[Security Advisory] todoist Unauthorized Third Party Access Vulnerability

On September 20th 2016 I reported the following vulnerability to the todoist Team.

A design flaw exists in the way the registration / invitation process is handled.

Description
*************

– A todoist user invites another person via email.

– The recipient of this invitation can join the todoist project by following the link in the invitation email; the link carries the invitation key as a URL parameter. The recipient can log in with an existing account or create a new one.

Impact:
*********

The invitation key is not bound to the recipient's email address in the server-side application. Thus, anyone who gets access to the email or to the invitation key can join the project, regardless of which email address they provide when following the invitation link. The risk of the email being exposed certainly depends on the user's behavior, but in the days of free, public and unencrypted WiFi everywhere I would rate this vulnerability as medium to high, as unauthorized third parties would be able to access regular users' content. If such a breach happens and becomes public, the damage caused to your business and to the trust of your customers would be high.

Recommendation:
*********************

It is recommended to create a relationship between the invitation key and the recipient's email address within the logic of the server-side application. If a user tries to create an account with an email address that differs from the original recipient's email address, the invitation key should be invalidated.
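The following is an added example, not code from todoist or from the advisory, sketching the recommended server-side binding: each invitation key is tied to the invited email address, is single-use and expiring, and is invalidated on the first redemption attempt with a non-matching address. The in-memory store, function names and time-to-live are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Invitation:
    project_id: int
    invited_email: str      # normalized address the inviter entered; the key is bound to it
    expires_at: float       # absolute expiry, epoch seconds
    used: bool = False      # set on success *and* on a mismatch, so the key cannot be retried

# Hypothetical in-memory store, keyed by the opaque invitation key (assumption).
_invitations: dict[str, Invitation] = {}

def normalize_email(email: str) -> str:
    """Case-fold and trim so 'Alice@Example.com ' and 'alice@example.com' compare equal."""
    return email.strip().lower()

def create_invitation(project_id: int, invited_email: str, ttl_seconds: int = 7 * 24 * 3600) -> str:
    """Issue an unguessable, expiring key that is bound to the invited address."""
    key = secrets.token_urlsafe(32)   # 256 bits of randomness; never derive it from the email
    _invitations[key] = Invitation(project_id, normalize_email(invited_email),
                                   time.time() + ttl_seconds)
    return key

def redeem_invitation(key: str, account_email: str) -> Optional[int]:
    """Return the project id on success, None otherwise.

    The account's verified email must equal the invited address; on a mismatch the
    key is burned immediately, as the recommendation above describes, so a leaked
    key cannot be retried with other addresses.
    """
    inv = _invitations.get(key)
    if inv is None or inv.used or time.time() > inv.expires_at:
        return None
    inv.used = True   # single use, regardless of outcome
    expected = inv.invited_email.encode()
    actual = normalize_email(account_email).encode()
    if not hmac.compare_digest(expected, actual):
        return None   # wrong address: key is now invalid for everyone, including the real recipient
    return inv.project_id
```

The flaw in the advisory corresponds to `redeem_invitation` skipping the email comparison entirely; the join must also require that `account_email` has been verified, since a binding to an unverified address can be bypassed by simply claiming it.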

Timeline
*********************

20.09.2016 Reported vuln to todoist Team

22.09.2016 1st Response from todoist requesting more details

22.09.2016 Detailed information about vuln sent to todoist, with notification of responsible disclosure after 90 days or later

22.09.2016 Answer by todoist stating that the issue will be reported to dev team

today: No confirmation or further correspondence received

[Security Advisory] Samsung leaves its Android Smartphones with WAP-Push Feature Open to Attacks (one sms to rule them all)

Samsung is currently the biggest smartphone vendor in the world. Their Android-based smartphones also have the largest market share among all vendors.

They recently updated multiple devices to Android 4.0.x and more are on the waitlist. Android smartphones with ICS from Samsung support WAP Push messages to enable the user to receive logos, ringtones etc.

The default setting for WAP Push messages is "always accept", which leaves these smartphones open to attacks.

There are two kinds of WAP Push messages:

Attack 1.) Service Indication Message (SI) will present a message on the device with an embedded URL. The user can open the message and follow the URL with one click.

The sender's number is not displayed by the device. The user is unable to verify who sent this message and whether the contained link can be trusted. This leaves room for social engineering, phishing or, if an exploit exists, a compromise of the whole device. Obviously this kind of SMS also allows malicious people to send anonymous messages to their victims.

Attack 2.) Service Load Message (SL) will allow a provider to push software updates to the device or to have logos or ringtones pushed to the device.

A service load message can be configured to control how it is handled by the target device. Among other options, one is to force the target device to load the defined content from a URL without any user interaction. Again the sender's number is not displayed by the device. If such a forced message is received, the device will open the default browser and either display the URL defined in the message or download the payload from the URL. This can be any file type, even an APK. In the case of an APK the user is asked whether to install the file; if sideloading is activated in the device settings, the provided file will be installed.
If the browser contains a vulnerability, this kind of message can be used to fully compromise the device.

Risk Mitigation: Open the SMS app and press Menu -> Settings. Go to "Push message settings" and either disable the service or, if you need it, set "Service loading" to "Prompt" or "Never". To test whether your device is vulnerable you can use HushSMS for Android to send WAP Push SI and WAP Push SL messages.

Screenshot of a received WAP Push SI message.

[Security Advisory] Multiple Smartphones MMS Notification Sender Obfuscation

Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009


Description:

An MMS notification is part of the MMS communication flow. Usually an originator sends an MMS via a service provider (SP). After the message has been uploaded to the SP, the recipient gets an MMS notification from the SP with information such as originator, subject and URL of the content. In some mobile carrier networks it is allowed to send MMS notifications directly from one mobile unit to another.

Some smartphones fail to properly display the originator of this kind of message, which leads to sender obfuscation.


[Security Advisory] Multiple Smartphones SMS Sender Obfuscation via WAP Push SI

Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009


Description:

WAP Push SI (Service Indication) is a special service SMS which allows operators, or anyone else, to alert the smartphone user about new services or online resources in an easy way (see specification WAP-167 for further details). Some smartphones fail to properly display the originator of this kind of message, which leads to sender obfuscation.


[Security Advisory] Circumvent Device Lock in Blackberry Connect for Windows Mobile

Description:

BBC (Blackberry Connect) features a security module that, if configured and activated, locks the device after a specific amount of time. In a corporate environment this is usually set up by a security policy which is pushed to the device via Blackberry Enterprise Server (BES). If the device is locked, the user has to enter a password to unlock the device again. There are two ways a user can compromise the security implied by the BBC security service.


[Security Advisory] Windows Mobile Security Advisory: Manufacturers leave device open for WAP-Push based attacks

Description:

WAP Push SI (Service Indication) and SL (Service Load) are so-called "Service SMS". These messages are used by operators to notify about software updates or to deploy them directly. Microsoft implemented a security policy to ensure that these messages are accepted only from trusted originators. This policy is defined in the device registry. If improper settings are applied to this policy, attackers can send malicious content to the device, which then displays or executes the content immediately. This leaves the device open to further attack scenarios.
