[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8nrQu0DLjx7hnnYx2JyUDDzBgti78SdKmVcH5cKn-mDEg@mail.gmail.com>
Date: Tue, 13 Nov 2012 22:06:48 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
BugTraq <bugtraq@...urityfocus.com>
Cc: readdle.com@...tecteddomainservices.com, support@...ddle.com,
security@...ddle.com, secure@...ddle.com
Subject: Readdle: User traking (device UUID) over
plaintext HTTP in query parameter
This little gem showed up in a recent code review. Signature ([self
signature]) is a CRC32 with no cryptographic value.
-1 for tracking with a device's UUID
-1 for doing it over an insecure channel
-1 for doing it with a query parameter
// From ReaddleProtector.mm
- (void)validateCopy {
NSString *urlString = [NSString
stringWithFormat:@"http://api.readdle.com/rpp/?u=%@&s=%@",
[[UIDevice currentDevice] uniqueIdentifier], [self signature]];
NSURL *url = [[NSURL alloc] initWithString:urlString];
NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url];
UIDevice *d = [UIDevice currentDevice];
NSBundle *b = [NSBundle mainBundle];
NSString *userAgent = [NSString stringWithFormat: @"rp2|%@|%@|%@|%@",
[b objectForInfoDictionaryKey:@"CFBundleIdentifier"],
[b objectForInfoDictionaryKey:@"CFBundleVersion"],
[d systemName], [d systemVersion]];
[req setValue:userAgent forHTTPHeaderField:@"User-Agent"];
response = [NSMutableData new];
[[[NSURLConnection alloc] initWithRequest:req delegate:self
startImmediately:YES] autorelease];
[url release];
[req release];
}
Surprisingly, it looks they have a well configured server, except for
the 1024 bit key.
$ echo "GET / HTTP 1.0" | openssl s_client -connect readdle.com:443
CONNECTED(00000003)
depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See
www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated -
RapidSSL(R)/CN=*.readdle.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See
www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated -
RapidSSL(R)/CN=*.readdle.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See
www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated -
RapidSSL(R)/CN=*.readdle.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See
www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated -
RapidSSL(R)/CN=*.readdle.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIDFU79MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTI0MjI1MjU2WhcNMTMwMjI1MTUzODI2
WjCB4TEpMCcGA1UEBRMgWEgtNDQxREN6Smx1VC1sUmpHTGFaY24vNUNLcVRHNlIx
CzAJBgNVBAYTAlVBMRYwFAYDVQQKDA0qLnJlYWRkbGUuY29tMRMwEQYDVQQLEwpH
VDE0MDgyMjI1MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJj
ZXMvY3BzIChjKTEwMS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQg
LSBSYXBpZFNTTChSKTEWMBQGA1UEAwwNKi5yZWFkZGxlLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAuVf/LwcGdBLjx9c4A3mM6pLu+BbdT0f8PDH9MxLN
xZxcTPfAlna0De6oEFiwmo3XmF8HK5TygM1fRAePOynjk2W91xDUl1tJudcsY62I
QkoD4lfGgTuypeI68dliU14D+noiZqtTVfgeyiVhoyKmcFCR6Bey+YLUDSk0lDm+
sqUCAwEAAaOB1TCB0jAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAO
BgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCUG
A1UdEQQeMByCDSoucmVhZGRsZS5jb22CC3JlYWRkbGUuY29tMDoGA1UdHwQzMDEw
L6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3Js
MB0GA1UdDgQWBBRsaJpxsTMoCtgxe1yhfs17Czo+dzANBgkqhkiG9w0BAQUFAAOB
gQBxwvrCpe5gEbLMC1VEaXe6Ppz1Vl2KjFovK7xLsROn9I54Ch6QDBZB0QvrqwNI
FRDpjxwlfYb45Q0p9HgKPYcsSVyj9akuIsgC40yggc8Xqo02XhYRQ7PycIIy3Wfl
7Z1Al1Tkb9xuXA7lse2bITMVw7A8D+XnmFLwvel6OZzVjw==
-----END CERTIFICATE-----
subject=/serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See
www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated -
RapidSSL(R)/CN=*.readdle.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1067 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 30EF8AFC9D38C2D809871A86CE86B0B51F04AABC0CBF337CC3C9E68D2365D1E6
Session-ID-ctx:
Master-Key:
2596AD9369A5B73FC4DDA845E41EF67C4333C5861C99507BA1E32784EC2B48E980A1625BC8B5D70841AAB3787A81D8E9
Key-Arg : None
Start Time: 1352861697
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists