Ah, the irony: As the security community gears up for Black Hat USA 2016, a flaw in the official conference app enables attackers to become anyone or spy on attendees.
Conference attendees can install the app on their mobile devices to browse the conference’s agenda, get exhibitor info, message attendees, schedule events they will attend and participate in a conference-wide Twitter-like activity feed. According to Lookout Security, a flaw opens the door to attendee impersonation—so users should be cautious of any activity or messages that are posted or received within the app.
“While investigating both the iOS and Android versions of the Black Hat USA 2016 app, we discovered that a user could register using any email address they want (as long as it hasn’t already been used to register with the app previously),” explained Lookout researcher Andrew Blaich, in a blog. “This includes any email address, whether or not the person signing up owns the email address. It doesn’t even matter if the email address exists at all.” Further, the app does not require email confirmation before login: the user is logged in immediately after typing in any email address, with no verification link or code ever sent to that address.
So, after guessing a registrant’s email address—not hard, considering that corporate email addresses tend to follow a set pattern—an attacker can log in as that person, post messages, and comment on other people’s posts in the app’s Activity Feed that all conference app users can see.
“For example, this means a person can pretend to be from one company, but recommend another company's product, services or conference event,” Blaich said.
But the concerns don’t stop there. Lookout also discovered that if a password reset is issued for an account, any existing devices still logged in under that account will continue to retain access. This means that the real owner of an email address can use the social, scheduling and other features of the app, but so can the attacker—without the real user knowing their account is being spied on.
“An attacker with foresight can register (before the real user does) any name and email address for the attendee they want to track in the app,” Blaich explained. “After doing this, an attacker can have permanent access to the account with that email address, even in cases where the real user resets the account’s password. This is possible because the authentication token does not appear to expire when the account’s password is reset. The attacker has permanent access to the account and can spy on the user and post comments impersonating the victim.”
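The two weaknesses described above (registration without proof of mailbox ownership, and sessions that survive a password reset) are both authentication-design problems. The following is an added example, not code from the Black Hat app, Lookout, UBM or DoubleDutch: a minimal account service that (1) only lets an account log in after a verification token sent to the address has been presented, (2) lets a later registrant take over a still-unverified address so that an attacker who registers first gains nothing, and (3) stamps every session with the account's `token_generation` and bumps it on password reset, which invalidates all previously issued tokens. The `outbox` list is a constructed stand-in for email delivery, and `reset_password` assumes the caller has already proven ownership through a reset link, which is left out for brevity.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class AuthError(Exception):
    """Raised for any failed registration, login or session check."""


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    verified: bool = False              # False until the emailed token is presented
    verify_token: Optional[str] = None  # one-time token delivered to the mailbox
    token_generation: int = 0           # bumped on reset; old sessions carry the old value


class AccountService:
    """Hypothetical in-memory account store used to illustrate the fixes."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # session token -> (email, generation at time of issue)
        self.sessions: Dict[str, Tuple[str, int]] = {}
        # constructed stand-in for outbound email: (recipient, verification token)
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email: str, password: str) -> None:
        """Create a pending account; nothing is usable until confirm() succeeds."""
        email = email.lower()
        existing = self.accounts.get(email)
        if existing is not None and existing.verified:
            raise AuthError("email already registered")
        # An unverified record was never proven to belong to anyone, so the
        # mailbox owner can always displace a squatter who registered first.
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, self._hash(password, salt),
                       verify_token=secrets.token_urlsafe(32))
        self.accounts[email] = acct
        self.outbox.append((email, acct.verify_token))  # only the mailbox owner sees this

    def confirm(self, email: str, token: str) -> None:
        """Mark the account verified if the emailed token matches."""
        acct = self.accounts.get(email.lower())
        if (acct is None or acct.verify_token is None
                or not hmac.compare_digest(acct.verify_token.encode(), token.encode())):
            raise AuthError("bad verification token")
        acct.verified = True
        acct.verify_token = None

    def login(self, email: str, password: str) -> str:
        """Issue a session token bound to the account's current generation."""
        acct = self.accounts.get(email.lower())
        if acct is None or not acct.verified:
            raise AuthError("unknown or unverified account")
        if not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            raise AuthError("bad password")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (acct.email, acct.token_generation)
        return token

    def whoami(self, token: str) -> str:
        """Resolve a session token; tokens from before a reset are rejected."""
        entry = self.sessions.get(token)
        if entry is None:
            raise AuthError("no such session")
        email, generation = entry
        if generation != self.accounts[email].token_generation:
            self.sessions.pop(token, None)
            raise AuthError("session revoked by password reset")
        return email

    def reset_password(self, email: str, new_password: str) -> None:
        """Set a new password and invalidate every previously issued session."""
        acct = self.accounts[email.lower()]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = self._hash(new_password, acct.salt)
        acct.token_generation += 1   # every existing session now fails whoami()
```

Storing the generation counter on the account rather than keeping a revocation list means a reset costs one integer increment and no session scan; the same counter can be bumped from a "log out everywhere" button or after a credential-stuffing alert.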
There is also a physical security risk: an attacker with access to the account can read the target’s saved schedule, and so knows where that attendee plans to be, and when.
“This vulnerability is a timing-attack, in which the first to register an account wins. You just hope that the first to register is you and not someone pretending to be you,” Blaich said.
Lookout said that it followed responsible disclosure with the creators of the app, UBM and DoubleDutch, which said they would close these vulnerabilities before the Black Hat USA conference starts.