A while ago, I was at a friend’s house and he mentioned he had to join a work meeting. He used Google Meet to join. The WiFi was acting weird and he was not able to follow the discussion. Someone suggested that he could “call in” making a regular phone call. I overheard that and immediately found myself wondering if there was a way to join meetings I had not been invited to.
In today’s world and global market it is common to have teams spread all around the world. Corporations have offices everywhere, customers can be located in other countries, vendors operate overseas, and in general we have a need to communicate with people that are not in the same location as us.
Daily meetings are something many in the tech industry can relate to. And with teams, customers and vendors in different physical locations, it is common to use video calls. Many times, sensitive topics are discussed. Security, architectures, all hands, financial results, roadmap plannings, new features… These are only a few of the confidential topics discussed in video calls.
As part of a Red Team engagement I found myself looking for a way to bypass two-factor authentication (2FA) in Lastpass. Unfortunately this happened before Tavis Ormandy reported multiple 0-days in Lastpass. Would have saved us so much time! Anyway, 2FA is an additional layer of security to protect user accounts from attackers that have already compromised your password. I mention this because it is key to understand the purpose of this post.
When you login into a service using your username and password, you will get an additional challenge before access is granted. Usually it is a 6 digit temporary code that changes every 30 seconds. Google authenticator, Authy and Toopher are just a few of the 2FA solutions Lastpass supports that are based on RFC6238 and RFC4226. There are other types of 2FA but these are the most common.
Venmo is a very popular mobile app which simplifies payments among friends. Once you link your bank account or credit card, you can start sending money to others, instantly.
With Venmo, you are not limited to just make payments. It allows you to charge others as well. Say your friend had no cash for that tasty burrito and you paid for it. You have the option to be proactive and “charge” your friend using Venmo. Charging someone does not mean that the money will be withdraw from his account, it just means that he will get a notification and see the pending payment in his account. Your friend has to accept the charge in order for the payment to happen. And this functionality is what we are going to take advantage of.
As part of the time that my company offers for research, my good friend and talented hacker Alberto Illera () and me decided to “checkout” LastPass.
Many of you may already know (or even use) LastPass. It is a pretty well known password manager that stores all your passwords in a “vault” and keeps them secure. Additionally, it can automatically populate the credentials for you when you visit a website in which your are registered making it easy to use more secure, random and unique passwords. You will just have to remember the master password that decrypts the vault and that’s all.
LastPass comes in many forms. As a browser plugin, as a mobile app or even as Webapp.
As you may agree, a service that stores all your passwords sounds like a cool target so we decided to have “A look into LastPass”, understand how it works, check if it really keeps our passwords secure and why not? Try to find vulnerabilities.
day night that curiosity and free time lead me to open burp and start lurking around. This time I will talk about my findings in another of those apps that makes commuting easier which name I agreed not to disclose.
It did not take long to find an interesting JSON response containing (among other things): Read more
After looking at Lyft, it was turn to check out Flywheel. Flywheel is yet another app to help you find cabs just as Uber does. During my pentest I found several serious security problems.
Ride and get paid!
Yep, just like it sounds. Flywheel lets you set a default tip that will be added to the total cost so you don’t have to bother about tipping the driver. The app gives you several options (15%, 20%, 25%). When we set a tip, the request looks like this: Read more