[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <51F32225.3080202@mercenary-security.com>
Date: Sat, 27 Jul 2013 03:28:05 +0200
From: Sebastian Rother <srother@...cenary-security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Phishing Google Wallet and Paypal by abusing
WhatsApp
On 07/24/2013 04:52 PM, Curesec Research Team wrote:
> Hi List,
>
> please find the vulnerability description within this post.
>
> Cheers,
> Curesec Research Team
>
> Reference:
> https://cureblog.de/2013/07/phishing-google-wallet-and-paypal-by-abusing-whatsapp/
>
>
> Phishing Google Wallet and Paypal by abusing WhatsApp
>
> -=Introduction=-
>
> WhatsApp is one of the most common used tools aka ‘Apps’ on
> Smarphone-Devices with access to wireless networks or a so called
> Data-’Flatrate’. By using the internet link to communicate, people do
> not have to pay any extra fees for sending a text-message somewhere,
> even if the receiver is in another country.
>
> WhatsApp is available for almost every architecture on the market. The
> program exists for Nokia, Blackberry, Android and iOS. It is available
> here: https://www.whatsapp.com. This post will focus on the version for
> android.
>
> The app is free for one-year in Android devices. After that time the
> user has to buy a yearly license. The application provides 3 methods of
> payment:
>
> google wallet
> paypal
> payment link.
>
> They can be selected via Menu->Settings->Account->Payment Info.
>
> -=Bug=-
>
> Google-wallet and Paypal payments work in the same way. When selecting
> it, WhatsApp opens an in-app browser and contacts its main server
> www.whatsapp.com with the request:
>
> /payments/google.php?phone=XXXXXXXXXXXX&cksum=<request
> checksum>&sku=1&lg=en&lc=US
>
> or
>
> /payments/paypal.php?phone=XXXXXXXXXXXX&cksum=<request
> checksum>&sku=1&lg=en&lc=US
>
> Responding to this request the browser gets redirected to the proper
> checkout service.
> The payment link option seems to be currently not working, i.e., nothing
> happens.
>
> -=Attacks=-
>
> Even tough the communication with the payment systems is HTTPS secured,
> the initial contact with the main server www.whatsapp.com is NOT, as we
> can see in Wireshark logs:
>
> GET
> /payments/google.php?phone=xxxxxxxxxxxxx&cksum=<checksum>&sku=1&lg=en&lc=US
> HTTP/1.1
> Host: www.whatsapp.com
> Accept-Encoding: gzip
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.7)
> Cookie: __utmmobile=0xxxxxxxxxxxxxxxxxxxx
> Accept:application/xml,application/xhtml+xml,text/html;
> q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
>
> After Whatsapp sent this unencrypted request, it will receive the
> following answer.
>
> HTTP/1.1 200 OK
> X-Powered-By: PHP/5.4.7
> Content-type: text/html
> Transfer-Encoding: chunked
> Date: Mon, 10 May 2013 05:34:36 GMT
> Server: lighttpd/1.4.31
> 5e4
>
> <html>
> <head>
> <meta name="HandheldFriendly" content="true"/>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
> <title>WhatsApp Messenger payment</title>
> </head>
> <body onLoad="document.getElementById('google').submit()">
> <p>Please wait...</p>
> <form id="google" method="POST" action="https://checkout.google.com
> api/checkout/v2/checkoutForm/Merchant/xxxxxxxxxxxxxx"
> accept-charset="utf-8">
> <input type="hidden" name="shopping-cart.items.item-1.item-name"
> value="One year of WhatsApp service for phone XXXXXXXXXXXXXXX"/>
> <input type="hidden" name="shopping-cart.items.item-1.item-description"
> value="WhatsApp Messenger"/>
> <input type="hidden" name="shopping-cart.items.item-1.merchant-item-id"
> value="1"/>
> <input type="hidden"
> name="shopping-cart.items.item-1.merchant-private-item-data"
> value="XXXXXXXXXXXXXXX"/>
> <input type="hidden" name="shopping-cart.items.item-1.unit-price"
> value="0.99"/>
> <input type="hidden"
> name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
> <input type="hidden" name="shopping-cart.items.item-1.quantity" value="1"/>
> <input type="hidden"
> name="shopping-cart.items.item-1.digital-content.display-disposition"
> value="OPTIMISTIC"/>
> <input type="hidden"
> name="shopping-cart.items.item-1.digital-content.email-delivery"
> value="true"/>
> <input type="hidden"
> name="checkout-flow-support.merchant-checkout-flow-support.continue-shopping-url"
> value="http://www.whatsapp.com/payments/success.php"/>
> <input type="hidden" name="_charset_" />
> </form>
> </body>
> </html>
> 0
>
> This means an attacker could intercept the first request via a suitable
> man-in-the-middle attack and successfully redirect the user to any
> Webpage when the user is trying to buy Whatsapp credit. To gain
> useraccounts the attacker could setup a fake Google-Wallet or Paypal
> Systems page to harvest user accounts. It might even be possible to
> gather directly money through this, for instance let the user pay the
> 0,99 cents via Google Wallet or Paypal to the account of the attacker.
