The internet is littered with wastes of space. This one is no different except that it is my waste of space.

Thursday, January 11, 2007

Your Free MacWorld Expo Platinum Pass (valued at $1,695)

Happy new year everybody! Here's a little secret for web developers: client-side verification of user data is sometimes ok, but back it up with a server verification AND don't give important/secret stuff to the client.

I wanted to head over to MacWorld this week and obtained a "PC" code for a free Expo pass. That's cool and all but it doesn't get me access to see Jobs' keynote unless I sneak in. Plus if I got a regular badge I wouldn't have priority seating, something you really need since everyone and their goat flocks to hear Jobs say "One more thing..." But, alas, I'd only receive an Expo pass.

I plug in the registration URL and start entering my information. The second screen is where your Priority Code gets entered. Being the curious person I am, I took a peek at the source code. Much to my chagrin I find this:


Well huh. These look like MD5 hashes. Let's look a little deeper in the code. On line 2515 there's a javascript function named "check_password" which is called any time the Priority Code field changes. Let's see what it does:

  1. Convert the cleartext to upper-case and strip invalid characters
  2. Calculate the MD5 of the new cleartext
  3. Check the list of valid_codes for the MD5(cleartext)
  4. Pop an alert box if the code isn't found

So what we need to do is crack the MD5 hashes with what we know about our keyspace: all upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII, so now we're just looking at A-Z0-9. Just an educated guess.

A quick conversion of the javascript list to "code#:md5hash" lines and a quick addition to John the Ripper's config as an external filter mode:

[List.External:AlNum_Upper]
void filter()
{
    int i, c;

    i = 0;
    // Walk the candidate: reject it if any character is outside [a-z0-9],
    // otherwise fold lowercase letters to uppercase to match check_password()
    while (c = word[i]) {
        if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
            word = 0; return;
        } else {
            if (c >= 'a' && c <= 'z') word[i] &= 0xDF;
        }
        i++;
    }
}


We begin the crack:
$ john --format=raw-MD5 --incremental=alnum --external=alnum_upper macworld.codes
Loaded 897 password hashes with no different salts (Raw MD5 [raw-md5])
CREDIT (1183)
guesses: 1 time: 0:00:00:09 c/s: 20372K trying: ADRY
Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get:



A Platinum Pass for $0.00? Special line access to the Keynote! Alright!

So it looks like a combination of client-side authentication with all the data needed to pass it being delivered to the end user. OWASP has a very good description of this vulnerability here. Ultimately you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret. Of course you also shouldn't use a very easy key that provides discounted access (CREDIT? Hmmmpf!)

But did it work? You need a government ID or credit card to receive your badge at the conference. Not a very hard thing to forge but no need to as I used my real initials. The badging people gave me an odd look at the pick-up window but everything matched and voila:


This was discovered and verified on Monday, 1/8/07 by picking up the above badge. On Tuesday I e-mailed IDG to report it and met with the web support team at MacWorld to say hi, how's it going, yeah this didn't take long to figure out, you gave me everything I needed to know in the code, etc. They're very nice people and were happy to discuss this issue and web security in general. They'd spent most of the day looking back over their logs and found that others also had found this vulnerability and used it, but I was the only one to report it.

Given what's mentioned in this article from CSO Online I can understand why that is. This experience helped me feel that it's not always a strong-arm, FBI jackbooted thug response for finding a web application vulnerability. Then again I only learned how to defraud a company of $1,695 (per instance) and didn't try to access a database containing credit cards, social security numbers, etc.

I made a video of the hack but it was after I talked to IDG so the final page doesn't show $0.00 anymore. Oh well, it'll give you the general idea of the vulnerability and how long it could take to figure out. As soon as it's finished I'll post it.

13 comments:

C. A. said...
This comment has been removed by the author.
Jane said...

Well done!

Peter Hu said...

I guess you can say "All your passes are belong to us"

Good find!

beachdigital said...

A minor issue, it's not macworld, but their registration company who should of course, since this is what they do for a living, know better. Wonder if they will make up the difference?

new2 said...

Kudos to you. Nice work. Honesty pays.

Bklynjames said...

Kurt ur such a ham...

theMan said...

Lucky you... If I were the manager of MacWorld I would have had you and anyone else that "stole" free passes in court. It's stealing. Just because you can break into someone's house, should you? Should you break in, steal a few things and come back later and say "The lock on your door was a cheap piece of crap, so I just broke in and took a few things".

Nice posts... keep up the good work.
