I’m in ur 4sq, snarfin ur password — Part I
Hi, my name is Zach, and I’m a Foursquare user. If you’re not familiar with Foursquare, it’s a location-based social network and game (of sorts). Users “check in” to venues and, based on their activity, unlock “badges” and/or become “mayor” of that particular venue. Opinions of the service aside, I’m here today to highlight some issues pertinent to security (and possibly privacy) discovered in the official Foursquare mobile applications, including those running on the Android, iPhone, and BlackBerry platforms. These findings are, to some degree, part of the larger picture of mobile application security, especially with the <marketspeak> rapid convergence of mobile and web technologies. </marketspeak>
One day, during the course of continuing my Foursquare mayorship of the local bagel shop, I decided I’d go ahead and casually glimpse at what Foursquare was doing on my Android handset. I nohup’ed tcpdump in a terminal session, “checked in” to said bagel shop, and enjoyed my breakfast. Upon returning home, I copied the packet trace from my handset and analyzed it in Wireshark. Amidst the XML flying back and forth between the client and server, I noticed this:
GET /v1/checkins?geohacc=10000.0 HTTP/1.1
User-Agent: com.joelapenna.foursquared 2010011401
Host: api.foursquare.com
Connection: Keep-Alive
Authorization: Basic emFjaEBzb21lLnRsZDpteXBhc3N3b3JkWhat’s troubling here is the “Authorization” header, and the first parameter, “Basic”. In the case of “Basic” authentication, the client typically provides its credentials in the form of a username and password, which are concatenated together, separated by a colon, then encoded using Base64. For example, a username of “jrhacker” and a password of “secret” becomes “jrhacker:secret”. This is then Base64 encoded, resulting in “anJoYWNrZXI6bXlwYXNzd29yZA==”. Of course, Base64 encoding is only that — encoding. Using the Base64 encoded string from snippet above, it’s quick and easy to get credentials:
quine@durandal% echo "emFjaEBzb21lLnRsZDpteXBhc3N3b3Jk" \\
| openssl enc -base64 -d
zach@some.tld:mypasswordSo, effectively, the official Foursquare application for Android utilizes HTTP Basic Authentication over a plaintext transport (HTTP). Attacks against the cellular network notwithstanding, the credentials are still fairly safe so long as they’re not going over WiFi. However, most WiFi enabled handsets will give priority to WiFi connections when they’re enabled, meaning the user’s credentials would be exposed to trivial sniffing attacks. I’ll recreate this simple Foursquare scenario and dive just a bit deeper after the bump.
(Note: image annotations in yellow)
I start by gathering a bit of information about my current connectivity. Only the cellular radio is enabled (WiFi is disabled):
And, after firing up a shell to the device, using the Android Debug Bridge, I verify that rmnet0 (the cell radio adapter), has address information:
Next, I run tcpdump, listening on the rmnet0 interface, and filter for the IP address 174.129.33.12 (which is the address of api.foursquare.com):
Finally, I open up the Foursquare application and login:
Returning to the tcpdump session, I see the Foursquare client using HTTP Basic Authentication (click for larger size):
Once again, the Base64-encoded string is easily decoded:
quine@durandal% echo "ZXZpbHNxdWFyZUBuMHdoZXJlLm9yZzpnb29kdmlzaW9u" \\
| openssl enc -base64 -d
evilsquare@n0where.org:goodvisionAs mentioned previously, WiFi connections are often given priority over cellular connections, so it’s time to verify whether the Foursquare app for Android will follow this logic. First, I enable WiFi and check that I’ve got proper addressing:
Repeating the steps from before, I start up tcpdump, this time listening on tiwlan0, and login to Foursquare:
Inspecting the second tcpdump session, I see that Foursquare gave preference to the WiFi adapter, and, of course, sent credentials using HTTP Basic Auth:
Should this exchange have occurred over a publicly-accessible WiFi network such as a cafe or, say, a hacker con, that Base64-string (and the credentials it’s “hiding”) would be up for grabs. And who knows what sort of venues I’d be checked into after that? <g>
In Part II, I’ll go a bit more into the code side of things, a root cause of this discovery, and remediation.
