protect its customers if they are attacked for political reasons?

—Does this business allow legal concealed carry under this state's laws?

—Does this business avoid politics in its ads and social media postings?

But the safe space for 63red founder Scott Wallace was violated quickly when French security researcher Elliot Alderson discovered some fundamental security flaws in Safe's architecture—making it not so safe.

Because the application is build in React Native, a JavaScript- and JSX-based scripting language that basically turns Web apps into "native" Apple iOS and Android applications, the entire architecture of the application is available to anyone who downloads and unpacks it. And in that code, Alderson discovered a few things:

•Wallace had left his username, email, and a plaintext password in the code—twice.

•There is no authentication for any of the application programming interface calls, so someone could spoof any user—essentially giving them administrative access to the API.

•All of the APIs are clearly defined as URLs in the source code.

•By using the "Get user by ID" API call, someone could retrieve the user name, email, ban status, and other details on each user account. Passwords were not in this data, but the entire user database could be retrieved by iterating through all the possible first letters or digits of an account ID.

•Any user could be blocked using an HTTP Post to the "block" API.

Alderson shared these details in a Twitter thread:

Wallace's response was not magnanimous: "No lost passwords, no breach of database, no data changed, minor problem fixed. We're angry by the attempt, FBI notified," Wallace posted to Twitter, along with a link to a Medium post in which he stated:

We see this person's illegal and failed attempts to access our database servers as a politically motivated attack, and will be reporting it to the FBI later today. We hope that, just as in the case of many other politically motivated Internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.

Alderson said he never attempted to change any data. "I did not hack your app, I read the available source code, and I used your unauthenticated APIs. It's equivalent to use [sic] your app," he responded to Wallace. "By threatening me, a security researcher, you are threatening the whole infosec community. I'm a professional and I'm not hiding. I'm staying at your disposal if needed. Btw, how did you fix the issue without updating your app?"

Elliot Alderson @fs0c131y · Mar 11, 2019

Hello conservative friends,

Last time we discussed, I got access to the @DonaldDaters database in less than 5 minutes. Follow me in this thread and I will show you how I got access to the @63red database and obtained all the details of their users even quicker

⬇️⬇️⬇️

Elliot Alderson @fs0c131y

This app uses a language called @reactnative. Get the original source of the app is super easy. Because he is nice, the developer of the hardcoded his credentials in the source code... twice... pic.twitter.com/DWwAvagSs5

310 8:15 PM - Mar 11, 2019

Twitter Ads info and privacy - View image on Twitter

75 people are talking about this

Wallace's response was not magnanimous: "No lost passwords, no breach of database, no data changed, minor problem fixed. We're angry by the attempt, FBI notified," Wallace posted to Twitter, along with a link to a Medium post in which he stated:

We see this person's illegal and failed attempts to access our database servers as a politically motivated attack, and will be reporting it to the FBI later today. We hope that, just as in the case of many other politically motivated Internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.

Alderson said he never attempted to change any data. "I did not hack your app, I read the available source code, and I used your unauthenticated APIs. It's equivalent to use [sic] your app," he responded to Wallace.

"By threatening me, a security researcher, you are threatening the whole infosec community. I'm a professional and I'm not hiding. I'm staying at your disposal if needed.

Btw, how did you fix the issue without updating your app?"

https://arstechnica.com/information-technology/2019/03/yelp-but-for-maga-turns-red-over-security-disclosure-threatens-researcher/

#Apps #63RedSafe #IT

1   Kakistocracy   ignore (6)   2019 Mar 13, 1:05am   ↑ like (0)   ↓ dislike (0)   quote   flag        

'Yelp for conservatives' MAGA app leaks users data - 63red Safe app left its backend API exposed online without authentication.

The app describes itself as a service where users can read or write "reviews of local restaurant and businesses from a conservative perspective, helping insure[sic] you're safe when you shop and eat!"

In media interviews, Scott Wallace, the app's creator said he built the app after a series of incidents where conservatives were forced to leave or take MAGA gear off to eat at restaurants or enter various businesses across the US.

But according to Baptiste Robert, a French security researcher who goes online under the pseudonym of Elliot Anderson (the name of the main character from the Mr. Robot TV show about hackers), the 63red Safe app is leaking almost all of its data.

Robert says the app's source code contains the credentials of its author, but also a list of API endpoints to which it connects to store or retrieve data.

This backend API doesn't use any form of authentication, Robert said. This means that anyone can look at the app's source code, get the API endpoints, and then extract data from the app's server with no challenge or restriction.

https://www.zdnet.com/article/yelp-for-conservatives-maga-app-leaks-users-data/

Great security work from a follower/supporter of the "Stable Genius"


about   best comments   contact   one year ago   suggestions