Showing posts with label Privacy. Show all posts
Showing posts with label Privacy. Show all posts

Thursday 11 February 2021

The "P" in Telegram stands for Privacy

Summary: While understanding the implementation of various security and privacy measures in telegram, I identified that telegram fails again in terms of handling the users data. My initial study started with understanding how self-destructing messages work in the secret chats option, telegram says that "The clock starts ticking the moment the message is displayed on the recipient's screen (gets two check marks). As soon as the time runs out, the message disappears from both devices.
Telegram which has 500 million active users suffers from a logical bug exists in telegram for macOS (7.3 (211334) Stable) which stores the local copy of received message (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat.

Technical analysis: Open telegram for macOS, send a recorded audio/video message in normal chat, the application leaks the sandbox path where the recorded message is stored in ".mp4" file.

In my case the path was (/var/folders/x7/khjtxvbn0lzgjyy9xzc18z100000gn/T/). While performing the same task under secret chat option the MediaResourceData(path://) URI was not leaked but the recorded audio/video message still gets stored on the above path.

In the video proof-of-concept the user receives a self-destructed message in the secret chat option, which gets stored even after the message is self-destructed.
Bonus: The above mentioned version of telegram for macOS stores local passcode in plain text, below is the video proof-of-concept.

Both the vulnerabilities was patched in version 7.4 (212543) Stable and 3000 EURO bounty was awarded. In past I've identified multiple vulnerabilities under Telegram you can read them here. Later today Fri 12 Feb 12:15 PM, CVE-2021-27204 & CVE-2021-27205 was assigned. What next?

Monday 9 September 2019

Telegram addresses another privacy issue

Summary: This is not a security vulnerability its a privacy issue. As I understand Telegram a messaging app focuses on privacy which has over 10,00,00,000+  downloads in Playstore. In this case, we are abusing a well-known feature of deleting messages, which allows users to delete messages sent by mistake or genuinely to any recipient. It was observed that once the message (image) is sent to the recipient, it still remains in the internal storage of the user which is located at  `/Telegram/Telegram Images/`path.

Technical analysis: I found this bug when I was researching about Telegram and MTProto protocol. To demonstrate this bug let's assume two people here, Bob and Alice.

Assume a scenario where Bob sends a message which is a confidential image and was mistakenly sent to Alice, Bob proceeds to utilize a feature of Telegram known as "Also delete for Alice" which would essentially delete the message for Alice. Apparently, this feature does not work as intended, as Alice would still be able to see the image stored under `/Telegram/Telegram Images/` folder, concluding that the feature only deletes the image from the chat window.

The highlighted issue is valid when we talk about Telegram "supergroups" as well, assume a case wherein you're a part of a group with 2,000,00 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete, by checking "delete for all members" present in the group. You're relying on a functionality that is broken since your file would still be present in storage for all users.
Aside from this, I found that since Telegram takes `read/write/modify` permission of the USB storage which technically means the confidential photo should have been deleted from Alice's device or storage.

Comparison: A compete, app for Telegram which is WhatsApp also has the same feature to "Delete for everyone". If you perform the following steps mentioned above in WhatsApp it deletes the confidential photo from Alice's `/Whatsapp/Whatsapp Media/Whatsapp Images/` folder and maintains the privacy however Telegram fails. WhatsApp takes the same permission when it comes to storage which is `read/write/modify`.

This issue could have a bigger impact and I am not sure how far this was in place; the word privacy of Telegram fails here again, and users trust against the Telegram is at risk.

Video PoC:

Affected version: I have tried this with the latest stable version (5.10.0 (1684)) of Telegram for Android. I haven't tried this with Telegram for iOS and Telegram for Windows but assuming this issue would exist on other these platforms.

Responsible disclosure: I submitted this to Telegram sec-team via security[at]telegram[dot]org and a fix was pushed in the latest version of Telegram 5.11. Also €2,500 was awarded by Telegram.

Other Workaround: The alternative solution would be to utilize the feature of "New Secret Chat" in Telegram where no such traces are left.

References: Picture used above credit and source[1]. Download the PDF version of this article[2]. Later CVE-2019-16248 was assigned to this issue.

Thursday 9 August 2018

A bug that affects million users - Kaspersky VPN

Hi Internet,

The issue exists in Kaspersky VPN <=v1.4.0.216  which leaks your DNS Address even after you're connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leaks ?
In this context, with "DNS leak" it means an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPN which comes with 1,000,000+ tier downloads in android market, however it was observed that when it connects to any random virtual server still leaks your actual DNS address, this issue was reported too Kaspersky via Hackerone.

Steps to reproduce:
1. Visit IPleak (Note your actual DNS address).
2. Now, connect to any random virtual server using Kaspersky VPN.
3. Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.

I believe this leaks the trace's of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.

“Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.

The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhiraj under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe."

However, this was featured on TheRegister and BleepingComputer.


Saturday 28 April 2018

Facebook, Friend or Evil ?

Hi Internet,

During checkout from faasos, I observed that their are several request going to facebook, which carries your faasos detail's without user's consent, Facebook closed my report saying "Unfortunately what you have described is not currently covered by this program, We will follow up with you regarding any questions we may have." (Data Abuse BBP).
Img Src:
So, lets get started,
You will be aware with the "Cambridge Analytica" case of Facebook,  and after that Facebook launched "Data Abuse Bounty Program" - 9th April 2018.

Well, we all are aware that we have been tracked from years! Whatever we search on the Internet no matter what object it is, in a day or hours it will be on your suggestion or any advertisement banner.

This is the most recent example : Google is always listening: Live Test

I really love eating veg warps from faasos and it was normal day when I did checkout and ordered few of them, however I have a very bad habit of capturing packets.

What I observed was, there were few `GET` & `POST` request of facebook as well in between checkout of faasos at that time I didn't pay much attention on it. On same day, I created a test account on faasos to dig more and clicked on some random wraps, went till checkout and guess what I was still able to see those Facebook request.

I cleared all my history, cookies etc. for the entire day, and thought of doing again, All the request start from login to faasos, and browsing your items in it.

Goes only to `*` based asset but as soon as you press checkout a `GET` request goes to Facebook which carries my juicy information of faasos which also include my ordering details.(Strange) Apart from that, I start getting suggestion on my facebook wall regarding faasos.

Okay, then I thought of reporting it to Facebook under Data Abuse Bounty Program and we had a long discussion about this, they(Facebook Security Team) also told me to connect with Faasos Security team and I did the same.

However Faasos security team are not much active but they finally replied me after 4-5 days saying
"Hey Dhiraj, This tool helps us understand customer better and show them more appropriate adverts."

I asked them specifically about tool and where it is been deployed and what all it collects - No reply yet, that's bad I "personally"  feel Faasos been a data-broker over here. While collecting such info Faasos don't even take user's consent. I have seen many application's which take users consent for such things.
The image might not be clear please visit :
And they also offer you to Opt-out from not been track. Pheewww! Now, I understand how all these things work!
That gives lot more understanding of my bug as well, or specifically look the above video from 3.47.25 to 3.51.40 Mins.

On safer side, I would suggest you to enable "Do Not Track Me" on your browser.
Video PoC of my Bug: Facebook Tracking PoC via Faasos.  I hope you like the read. Tweet me your views @mishradhiraj_