Post a comment or leave a trackback: Trackback URL.
12 Comments
AWESOME!
Great point, but this is pretty common with many mobile apps, as implementing OAuth in native apps on phones is sort of tricky (even for users): http://techrudite.com/2010/http-basic-in-mobile-a…
I just want to say "WOW" quine. Excellent analysis!
Firoze, thanks for the comment. You're right, OAuth *can* be tricky (and even a "headache" for some developers to implement). And, yes, we've seen a myriad of applications, mobile and otherwise, that implement HTTP basic auth — there was even a big stink about a year ago over TweetDeck using Basic Auth over plaintext HTTP (but everyone still used it). As mentioned in the post, Part 2 will discuss more about some fundamental issues, including OAuth.
"Basic Auth over plaintext HTTP" is really the key here, to me. If they were at least doing this over SSL (which I believe was TweetDeck's solution – switch to SSL, not OAuth), it would mitigate some level of concern until they could take the time to do it the right way with OAuth.
I found a similar issue with the way Squarespace was handling my website’s Admin account password.
I gave them a full report about it last year. Posted about it on my blog. Got so little response from readers and Squarespace that at first I was surprised and then shocked. They really didn’t seam to see that handling user passwords this way, and for that matter website admin user passwords, was any risk and saw no need to resolve the problem. In the end I gave up the call for action and just took steps to protect my own account. If anyone is interested here is the link to my blog that details what I found: http://j.mp/bPScL3
Thanks for the comments Paul. Yes, we've been doing mobile application security work since Intrepidus started.. this is really par for the course. (unfortunately)
We are in the early infant stages of uncovering all the problems. It's not easy because each platform, (windows mobile, rim, iphone, droid, webos, brew, etc…) has it's own API and it's own way of doing things. Then throw in the handsets themselves… even inside the platform not every handset has the capabilities needed to make use of security features. So that forces developers to roll their own solutions — and <emril> BAM! </emril> it's security like it's 1999 all over again. clear-text everything, base64, homemade XOR obfuscation, shared symmetric key on a handset because "no one will ever jailbreak the handset."
Thanks for reading our blog!
-Intrepidus
Great article.
Your code listings are a bit confusingly formatted, because they make it look like the credentials are an argument to openssl rather than something printed by openssl.
For instance, take the first one where you have 'echo "emFjaEBzb21lLnRsZDpteXBhc3N3b3Jk" | openssl enc -base64 -d zach@some.tld:mypassword'. There is no newline after the '-d' and before the 'zach@…', which makes it look like you need to know zach's password to decode the string 'emFja..'. That's misleading — actually, decoding 'emFjaE…' yields 'zach@…'.
So you might want to adjust the formatting.
@anon:
Seems to be a bit of an issue with consistency in that particular custom style we use (for code blocks/snippets). We'll look into it. Thanks for the comment and the heads up!
foursquare.com (the regular website) just transmits both in cleartext…Hurray for security
Just a short comment. You can append a newline so that the output of base64 -d is clean by using && echo. You also don't need to use openssl. So, for example:
$ echo "emFjaEBzb21lLnRsZDpteXBhc3N3b3Jk" | base64 -d && echo
zach@some.tld:mypasswordsome
$
You presume (incorrectly) that command is available on my box :>
3 Trackbacks
[...] This blog post which is making rounds on Twitter tonight highlights a problem with FourSquare, which sounds pretty scary. But if that’s scary, you should see what most of the other APIs look like that mobile apps (including many iPhone and Android apps) use. This problem is a lot more common than people may realize. [...]
[...] I’m in ur 4sq, snarfin ur password — Part I [...]
[...] fake check-ins trivial. But Foursquare also uses HTTP Basic authentication, meaning an attacker could steal logins sent over open Wi-Fi [...]