Monday, 28 October 2013

My take on Unofficial Spotify access (Under 5 minutes and without tunnel)

Well, after avoiding Spotify for almost a year, the day arrived when I finally had to have Spotify access (don't ask why). That posed a serious problem, as Spotify hasn't yet launched in this part of the world. So what do I do? Google, of course. Quite naturally, all the solutions offered asked you to install some form of proxy/tunnel/VPN service. They might work, but 90% of such free software is malware and I was not in a mood to pay. So, some digging:
  1. You only need to be able to sign up for Spotify from a country like the US/UK. Beyond that it works like a charm.
  2. redirects you to the international page. So I tried replacing "int" in the URL with "us" and it worked :) Don't know why Spotify hasn't blocked this page. Anyway, so far so good.
  3. Now I tried signing up, but it failed as expected. Here is the trick: on opening the network tab, I see a single signup call to register. So if you make the same call from a US IP, you are set :)

Detailed steps (For spoofed US access):

2. Hit F12. This will bring up your developer tools (for Firefox the Firebug console will pop up; click on the Net tab and click Enable).
3. Come back to the main window. Click on "Log In".
4. On the bottom right corner of the login form click "Sign up".

5. Click "Sign up with your email address".
6. Fill in the form and click "Sign Up". Spotify will say "Spotify is not available in your country". No worries :) Go back to the developer tools window and click on the Network tab. Look for the last call (something called signup-for-spotify.php). Right-click on it and click "Copy as cURL". Paste it in a text editor.

7. Now, SSH to a US-based Linux box (List of free shells). Run the curl command that you copied and you should see a message like:
8. Download Spotify from Install and log in using the above credentials. Enjoy :)

Sunday, 12 May 2013

Craziest deal in town

"There are just some things that the universe wants out there"
                                                                                                     - A close friend

   It is amazing how most people think that cyber security involves "firewalls", "encryption", "complex algorithms" and all the other jargon that pop culture has driven into our imagination. While most of it is true for top-notch systems, the weakest link in the chain is usually a careless human being. A careless typecast or a missed sanitisation and BAM, your doors are wide open to the dark evil things of the internet.

Enough said, case in point:

Take a sample search url from groupon:

Which is a valid url and displays the following:

Now add a single quote at the end:'

And voilà, the webpage belches out the entire source code as the response, with analysis:

      Snapshot taken at 5.40 AM, 5/13/2013
   Apparently the exception is thrown for any unrecognized parameter, so it's not a sanity check but a null check. So, important lessons:
  1. Do not print error stack-traces
  2. Do not print error stack-traces to the response of a web request
  3. Have a global handler for catching and filtering any exceptions
  4. Please do not write ugly code (not security related, but in the off chance that you do get caught with your pants down and your source code all over the internet, at least people won't judge you for sloppiness)
     Another major hole that I found in the short time that I poked around: password reset URLs are sent to you over "http", so any friendly neighborhood script kiddie sniffing packets would have your password as you reset it. So you might ask him if you forget your password next time. #FAIL
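To make lessons 1 to 3 and the reset-link point concrete, here is an added example (my own illustration, not Groupon's code) of a minimal request handler in two versions: the leaky one returns the Python traceback as the HTTP response body, the hardened one validates the query parameters first, logs the full trace server-side and hands the client only a generic message with an opaque reference id. The `search_deals` function, its `q` and `page` parameters and the `example.invalid` host are hypothetical and constructed for the example; the reset-link helpers show the https requirement from the paragraph above.

```python
# Added example, not the site's code. Simulates a search endpoint whose
# business logic assumes a 'q' parameter, as a leaky and a hardened handler.
import logging
import secrets
import traceback
import uuid
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("app")


def search_deals(params):
    """Hypothetical business logic. Raises KeyError when 'q' is absent
    (the "null check" from the post) and ValueError on a garbage page number."""
    query = params["q"][0]
    page = int(params.get("page", ["1"])[0])
    return f"results for {query!r}, page {page}"


def handle_leaky(url):
    """Vulnerable pattern: the stack trace is written straight into the response."""
    params = parse_qs(urlsplit(url).query)
    try:
        return 200, search_deals(params)
    except Exception:
        # Lesson 1 and 2 violated: internals (file names, code, values) leak to the client.
        return 500, traceback.format_exc()


def handle_hardened(url):
    """Lesson 3: one global handler. Bad input gets a 400, unexpected errors get
    logged server-side and the client only sees a generic body plus a reference id."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "q" not in params:
        # Real sanity check instead of letting a KeyError surface as a 500.
        return 400, "Bad Request: missing required parameter 'q'"
    try:
        return 200, search_deals(params)
    except Exception:
        incident = uuid.uuid4().hex
        # Full traceback stays in the server log, keyed by the reference id.
        log.exception("unhandled error incident=%s path=%s", incident, parts.path)
        return 500, f"Internal Server Error (ref {incident})"


def build_reset_link(host, token=None):
    """Password reset links must be https so a passive sniffer never sees the token."""
    token = token or secrets.token_urlsafe(32)
    return f"https://{host}/reset?token={token}"


def is_safe_reset_link(link):
    """Check used at send time: refuse to mail a reset link that is not https."""
    return urlsplit(link).scheme == "https"


if __name__ == "__main__":
    for url in ("https://example.invalid/search?q=pizza",
                "https://example.invalid/search?page=1'"):
        print("leaky    ", handle_leaky(url))
        print("hardened ", handle_hardened(url))
```

Note that the hardened version still returns 500 for a genuinely unexpected failure (for example `page=1'`), but the body never contains the trace; the reference id lets support correlate the complaint with the log line without exposing anything.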

     It is a shame that a company like Groupon, which has deep engineering roots, could have such gaping holes. Reiterating what I said before: even before you go on to installing state-of-the-art security, please have your developers write responsible code and, I don't know, maybe do some QA :)

    Fortunately, I could not find the same vulnerabilities in Groupon's main website; maybe the Indian site doesn't use the same source code. I wonder why? Groupon has already been treading troubled waters for quite some time now. Engineering mishaps like these will surely not bolster any support. Hope they find a new CEO soon and, oh yeah, fix these too.

UPDATE: Folks at Groupon have finally taken notice, it seems. They have fixed the particular URL pattern that I posted, but sloppily again, because any other random string still gets a "500 Internal Server Error".

 - 3:19 PM 5/13/2013

DISCLAIMER: This was not a targeted attempt to breach security, more an accidental stumble. The intent of the post is to bring these glaring security holes to notice and not to encourage any malicious activities. A mail was sent to Groupon before this post was published.

CREDITS: To another friend who actually sent me a deal ;)