Archive for June, 2012

Path Traverser – a new Path Traversal tool

Posted in Application, Programming, Valnurability with tags , , , on June 17, 2012 by keizer

New development by me 🙂

Path Traverser is a tool for security testing of web applications. It operates as a middleman between your web application to its host server, giving you the abillity to test the actual files as found in your host server against the application, according to their relevant path.

How does it work?

After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out (ls -R) the list of files.

Then, it will manipulate the list taken from the file system so it will fit the web application by changing their path. How? Lets say that your application could be found at: http://mysrvr:777/home and the application files could be found in the file system under: myapps/demoapp/client/version/lastversion. Each file in the files system will receive its relevant path, so the files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc.

After that, the Path Traverser will start sending these requests one by one. You will be able to follow via the progress bar or the log file. If something goes worng, go to the Log Tab and try to figure up what when wrong, or contact me at: pt@appsec.it – I will gladly help!
Now its time to view the results, that could be found in the Results Tab. Each request that received one of the selected response codes from the server, will be displayed next to the code in the Results Tab. e.g.: [200]   http://http://mysrvr:777/home/../1.1/actions.log. They could also be found under in the file holding the relevant response code.

Where? appsec.it/pt – for more information!

for help: appsec.it/pt/help.html


Here are some screenshots:





Of course, all features and assistant could be found in the Path Traverser website:

http://appsec.it/pt

LinkedOut! LinkedIn is violating your privacy

Posted in Application, Network Security on June 7, 2012 by keizer

LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn have decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every-time you open your LinkedIn app.

What is the problem exactly?
LinkedIn’s app collects full meeting details from one’s iOS calendar, which contains sensitive information such as meeting notes. While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines (section 17.1: “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used”). The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app’s functionality, as described later on.

What information is being collected and sent to LinkedIn’s servers?
Every time you launch LinkedIn’s app for iPhone, it automatically sends out all of your calendar entries for a five-days time frame. The meetings information is being collected from all the calendars on the iOS machine, thus possibly exposing information from both personal and corporate calendar accounts.
Calendar meeting that are being sent out contain: meeting title, organizer and attendees, location, time and meeting notes. It should be noted that the names and email addresses of the meeting organizer and attendees are collected even for those who do not have a LinkedIn account.

As an example, creating a financial results meeting in your private calendar leads to data leakage to LinkedIn during your normal usage of the LinkedIn app. Below you can find the actual leaked data, which was acquired by analyzing the traffic the app generates.

Calendar details traffic leakage

Is the collected information needed for LinkedIn’s functionality?
Not that we are aware of. In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn need is unique identifiers of the people you are going to meet with, not all the details of your planned meetings; details such as meeting schedule, location, title or notes, which tend to be sensitive in particular for organizations, are irrelevant for this task.

What should LinkedIn do?
In order to achieve its desired functionality, the LinkedIn app should refrain from sending full meeting details to their servers. Instead, the app should communicate to LinkedIn’s servers only a small relevant subset such as the attendees of the meeting. In a matter of fact, the users’ privacy can be further improved by sending-over hashed versions of the contacts data instead of the raw contacts data, thus preserving a better privacy model.
In addition, we believe the app should clearly communicate to its users the kind of information it sends back to LinkedIn’s servers.
We have communicated the aforementioned to LinkedIn, and understand it is being examined by their Risk and Privacy Operations team. However, at the time of writing this post, the issue is still not fixed.

What should Apple do?
On a more strategic level, there may be additional mobile applications that extract sensitive calendar details and then transmit them out of the device. At the moment, such applications may be able to do so without a clear indication to the user, thus possibly violating Apple’s privacy guidelines. Therefore, we believe Apple could improve their screening process by leveraging static analysis technologies to detect such violations and better enforce its privacy policy on submitted applications.

Have LinkedIn used the acquired information in a bad way? Did LinkedIn have bad intentions?
To the best of our knowledge and based on LinkedIn’s good reputation and leadership in the market, we do not believe it utilized the collected information in a malicious way. However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent.

How can I verify I’m not affected by this privacy leak?


The following instructions cover the actions that need to be done to verify your calendar(s) information is not being transmitted to LinkedIn’s servers. These instructions apply for the most updated iPhone LinkedIn version. Similar actions can be applied for the iPad version of the app.
1. Click on the LinkedIn icon in the upper left part of the screen
2. Click on the “You” view
3. Click on the settings icon in the upper right part of the screen
4. Click on the “Add Calendar” option in the Settings page
5. Toggle off the “Add Your Calendar” option.

Discovered by:
Adi Sharabani and Yair Amit, Skycure