>
> Besides an attacker could forward some other content like a webpage with
> a new apk necessary for using google-wallet or paypal, like the
> (in)-famous Zitmo Trojan did at visiting a Bankingsite and spending
> users some extra “Security”-Features.
>
> -=Practical abuse of the bug=-
>
> As buying the credit only happens one time per year the attack itself is
> quite uncommon to be practical for a huge misuse as the attacker needs
> to be in control of the wireless or gsm network to intercept and
> redirect the traffic.
>
> -=Affected Versions=-
>
> 2.9.6447 to 2.10.751 (latest as of 2013 July 2)
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Dear Mr. Lux,
Do I undertsand it correctly, that you are capable of re-directing plain
HTTP traffic?
Congratulations... *applause!!!*
Please forgive me my scepsis but even your last report was not fully
impressing.
In the commercial sector and in any SANE company WhatsApp is not allowed....
I could tell you like 7 DoS Exploits against an Telecom V921 Router and
write down an AWESOME blog entry...
but in the end it's kind of useless anyway like your news...
Please do us, and I speak partly for the german community as well, a favour.
POST MORE QUALIFIED things.... or get into vacations soon.
Your purely unqualified statements do dishonor our professional work in
germany and disqualify any german
who is a serious penetration tester. And you made it all because to
market your company. Sorry Marco:
NO.... and I aint the only one thinking so.
Kind regards,
Sebastian Rother
p.s.
Seriously: Was there anybody impressed? It was not even Mr. Lux
himself... but his staff.
That aint a blaming.. just not everything should get made up as "LATEST
NEW SHIT ISSUE AND WE ALL GONNA DIE TOMMOROW" or Marco... *hust*.
I think People like Jericho might angree partly with me, he even
corrected you once, like I did....
Just get into vacanci
--
Name: Sebastian Rother (CEO)
E-Mail: srother@...cenary-security.com
GPG key: 0x7A1C7480
Key fingerprint: FFD0 EF0A 48EB 890A F400 94E5 8D6B B65C 7A1C 7480
Mercenary Security GmbH
Schönhauser Allee 64
10437, Berlin
Germany
Handelsregister: Charlottenburg, Berlin
Handelsregisternummer: HRB 143173 B
Geschäftsführer: Sebastian Rother
Phone: +49 030 50914741
Homepage: https://www.mercenary-security.com/
Wichtiger Hinweis: Diese E-Mail und etwaige Anlagen können Betriebs-
oder Geschäftsgeheimnisse oder sonstige vertrauliche Informationen
enthalten. Sollten Sie diese Mail irrtümlich erhalten haben, ist Ihnen
der Status dieser E-Mail bekannt. Bitte benachrichtigen Sie uns in
diesem Fall sofort durch eine Antwortmail und löschen Sie diese E-Mail
nebst etwaigen Anlagen von Ihrem System. Ebenso dürfen Sie diese Mail
oder seine Anlagen nicht kopieren oder an Dritte weitergeben.
Vielen Dank.
Please note: The information contained in this message may be legally
privileged and confidential and protected from disclosure. If the
reader of this message is not the intended recipient, you are hereby
anotified that any unauthorised use, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.
Thank You.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists