Black Hat conference updates app to address privacy and social engineering concerns
Update: 2016-07-29 11:00am PT
Black Hat confirmed with Lookout an hour before we published our findings that they have taken measures to disable the social components found within the Black Hat USA 2016 conference app. This addresses the major privacy and social concerns brought to Black Hat by Lookout during the disclosure period. Users of the existing app do not need to do anything, as the update is controlled by Black Hat and is pushed out automatically to the app. The technical details of the issues that were found before the fixes were implemented can be found in the rest of this blog.
"On the Internet, nobody knows you're a dog" - Peter Steiner
Ahead of this year’s Black Hat conference, Lookout checked out the event’s app and found a concerning flaw. The app, which would allow people to sign up, build a profile, and communicate with other attendees, was set up in such a way that anyone could sign up as anyone else, impersonating that person.
The Black Hat conference app enabled attackers to become anyone or spy on attendees
Specifically, we examined the official Black Hat USA 2016 conference app (3.0 for iOS and 220.127.116.11 for Android), by the event organizer, UBM, LLC. The app is branded as UBM and developed by DoubleDutch, and is available in both the Google Play Store and the Apple App Store.
Conference attendees can install the app on their mobile devices to browse the conference’s agenda and get exhibitor info. Prior to Black Hat’s fixes, however, attendees could also message attendees, schedule events to attend, and participate in a conference-wide Twitter-like activity feed.
What we found
While investigating both the iOS and Android versions of the Black Hat USA 2016 app, we discovered that a user could register using any e-mail address they want (as long as it hasn’t already been used to register with the app previously). This includes any email address, whether or not the person signing up owns the email address. It doesn’t even matter if the email address exists at all.
This means an attacker could register as anyone and with anyone’s email address. Security best practices around account registration would dictate that the app or service send an email to the email address supplied in order to verify the address. However, the Black Hat app did not require confirmation; the user would have been immediately logged into the app after typing in any email address.
Figure: Profile creation steps when you first log in to the Black Hat conference app
This could have been a problem for every attendee, because guessing or obtaining a person’s email address is not hard, especially for those who signed up with a corporate email address. There are two reasons for this. First, we continue to see corporate data breaches that expose employees’ personal information and email addresses. Second, corporate email addresses follow a predictable pattern for most employees, so they are easy to guess.
Using this identity, the attacker can impersonate another attendee, post messages, and comment on other people’s posts in the app’s Activity Feed that all conference app users can see.
The app offered people the chance to link their app account with their LinkedIn profile. However, it also allowed them to manually create a profile which includes uploading any photo and inputting any name, job, or company into the app. All of these fields are also fully editable after being set, meaning anyone could pretend to be someone else. For example, this means a person could pretend to be from one company, but recommend another company's product, services, or conference event. Since the email address for the user is not exposed (which is good in terms of privacy) there would have been no way to know if you were talking to the real person or someone pretending to be that person. We recognize that this is a hard problem to solve as it would require strict policing of the product and/or only allowing a user to tie an account to a social media account like LinkedIn. This is likely why Black Hat stripped the app of its overall social functionality.
Additionally, we discovered that if a password reset was issued for an account, any existing devices still logged in under that account would have continued to retain access. This means that the real owner of an email address could have used the social, scheduling and other features of the app, but so could have the attacker -- without the real user knowing their account was being spied on.
What this means
An attacker with foresight could have registered (before the real user does) any name and email address for the attendee they wanted to track in the app. After doing this, an attacker could have gained permanent access to the account with that email address, even in cases where the real user reset the account’s password. This was possible because the authentication token did not appear to expire when the account’s password was reset. The attacker would have had permanent access to the account and could have spied on the user and posted comments impersonating the victim.
- Threat 1 - Impersonation: New accounts are created without email verification
- Threat 2 - Impersonation: Account holders can enter any name they want for their profile and spam the global Activity Feed pretending to be someone else
- Threat 3 - Physical security risk: An attacker can spy on a targeted user and determine what their conference schedule will be
- Threat 4 - Spying and Impersonation: An attacker can spy on a targeted user or pretend to be them via messaging
- Threat 5 - Continued spying and Impersonation: Authentication tokens are not revoked when a password for an account is reset
Timing attacks and long-lived authentication tokens
This vulnerability is a timing attack, in which the first to register an account wins.
However, what was troubling in the Black Hat 2016 app was that on top of the timing attack we had a problem of long-lived authentication tokens. With this vulnerability an attacker gains permanent access to an account even when the account owner resets the password, because the previously issued authentication tokens remain valid. We examined other similar event apps by different companies and found that they usually invalidate authentication tokens on password resets.
We followed responsible disclosure with UBM and DoubleDutch to have them close these vulnerabilities prior to the Black Hat USA conference starting.