It feels like the presence of the Google and Slack API keys should have been responsibly disclosed to the company before writing this article. Now that it hits the front page of HN there's a strong chance someone's going to exploit that.
You should honestly take this post down. You've literally revealed how to gain access to their API keys, mentioned that it can be used to devastate the company and commit fraud, then just added a message in parentheses asking the reader not to do it.
This is a shitty article that isn't humorous at all. It would've been funny if you had reported it, they had fixed it and you'd posted the article after. This reads like an engineer trying to get an ego boost and a pat on the back.
The keys are already public, he’s not documenting some super secret zero-day way of extracting keys. He… downloaded the app and unzipped it, basically.
Be angry at the company who clearly don’t have a clue how to secure anything.
You can be angry at both the company and the person who publicly revealed the issue without first trying to inform the company. That's literally white-hat-hacking 101.
The keys may already be public (technically), but he is the one publicizing it and posting it on Hacker News. OP is also clearly aware of how much harm can be done using these keys, since he asks people to not use them.
If anyone really wanted to they could probably figure out who you are based off your comment history, all of which is “public information.” So it’s cool if they use your name and list your address right?
Or let’s just remove you from the equation: do you agree doxxing is wrong regardless if the info is publicly available?
It's not just bad taste. Some of the described actions would legally be considered fraud (both in the U.S., and in France where the author and app are based).
Fraudulently recording steps, and the other example you gave of making calls to the API.
Legally, those API calls signify something in the real world. You are representing that the action/status signified by the API call happened in the real world. It's one thing to accidentally or mistakenly call those APIs, but to do so deliberately if such action/status is not true is fraud.
By itself, that the API calls are fraudulent wouldn't matter. But in your case, the purpose of the fraud is financial gain: each API call earns you money. In the U.S., this would be (felony) theft by fraud, among other crimes. French laws are more complicated, and as I'm not French nor do I speak French I won't attempt to go into any detail as to what the specific crimes would be, other than to say it appears that your actions, if performed, would appear to constitute several different crimes.
[Note that in the U.S., intent matters, so fake API calls for purposes of QA testing, security testing, etc., aren't fraud... but could be a crime if performed without the website owner's permission.]
I mean in the US, you have the CFAA and in France a quick Google search indicates the illegalities of doing something like this. I wouldn't be surprised to see the company go after you and to be questioned by law enforcement. Don't say no one warned you.
Reading this made me confused. You have a 'hire me' link on a page where you talk about exploiting someone's app? If you're not writing this up like a white hat, isn't the article counterproductive to you?
I can understand why you did all this (and hopefully, you reached out to the app provider to let them know about these holes), and it seems like you know enough about what you're doing. I'm just scratching my head at the end of all of this, and the article itself feels like it lacks structure.
The idea is to show my work. I tried to add a touch of humor; I think it's funny to try to earn money like this (actually you can't, because they verify all transactions). If you think I can be seen as a black hat, I might modify some of it.
Also, a lot of developers (and some of my colleagues too) tend to think that "hacking" doesn't exist like in movies or even doesn't exist at all (because they use ORM, don't laugh, I really got this one). By taking a real world example, I think it's a cool way to get people back in reality.
Anyway, people and my customers hire me for my skills, and for what I did. Nobody cares that you hacked an office, but if this office is the CIA, then it's cool.
As for the lack of structure, it probably does lack it; if you can give me examples that I could fix, it would be very kind of you.
I would like to highlight the parent post's comment about attempting to contact the people whose work you are exposing vulnerabilities in.
I have to say that if this is "showing your work" then the most important thing you've shown is poor judgement in publishing their secrets in a submission to a very popular website. The fact that they have followed such shockingly bad security practices themselves is absolutely no excuse.
The work I wish we saw was the valiant effort you made to contact the company and help them see their mistakes. That is an area where we can all use more good examples, even if only to show how difficult it is to get something so obviously problematic taken seriously.
I'm certain you mean no ill will, but the lack of consideration here is concerning.
[EDIT] As per the poster's comments, the keys included weren't the real ones. I still think the point stands: they are trivial to obtain when you know they are included in the package so their exclusion only means so much.
There is no vulnerability here.
Secrets have been anonymised; tokens and secrets provided are not the real ones.
I'll follow your advice and update the article once I have an answer from the company.
> ... and update the article once I have an answer from the company
I look forward to the update and will be very curious to see how that goes. Best of luck!
[EDIT] Also I think it's worth adding one more thing. I think the poster has demonstrated an openness to feedback that is wonderful. Coming back to the keyboard to read "let me give that a try; I'll update things" is really cool.
This is an 0day public disclosure. The company affected should THANK this person for not selling the exploit on the dark web and making bank.
And this goes back to the whole "responsible vulnerability disclosure". The damned white hats want to demonize anybody not reaching out to some opaque company and being told it might be fixed in 90-360 days.
0Days are JUST AS responsible as other types of disclosure. You owe them nothing, and they owe you nothing. And you're publishing info to everyone. Information symmetry.
I can't disagree more. They should thank him if he actually reached out to help, even if only to say "look how bad this is; you're easy pwnbait, kthxbye". Based on this article we don't even know if they are opaque (or worse, belligerent).
I've tried to be as careful as possible in my wording to avoid demonizing the poster. I still see absolutely nothing indicating maliciousness or ill intent and I would just as strongly disagree with anyone trying to do that. My apologies if I have come across as being hateful in any way.
I prefer to champion a web that goes back to a "hacker" culture I learned from in my youth that predates Internet culture: we believe we DO owe each other something, somewhere in the positive gradient: basic decency, an assumption that we're all worthy of respect (unless proven otherwise), and that you never try to "score points" at the expense of someone else.
But that is just what I believe and what my preferences are. Certainly "do no harm" is the rock bottom line.
You don’t owe companies that don’t invest in security anything. This whole comment smells of utmost naïveté.
It’s a for-profit company without a bug bounty program, in no way whatsoever should they expect someone to work for free to fix issues they created.
The keys are public, they made them public. Do you expect that there are not automated systems trawling apps from the g-play store and doing what he’s doing?
If this be naïvete, then I'll happily wear that label, and wear it proudly. I've been around enough to have a good sense of the value you create when you make an effort to consider other people's interests, and that seemed absent in the original post. I disagree that this is naïve, however. I've worked with far too many talented people who think the same way to chalk this thinking up to inexperience or simplicity.
That they are a for-profit company is completely irrelevant, as is whether or not they have a bug bounty program. Legal abstractions aside, it's still just people on both sides.
The expectation isn't that the poster work for free. The poster could have easily obscured identifying details and the content of his article would not be diminished. It is my opinion that if he wanted to "show his work", work done of his own initiative, then I think it would be more interesting and useful to include something about attempting to assist in remediation. I think, as mentioned by others, it would make a far stronger argument to click that "hire me!" button than anything in his technical analysis.
Of course automated systems are on the hunt for this stuff. Same with public code repositories, Docker images, and if you operate a subscription-based service with any popularity then your web interfaces for sign-up, login, etc will be subject to well-orchestrated brute force attacks. That someone did a poor job is all the more reason to avoid potentially contributing to their exploitation.
A response within the positive spectrum is absolutely above and beyond. Of all the feedback this community can provide, I think this is the most useful and I'm grateful that the poster has been responsive to it.
So if you leave your door to your home unlocked and I go ahead and list your address/tell everyone online that the door is ready to be opened, do you blame me or yourself when a dozen people break in that night? Because the way I see it, you’d probably just have come home and realized your mistake with no real consequences if I hadn’t come along.
I'm sitting there at -3 for what amounts to be an "unpopular opinion" (aside: downvotes/silencing/dead'ing is common here for unpopular but realistic comments in IT, or how dare you offend the techbros, who are invariably writing shitty apps with garbage APIs.)
I've made money from selling exploits to companies. I've also been cheated out and had bugs downrated so they could pay less. I've also seen colleagues who reported bugs they inadvertently found get hit with a felony (found not guilty).
Frankly, this company should thank its lucky stars that the disclosure was an 0Day and not "sell this on dark web and have it exploited for 3mo from 1500 accounts and drain the company's coffers".
This person owes the company *nothing*. They found an exploit due to bad API implementation, and wrote about it publicly. If they were in the USA, that's completely in 1fa territory.
If I leave my door unlocked by accident, and someone leaves a note to tell me so, I'm shocked, but happy that I can lock my door and fix the problem.
If I accidentally leave my door unlocked, and someone comes in and steals my TV, I'd be upset. I made an honest mistake, and had to pay for it when I wasn't expecting to.
If ..., and someone makes a blog post to tell the world that my door is unlocked, my dwelling may be in a permanent state of disrepair by the time I notice. I'd be incredibly unhappy.
You're going to get a lot of hate here from the tech bros.
This, however, is much more in line with Defcon, CCC, and hacking culture. And this sort of writeup about (React, API endpoint insecurity, cheating apps) would be a straight-up accepted submission to the respective cons.
First off, you've done useful and valid work. Not that you should need me to say it, but I'll throw some kudos.
Explaining that it's not possible to actually 'cash out' would be great, and that would probably help deter script kiddies from trying to defraud the app. There are real people on the other side!
Tokens should be marked as redacted imo, and code sections could probably do to be snipped.
If you wanted a tl;dr, I guess it would be that it looks like ctrl-c and ctrl-v were your primary editing tools. They're great, and I use them all the time, but that w(t) thing took me 10 seconds of scrolling to get through when skimming, which was 10 seconds with none of your own words on screen. Less can often be more! Especially if I'm looking at disassembled gibberish.
I understood my mistake. I think the article's humor has not been received as intended; that's why I added a disclaimer at the top level of the article to contextualize it a little bit more. Hope I've not done any harm to their infrastructure.
I'll definitely take care of this in my next articles.
I also trimmed the long code of the w() function a bit, making the article easier to read.
They rewrite the hrefs in the document so that you can easily click around inside the snapshot. The links just aren't necessarily archived as well, but sometimes they are.
What the parent commenters are saying is that URLs in the page which are _not links_ have also been rewritten, e.g. the ones in the source code snippets which are plain text. They are not clickable so it makes little sense to the user that they are rewritten.
I imagine they probably have a pretty liberal regex working on the source code so that it can also rewrite URLs in JavaScript/CSS/etc.
Aside from now doing the Google API work client side, how to build an app like this, securely? If the server does work based on client data, I can still do more "normal" work by modifying the client.
That is, what is a non-hackable way to measure the physical environment of a consumer smartphone?
Can the critical data be stored in a DRM module protected by OEM TPM module?
> to measure the physical environment of a consumer smartphone?
At this point you need to be more precise about what you exactly intend to measure. Even if you build something perfectly unbreakable, nothing prevents an attacker from simulating the environment around it, whether movement (by building a robot to shake the device), visual (monitor in front of camera sensor), radio (GPS constellation simulators, etc).
I've seen physical security companies enforce patrols by having their guards tap their phone on a physical device in the secured property (which does a challenge-response) to prove that they've indeed been there at a given time, but even that can be defeated by attaching a device with a microcontroller and some out-of-band channel (cellular, etc) to relay the signals over the internet and allow them to "check-in" at every location without physically being there. The system works because in most cases the cost & skill required for such an attack isn't worth it (if you have those skills you typically already have access to better-paying jobs).
Health tracker apps typically don't have this problem because the incentives are aligned - the user has no incentive to lie to their health tracking app so no security is needed. It's a problem for this particular app because the true purpose of the app isn't to encourage healthy living, it's "growth and engagement" where advertisers can pay to get people to go to certain places and most likely buy their location data as well - in this case the relationship is adversarial and there's no bulletproof solution, it will always be a game of cat & mouse. The proper solution is to just find a better business model where incentives are aligned.
Niantic tried to implement anti-cheat measures around Pokemon Go. They hashed a lot of data available to the client and the phone. With some math/ML it's easy to do outlier detection and find the hacked/spoofed clients based on their GPS/gyroscope/accelerometer/... data. It took ~4 days for the community (some bot devs, mostly map / tool developers) to figure it out, although the scene has never been the same since.
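The server-side plausibility checks the two comments above point at (the app crediting client-reported steps, and outlier detection on sensor-derived data), as an added example that is not code from the article or from the app being discussed. The batch format, the thresholds and the sample batches are all constructed assumptions.

```python
"""Server-side plausibility checks for client-reported step batches.

Assumed submission format (not the app's real API): each batch is
(start, end, steps) with epoch-second timestamps, sent in order.
Thresholds below are illustrative assumptions, not the app's values.
"""
from dataclasses import dataclass

MAX_STEPS_PER_SEC = 4.0     # assumption: ~240 steps/min is a flat-out sprint
MAX_BATCH_SECONDS = 3600    # assumption: the client syncs at least hourly
MAX_STEPS_PER_DAY = 60000   # assumption: sanity cap on a rolling 24h window


@dataclass
class Batch:
    start: int   # epoch seconds, inclusive
    end: int     # epoch seconds, exclusive
    steps: int


def check_batch(b, last_end, day_total):
    """Return the reasons to reject one batch; an empty list means accept."""
    reasons = []
    dur = b.end - b.start
    if dur <= 0:
        reasons.append("non-positive duration")
    if b.steps < 0:
        reasons.append("negative steps")
    if last_end is not None and b.start < last_end:
        reasons.append("overlaps previous batch (replay/reorder)")
    if dur > 0 and b.steps / dur > MAX_STEPS_PER_SEC:
        reasons.append("cadence above human limit")
    if dur > MAX_BATCH_SECONDS:
        reasons.append("batch spans too long")
    if day_total + b.steps > MAX_STEPS_PER_DAY:
        reasons.append("daily cap exceeded")
    return reasons


def validate_history(batches):
    """Walk batches in submission order and credit only those that pass.
    Returns (credited_steps, rejections), rejections being (batch, reasons)."""
    credited, rejections, last_end = 0, [], None
    window = []  # accepted batches that still fall inside the last 24h
    for b in batches:
        window = [w for w in window if w.end > b.start - 86400]
        reasons = check_batch(b, last_end, sum(w.steps for w in window))
        if reasons:
            rejections.append((b, reasons))
            continue  # rejected batches do not advance last_end
        credited += b.steps
        window.append(b)
        last_end = b.end
    return credited, rejections


# Constructed sample: one honest walk, one impossible burst, one replayed
# batch that starts before the previously accepted one ended, one honest walk.
SAMPLE = [
    Batch(1_000_000, 1_001_800, 2_500),   # 30 min at ~1.4 steps/s: ok
    Batch(1_001_800, 1_002_400, 20_000),  # 10 min at ~33 steps/s: bogus
    Batch(1_001_700, 1_003_000, 800),     # overlaps accepted batch: replay
    Batch(1_003_000, 1_004_800, 1_200),   # ok
]
```

Run `validate_history(SAMPLE)` to see the two bogus batches rejected with their reasons while 3,700 steps are credited.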
A solution would be for the OS developers (Apple/Google) to provide a way to retrieve data from the backend. This would not fully prevent it from being hacked but would change the difficulty:
- wannabe GPS spoofers would need to emulate the whole OS/sensors to send spoofed data to Apple/Google
- the platform/OS developers would have more resources and incentives to detect spoofed data
The cat&mouse game is harder when played against Apple/Google than against a single small developer.
"Web surfing for money" was pretty lame. But inspiring people to get off their ass and walk around with rewards seems nice whether it's financial rewards or to catch pokemon.
A simple UI on my phone that tells me how many steps I have and a progress bar was enough to make me religious about getting my 10k steps each day, and it's been nothing but a good thing in my life. I even got my girlfriend addicted.
We'll take a walk to the grocery store together to buy a pineapple, just for the steps.
Well, there's nothing that's truly after your well-being except you and your loved ones. Not even my local gym nor Youtube workout videos nor my $1 pedometer phone app is after my well-being.
Our incentives simply align. I want to exercise more, they want to sell me something that I want to use.
Everyone is free to do push-ups and run at their own leisure without giving money to anyone else. Unfortunately most of us have trouble with that. It seems too much to call something a "con" if it can compel someone to improve their health just because it's transactional.
If someone can figure out how to make money from compelling people to exercise, I think it's a net positive. At least it's certainly better than all the money being made by compelling people to indulge in habits that are bad for them, which seems like just about everything.
I can make most pedometers think I am walking by folding my arms so they cross my chest and then moving my lower arms in circles along the horizontal axis perpendicular to my body. I am not sure if getting 10,000 steps this way is easier or harder than walking, but then again in the summer I like to get up at sunrise and go walk six miles, then walk another six miles before sunset.
In Germany there is the term "instruction to the offence" - that is a crime itself. Just saying... but I'm not a lawyer, dunno how that's handled globally.