Of Web Apps, Smartphones and Data Leaks

René Pfeiffer/ October 6, 2011/ High Entropy

Just digging through the backlog of the past days. Someone shot me a quick link to a web site showing an administrative interface. I failed to see the significance right away, because the link was sent by chat with an URL obfuscator shortener. I know discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. Apparently they found the addresses of Austrian police staff online. The claim is that the data was sitting on a web server and could be downloaded simply by guessing links. Yesterday the Austrian Chamber of Commerce confirmed a data leak covering more than 6.000 data sets of customers (400 of them complete with bank accounting information). The data leak looks like a web server „glitch“, too. AnonAustria referred to Google and pointed out that search engines might have found the data before hackers did.

While it is difficult to gather the exact nature of the data leaks, it is very certain that web servers were involved. It really doesn’t matter if it was just a simple download link (which is worse than an attack on the web server system itself since it can be easily avoided) or an elaborate attack through injection and exploiting web server code. The fact it that somehow critical information was exposed by servers to the web. If you do this intentionally, because you have a portal or some kind of login for a members-only area, then you have to do it right. There’s no switch for enabling security. You have to make sure that your portal and the application(s) you are going to use work and do what they’re supposed to do. The workshops The Art of Exploiting Injection Flaws and Web Hacking – Attacks, Exploits and Defense are recommended for you then.
If you slap web capabilities to your SAP platform, then you might want to consider taking a look at the SAP Security In-Depth workshop.

Speaking of data leaks, I also talked to journalists about smartphones yesterday and today. Given the news about security flaws both in the mobile phone networks and the devices themselves the typical smartphone doesn’t look like a safe place to store data. Rereading the description of the HTClogger logic bomb is a perfect illustration for this claim. Given the capabilities of HTC’s logging suite virtually all interesting data is accessible to rogue applications. Even if you apply conservative permissions to this application (access to the Internet in this case), then you cannot prevent the data leak. Judging from the technical description not even the use of encryption might prevent data leaks (I’d like to see whether apps like TextSecure are accessible from HTClogger tools). The options seem to be limited. Given the complexity of devices there are probably bugs like this one on other gadgets, too. If technology breaks down, then you can always retreat to using polices. The questions is which data will be allowed to stay on the phone risking exposure to bugs, malware and „features“. Most users of smartphones are reluctant to give up habits and convenient ways of dealing with messages, phone calls and other benefits provided by their personal phone assistants.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.