Wednesday, July 28, 2010

The Irony - Black Hat Video Stream Hack

Free access to the Black Hat Video Stream? Yep, that was the case. Read on for the whole story.

I was unable to attend Black Hat in person this year. Instead, I decided I would closely monitor twitter, blogs and the Black Hat page itself to stay up to date. In this process I noticed the new "Black Hat Uplink" service that would allow remote individuals access to streaming Black Hat talks from two select tracks. Great! Now I could watch some talks even though I wasn't there. This sounded perfect and I began the registration process.

However, during registration I was quickly sidetracked by a few oddities in the design. Long story short, I identified a series of flaws that would enable the creation of an account by providing only an email address (no name, address, phone, etc.), and I was never asked to enter any credit card data. Odd, I thought; perhaps you enter the credit card info upon your first login. The only problem was that I didn't actually have a registration email with a link to the login page. A few select Google searches and I ended up on a relatively vanilla-looking login page. I had a username and a key, so let's give it a shot. To my surprise the login was accepted and I was now sitting in front of the live Black Hat video stream.

This is certainly not the intended outcome of the registration app. I was never prompted to enter my credit card number. Black Hat is charging $395 for access to these streams and would not be pleased to find out that it's possible to create an account for free. Clearly my non-standard path through the registration app had identified a few key security flaws in their design.

Now, to be fair, Black Hat didn't operate this video service themselves. They used a third party for the video application. But it's still a bit ironic that the largest hacking conference in the world had this security hole in its video streaming service.

Screen Shots

Disclosure

You are hearing about this vulnerability because the identified flaw has already been fixed. The disclosure debate is full of pros and cons, but my approach was to first attempt to get in touch with the system owners and give them reasonable time to address the issue. The first problem was figuring out who to talk to. A call to the Black Hat phone number went to voicemail (figures, they are a bit busy) and my emails went unanswered.

I turned to twitter to find an answer.  I sent a few select tweets (@_mwc) asking for assistance and used the #blackhatusa tag too. Within 30 minutes the company in charge of the video app was messaging me directly. Another 30 minutes and I was on the phone with the person in charge. Not a bad response time.

From there we discussed the issue and I sent over my notes on how to recreate the "free" user. I was assured that this information would go straight to their developers and was of the highest priority. They weren't kidding: within 4 hours the issue was fixed and deployed live.

Overall Thoughts
  • Even the most security-aware organization (Black Hat) can suffer security breaches. Systems are large and complex, and adding in third-party vendor systems can introduce new security weaknesses.
  • Any enterprise leveraging third-party services must either validate the security of these services themselves or review the security reports provided by another qualified security organization.
  • Responsible / intelligent disclosure can work. In this case the company was responsive to the issue and eager to address the security concern.
  • Security researchers enjoy working with companies that also care about security. I wanted to give the company a fair chance to fix the issue. The ability to talk to someone within 1 hour of reporting the issue was very encouraging. Had things not gone so well, I imagine I would be writing a very different blog post at this hour.

The actual vulnerability

A combination of logic flaws and misconfigured systems provided access to a testing login page that could be used with user credentials that were not fully "registered" (i.e. no payment received). I have a more detailed walk-through of the vulnerability which I may release/present in the future.

-Michael Coates

16 comments:

  1. Nice work! I might have been tempted to engage in "delayed disclosure" given the same situation ;)

  2. How did it turn out after everyone was alerted? Did they punt ya or make you pay?

  3. They ended up removing the "test" account and providing an actual account as a thanks for alerting them to the situation.

    I was pleased with their response and handling of the issue.

  4. Nice, looking forward to the details.

  5. Someone there, who used this flaw, or were there other flaws? Someone who ripped all streams and torrented them?
    I'd like to watch some of the presentations. The streams of the CCC (Chaos Communication Congress - annual hacker congress organized by the Chaos Computer Club in Germany) are free of charge :).

  6. Michael,

    Thanks for bringing this to the attention of Black Hat and INXPO. You are correct on the root cause - a mis-configured login page (used for testing purposes) that should not have been made available.

    Thanks to responsible individuals like yourself, Black Hat and INXPO were able to quickly address the issue.

    Dennis Shiao
    Director of Product Marketing, INXPO
    dshiao@inxpo.com

  7. Per custom policy for Black Hat, I am glad that you were rewarded for finding a flaw!

  8. Good job dude! What a really great story and example of how easy it is to access a Website just by putting your thinking cap on and taking some educated guesses. This is a good lesson for everyone. Enlisting the help of some ethical hackers would probably have identified this issue long ago.

  9. Good idea to give him free access to the streams. If he noticed anything else odd in the interface, they have reason to expect that he'd report it.

  10. Michael,

    Good job on discovering this ironic hole. I also like how you handled the disclosure in a responsible way (and how the "vendor" implemented the fix within hours).

    In the end everybody wins.
    Kudos to them for letting you watch the remainder free :)

    Regards,

    Barry

  11. Way to go, the course of action you took is an example of the integrity in the Information Security community that doesn't get much attention. Too often the story is "look what I did", not "what can I do to improve the situation". The motivation for someone to just keep using the vulnerability is likely to be rooted in the confidence that they will simply get away with it. And that's one frustration I have these days with being able to get a response from the "webmaster" e-mail or via the Contact Us tabs that are SOP for websites. Always test the 3rd party's response to e-mail / contact-us addresses and support phone numbers when auditing. Amazing how many don't have a monitored mailbox or have typos / unanswered lines.

  12. I am very much interested in these types of stories, to get all the Black Hat video stream hack stories. I have read your story with great interest.

  13. How come you have to pay this much for the streams, considering fundamental hacker ethics?

  14. What the heck man?!?! You should not post everything that you know on the Internet....idiot

  15. @Barry & @Anonymous (9:35am)
    Thanks. A big component of how I decided to handle this was related to disclosure. There is a big push to better define the right way of handling security vulnerabilities. I hope this situation can be used as a positive example for that discussion.

    @Debt
    I didn't record or publish the streams. That would be contrary to the whole idea of handling this issue responsibly.

    @Anonymous (8:00pm)
    The price of the streams and the price of conference attendance is handled by Black Hat. There is plenty of great free security guidance online. Try owasp.org

    @Anonymous (3:52pm)
    Sorry to see you disagreed with how this incident was reported. However, the only people that would have lost out here are those that were already using the stream without paying.
