Wednesday, July 28, 2010

The Irony - Black Hat Video Stream Hack

Free access to the Black Hat Video Stream? Yep, that was the case. Read on for the whole story.

I was unable to attend Black Hat in person this year. Instead, I decided I would closely monitor Twitter, blogs and the Black Hat page itself to stay up to date. In this process I noticed the new "Black Hat Uplink" service that would allow remote individuals access to streaming Black Hat talks from two select tracks. Great! Now I could watch some talks even though I wasn't there. This sounded perfect and I began the registration process.

However, during registration I was quickly sidetracked by a few oddities in the design. Long story short, I identified a series of flaws that would enable the creation of an account by providing only an email address (e.g. no name, address, phone, etc.), and I was never asked to enter any credit card data. Odd, I thought; perhaps you enter the credit card info upon your first login. The only problem was that I didn't actually have a registration email with a link to the login page. A few select Google searches and I ended up on a relatively vanilla-looking login page. I have a username and a key, let's give it a shot. To my surprise the login was accepted and I was now sitting in front of the live Black Hat video stream.

This is certainly not the intended outcome of the registration app. I was never prompted to enter my credit card number. Black Hat is charging $395 for access to these streams and would not be pleased to find out that it's possible to create an account for free. Clearly my non-standard path through the registration app had identified a few key security flaws in their design.

Now, to be fair, Black Hat didn't operate this video service themselves. They used a third party for the video application. But it's still a bit ironic that the largest hacking conference in the world had this security hole in their video streaming service.

You are hearing about this vulnerability because the identified flaw has already been fixed.  The disclosure debate is full of pros and cons, but my approach was to first attempt to get in touch with the system owners and give them reasonable time to address the issue.  The first problem was figuring out who to talk to.  A call to the Black Hat phone # went to voicemail (figures they are a bit busy) and my emails went unanswered.

I turned to Twitter to find an answer. I sent a few select tweets (@_mwc) asking for assistance and used the #blackhatusa tag too. Within 30 minutes the company in charge of the video app was messaging me directly. Another 30 minutes and I was on the phone with the person in charge. Not a bad response time.

From there we discussed the issue and I sent over my notes on how to recreate the "free" user. I was assured that this information would go straight to their developers and was of the highest priority. They weren't kidding: within 4 hours the issue was fixed and deployed live.

Overall Thoughts
  • Even the most security-aware organization (Black Hat) can suffer security breaches. Systems are large and complex, and adding in third-party vendor systems can introduce new security weaknesses.
  • Any enterprise leveraging third-party services must either validate the security of these services themselves or review the security reports provided by another qualified security organization.
  • Responsible / intelligent disclosure can work. In this case the company was responsive to the issue and eager to address the security concern.
  • Security researchers enjoy working with companies that also care about security. I wanted to give the company a fair chance to fix the issue. The ability to talk to someone within 1 hour of reporting the issue was very encouraging. Had things not gone so well I imagine I would be writing a very different blog post at this hour.

The actual vulnerability

The issue was a combination of logic flaws and misconfigured systems that provided access to a testing login page, which could be used with user credentials that were not fully "registered" (e.g. no payment received). I have a more detailed walkthrough of the vulnerability which I may release/present in the future.

-Michael Coates
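
The flaw class described above (credentials that authenticate although registration never reached payment), sketched as an added example that is not from the original post or the vendor's code. The state names, the `Account` class and all function names are hypothetical, since the post does not publish the application's details.

```python
import hmac
from enum import Enum

class State(Enum):
    EMAIL_ONLY = 1    # account created from an email address alone
    PROFILE_DONE = 2  # name, address, phone collected
    PAID = 3          # payment confirmed

# Each state may only be entered from the state listed for it.
PREVIOUS = {State.PROFILE_DONE: State.EMAIL_ONLY, State.PAID: State.PROFILE_DONE}

class Account:
    def __init__(self, email, key):
        self.email, self.key, self.state = email, key, State.EMAIL_ONLY

def advance(account, new_state):
    """Server-side step enforcement: reject skipped or repeated steps."""
    if PREVIOUS.get(new_state) is not account.state:
        raise PermissionError(
            f"{account.state.name} -> {new_state.name} is not allowed")
    account.state = new_state

def _authenticated(accounts, email, key):
    acct = accounts.get(email)
    if acct is not None and hmac.compare_digest(acct.key, key):
        return acct
    return None

def login_weak(accounts, email, key):
    """Flaw class from the post: matching credentials alone grant access."""
    return _authenticated(accounts, email, key) is not None

def login_hardened(accounts, email, key):
    """Credentials must match AND registration must have reached PAID."""
    acct = _authenticated(accounts, email, key)
    return acct is not None and acct.state is State.PAID

def build_sample_accounts():
    """Constructed sample data: one unpaid and one fully paid account."""
    accounts = {e: Account(e, k) for e, k in
                [("free@example.test", "key-free"), ("paid@example.test", "key-paid")]}
    advance(accounts["paid@example.test"], State.PROFILE_DONE)
    advance(accounts["paid@example.test"], State.PAID)
    return accounts

if __name__ == "__main__":
    accts = build_sample_accounts()
    for fn in (login_weak, login_hardened):
        print(fn.__name__, fn(accts, "free@example.test", "key-free"))
```

Keeping the entitlement check in the one function that every login entry point calls means a leftover test page cannot skip it.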