So they found a hard-coded API token and no further user authentication to limit the requests. This is obviously a common rookie mistake (didn't Facebook, Snapchat, Instagram all fall for this at some point?) and security software particularly should not have such a basic vulnerability, but I do think TFA veers past security writeup into editorial when they start critiquing the cost/pricing and calling for customers to drop the software, particularly since the vendor was responsive to the report.

It seems like maybe the vendor's communication trailed off toward the end leaving OP with bad feelings which show up in the write-up.

Generally I like to see security research and vulnerabilities reported as a way to document the process used and experience gained, but not to skewer the company except with respect to their responsiveness of a patch.

Of course, everyone here is free to skewer the app as much as they like, I just don't like reading it in the actual write-up.
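The pattern this comment describes, a static API key baked into the app as the only authorization, with nothing binding a request to a user and nothing limiting volume, next to a hardened version of the same endpoint. This is an added example written for this page, not code from the vendor, the write-up or the commenter; the header names, the in-memory session store, the endpoint path and the three-per-minute limit are all assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// appKey stands in for a static key compiled into the app (made-up value).
const appKey = "APPKEY-shipped-in-the-binary"

// sessions: per-user bearer tokens issued after phone verification -> user id (constructed).
var sessions = map[string]string{"sess-7f3a": "user-42"}

// vulnerableHandler authorizes on the static key alone: anyone who pulls it out of the binary can call the endpoint for any user, without limit.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Api-Key") != appKey {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// limiter is a fixed-window counter: at most limit requests per user per period.
type limiter struct {
	mu     sync.Mutex
	limit  int
	period time.Duration
	start  map[string]time.Time
	count  map[string]int
}

func newLimiter(limit int, period time.Duration) *limiter {
	return &limiter{limit: limit, period: period, start: map[string]time.Time{}, count: map[string]int{}}
}

// allow records one request by user at time now and reports whether it fits in the current window.
func (l *limiter) allow(user string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if s, ok := l.start[user]; !ok || now.Sub(s) >= l.period {
		l.start[user], l.count[user] = now, 0
	}
	if l.count[user] >= l.limit {
		return false
	}
	l.count[user]++
	return true
}

// hardenedHandler keeps the app key only as a cheap first filter (constant-time compare),
// requires a per-user session token, and rate limits per authenticated user, not per shared key.
func hardenedHandler(lim *limiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Api-Key")), []byte(appKey)) != 1 {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		user, ok := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if !lim.allow(user, time.Now()) {
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// probe sends one POST carrying headers to h and returns the status code.
func probe(h http.Handler, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/alert", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// demo replays the extracted key alone against both handlers, then the key plus
// a valid session, then a fourth request that exceeds the three-per-minute limit.
func demo() (vulnKeyOnly, hardKeyOnly, hardSession, hardOverLimit int) {
	keyOnly := map[string]string{"X-Api-Key": appKey}
	withSession := map[string]string{"X-Api-Key": appKey, "Authorization": "Bearer sess-7f3a"}
	vulnKeyOnly = probe(http.HandlerFunc(vulnerableHandler), keyOnly)
	h := hardenedHandler(newLimiter(3, time.Minute))
	hardKeyOnly = probe(h, keyOnly)
	for i := 0; i < 3; i++ {
		hardSession = probe(h, withSession)
	}
	hardOverLimit = probe(h, withSession)
	return
}

func main() {
	fmt.Println(demo()) // 200 401 200 429
}
```

The point of keeping the app key at all is only to shed junk traffic cheaply; once it ships inside a binary it has to be treated as public, so every decision that matters (who may send an alert, how often) hangs off the per-user session instead.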
Montana TV station EAS system hacked a few years ago [1]. While I applaud the humor, I am still in awe of how little attention this Orson Welles(ish) episode got.

[1]: https://www.youtube.com/watch?v=TQWtqJylMKQ
This discovery and write-up was an awesome read but I do disagree on the price critique. 70K seems relatively inexpensive for deployment of an app at a state level, let alone development of an app. Proof of concept, perhaps, but what does a full security audit cost these days? If anything I would be concerned that the budget did not include those kinds of factors and should have cost a bit more :)

This article does lead me to wonder if Rave has missed an opportunity - installation of an app on Crestron / Android room automation systems that accomplish similar things. That would take the mobile component out but still have a benefit from a facilities / awareness perspective.
The author says that $70k seems like a lot to build the app.

I don't know how long it took, but depending on the size of the team etc., it sounds pretty cheap TBH - certainly not enough $ there to make something secure and supported.
Interesting technical detail but for me the main takeaway from that was that we're still seeing expensive software systems ($70k per customer) being procured by large numbers of organizations (~2000 customers) to do safety critical work, and still none of them are mandating security reviews as part of the procurement process (or indeed requiring the vendor to have had a review done).

The vulns found here are serious, but any moderately detailed app security review should/would have found them.

Until customers start requiring security reviews for the software they're buying we'll see a load more insecure apps being sold.
Hey, good find but I'm a little confused. It appears that you found what could be a serious issue if no other checks are in place; however, in doing so you appear to have exceeded the access you were provided through the application to their back-end system. Did this fall under a bug bounty program where you had permission to do this or did the company give you written permission? I was looking for a bug bounty program and couldn't find one.

I ask because it looks like you were performing testing which touched their infrastructure, not just your phone, and the US Computer Fraud and Abuse Act gets pretty scary (Felony scary) when it comes to such things:

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

I do a ton of mobile application reviews and find stuff like this quite often but back away at the point I start touching their infrastructure rather than just my phone.
> In order to confirm this suspicion, I decided to proxy my phone’s traffic and attempt registering with the app using dummy phone values.

Am I wrong in assuming that being able to proxy the app's HTTPS traffic is evidence of another security problem, specifically that the app is not validating the server's SSL certificate?
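The question above turns on the difference between validating a certificate chain and pinning. An app that validates normally accepts any chain ending in a root the device trusts, and a proxy CA the tester installed on their own phone is exactly such a root, so proxying by itself only shows the app does not pin. The following is an added example, not code from the post or from the vendor: it builds a "backend" CA and an "intercepting proxy" CA in memory, issues a leaf for the same hostname from each, and runs both checks against a trust store that holds both CAs. The hostname and CA names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and returns a certificate for tmpl signed by parent,
// or self-signed when parent is nil. All material is constructed in memory, so failures panic.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a one-day CA or server-leaf certificate template for name.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin hashes the SubjectPublicKeyInfo into the "sha256/..." form used by HPKP and OkHttp's CertificatePinner.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is ordinary client validation: chain the leaf to any trusted root and match
// the hostname. A user-installed proxy CA is a trusted root, so the proxy's leaf passes.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyPinned is the extra step a pinning app does in its TLS callback: the chain must validate and also contain a pinned key.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain for %s is trusted but contains no pinned key", host)
}

// scenario models a phone whose trust store holds the backend's CA and a user-installed proxy CA, with the app pinned to the backend CA's key.
func scenario() (realChainOK, proxyChainOK, realPinnedOK, proxyPinnedOK bool) {
	const host = "api.example.test" // hypothetical backend hostname
	realCA, realKey := mint(template("Backend CA", true), nil, nil)
	proxyCA, proxyKey := mint(template("Intercepting Proxy CA", true), nil, nil)
	realLeaf, _ := mint(template(host, false), realCA, realKey)
	proxyLeaf, _ := mint(template(host, false), proxyCA, proxyKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(proxyCA) // what installing the proxy's CA on the device does
	pins := map[string]bool{spkiPin(realCA): true}
	realChainOK = verifyChain(realLeaf, roots, host) == nil
	proxyChainOK = verifyChain(proxyLeaf, roots, host) == nil
	realPinnedOK = verifyPinned(realLeaf, roots, host, pins) == nil
	proxyPinnedOK = verifyPinned(proxyLeaf, roots, host, pins) == nil
	return
}

func main() {
	fmt.Println(scenario()) // true true true false
}
```

Plain validation accepts both leaves once the proxy CA is in the trust store; only the pinned check tells them apart. So a proxied session on a tester's own device says nothing about whether the app checks certificates at all. It would be a different matter if the traffic could be intercepted without installing a CA, which would indicate validation was disabled outright.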
Great snooping, and an awesome writeup! As the author points out, organizations should be wary of security even when the developer/publisher claims that it's secure.