23. You’ll Always Be MyBB
Here are a few highlights from each article we discussed:
- Bluetooth is a widely used protocol for exchanging data between electronic devices such as your smartphone and laptop. All kinds of everyday accessories pair over Bluetooth, with headphones and input devices being the most common, and it all happens over very short-range radio.
- The Bluetooth protocol is effectively managed by the “Bluetooth Special Interest Group,” a body made up of over 30,000 member companies from across the tech industry.
- The Bluetooth SIG oversees the standards that third-party companies must meet for their products to be Bluetooth qualified.
- The KNOB attack is one of those attacks that I’m surprised took as long as it did to come out. During the Bluetooth pairing process, two devices negotiate encryption keys to protect their communications from being sniffed or snooped on. The issue is that the key negotiation protocol apparently has no integrity checks built into it. That means an attacker can manipulate the key negotiation to reduce the encryption key’s entropy, or “randomness,” to a single byte, at which point brute forcing every possible encryption key is trivial.
- It’s a downgrade attack, reminiscent of POODLE against SSL 3.0.
- To carry out the attack a couple things have to occur:
- Two devices need to be vulnerable to KNOB.
- Two devices must be establishing an actual pairing session, existing sessions aren’t vulnerable.
- An attacker has to be within close range and have a device that can manipulate Bluetooth traffic, like an Ubertooth One.
- It’s a pretty bad vulnerability on paper. An attacker can theoretically read/write data going over the Bluetooth protocol. Worst case scenario is an attacker intercepting your conversation that happens over your Bluetooth paired headphones.
- According to the researchers that disclosed KNOB, if your device wasn’t updated in late 2018 then it’s likely vulnerable.
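To make the negotiation weakness concrete, here is a small added model of the exchange (it is an illustration written for these notes, not code from the KNOB researchers or from any Bluetooth stack). The message format, the `in_flight` hook that stands in for a man-in-the-middle, and the HMAC-over-transcript check in `authenticated_negotiate` are assumptions for the sake of the example; the 7-octet floor in `MIN_ENTROPY_POLICY` is the minimum key length the Bluetooth SIG recommended after the disclosure. The model shows why an unauthenticated negotiation can be walked down to one byte, how small the resulting key space is, and how either a policy floor or a transcript integrity check catches the tampering.

```python
import hashlib
import hmac
import os

MAX_ENTROPY_OCTETS = 16      # largest key size a BR/EDR link key supports
MIN_ENTROPY_POLICY = 7       # floor recommended by the Bluetooth SIG after KNOB


def key_space(entropy_octets):
    """Number of candidate keys an attacker must try for a key of this size."""
    return 1 << (8 * entropy_octets)


def legacy_negotiate(a_max, b_max, in_flight=None):
    """Unauthenticated negotiation: A proposes its maximum, B answers with
    min(proposal, b_max). Neither message is integrity-protected, so an
    `in_flight` function (our model of a MITM) can rewrite both of them."""
    relay = in_flight or (lambda m: m)
    proposal = relay(a_max)            # A -> B, possibly rewritten
    reply = relay(min(proposal, b_max))  # B -> A, possibly rewritten
    return reply


def hardened_negotiate(a_max, b_max, min_policy=MIN_ENTROPY_POLICY, in_flight=None):
    """Same exchange, but each side refuses any result below a policy floor.
    Returns the negotiated size, or None when the connection must be dropped."""
    result = legacy_negotiate(a_max, b_max, in_flight)
    if result < min_policy:
        return None
    return result


def authenticated_negotiate(a_max, b_max, link_key, in_flight=None):
    """Illustrative fix (an assumption of this example, not the real spec):
    both sides keep their own view of the transcript and MAC it with the
    shared link key. A MITM without the key cannot make the views agree.
    Returns (entropy_a_believes, integrity_ok)."""
    relay = in_flight or (lambda m: m)
    a_sent = a_max
    b_received = relay(a_sent)
    b_sent = min(b_received, b_max)
    a_received = relay(b_sent)
    a_view = f"A:{a_sent}|B:{a_received}".encode()
    b_view = f"A:{b_received}|B:{b_sent}".encode()
    a_tag = hmac.new(link_key, a_view, hashlib.sha256).digest()
    b_tag = hmac.new(link_key, b_view, hashlib.sha256).digest()
    return a_received, hmac.compare_digest(a_tag, b_tag)


def knob_style_downgrade(message):
    """MITM behaviour from the write-up: rewrite every proposal to 1 octet."""
    return 1


if __name__ == "__main__":
    honest = legacy_negotiate(MAX_ENTROPY_OCTETS, MAX_ENTROPY_OCTETS)
    downgraded = legacy_negotiate(MAX_ENTROPY_OCTETS, MAX_ENTROPY_OCTETS,
                                  in_flight=knob_style_downgrade)
    print(f"honest: {honest} octets -> {key_space(honest)} keys")
    print(f"downgraded: {downgraded} octet -> {key_space(downgraded)} keys")
    print("policy floor result:",
          hardened_negotiate(16, 16, in_flight=knob_style_downgrade))
    link_key = os.urandom(16)  # constructed stand-in for the paired link key
    print("transcript check:",
          authenticated_negotiate(16, 16, link_key, in_flight=knob_style_downgrade))
```

Running it shows the honest path lands on a 16-octet key (2^128 candidates), the downgraded path on a single octet (256 candidates), and that the hardened variant returns `None` while the transcript check reports `integrity_ok == False` for the same tampering. The floor alone is what shipped as the practical mitigation; the MAC variant is included only to show what “an integrity check” would buy.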
- It sounds like this incident came to light via social media – users started posting on Reddit and Twitter saying they noticed they were able to see various levels of information for other users.
- Some users said upon refresh they could see the entire credit report for another user, while others were saying that some of the credit information was mismatched but they couldn’t see a name or any other personal information other than credit information.
- Credit Karma has not come out yet to say what caused the issue. One Reddit user questioned if it was only occurring on mobile, and if so, said it was reminiscent of the Chase mobile protocol bug from 2018. However other commenters pointed out they had experienced the error on desktop, which means it was not just a mobile error. It could be an issue with session authentication, meaning the website returned other sessions when refreshing, etc. I think it’s certainly true that it was a technical malfunction in the sense that this was most likely not a malicious thing or a bad actor causing this to happen, but rather something wrong with the website. Of course that does not mean it can’t be exploited by threat actors once it was known. For a brief while Credit Karma was down after users reported this error, but is back up now. Hopefully Credit Karma is open about this error so that users can find out what happened and other sites/companies can verify they don’t have a similar error.
- Users on social media were reporting a wide variety of information being leaked. The Reddit user who actually started the thread about the breach (on the Churning subreddit) said he was able to view someone else’s entire credit report. He actually had enough information about the person to reach out to them via LinkedIn and notify them of the breach. Meanwhile, some other users saw a lot less information – just the credit score or some of the credit information was wrong, while the personal information was still correct. One user noted it was like playing “roulette” – each time he refreshed, he got a different user’s data (and a different amount of it). And some users reported not seeing the error at all. So it was a pretty mixed bag.
- Credit Karma came out and said the malfunction/breach affected only about 0.5% of Credit Karma customers, or about 1000-2000 instances of information being exposed, but we’ll see if that number changes in the coming weeks as they continue their investigation.
- Credit Karma responded pretty quickly to clarify that it was a “technical malfunction” and not a breach, which is a bit of clever and misleading wordplay in my opinion. If another person had access to your credit information, it’s a bit glib to call it a “glitch.” They said they will be notifying anyone who has been impacted.
- Two fairly popular forums, Cracked.to and Raidforums, are involved here. The two overlap heavily, mainly around hacking services, tutorials, and tools for sale, and there is some sort of feud between them.
- Cracked.to got popped, and it sounds like the Raidforums crew are taking responsibility for it. The interesting thing is that Cracked.to is built on MyBB, an open source bulletin board system written in PHP.
- PHP and vulnerabilities go hand-in-hand like peanut butter and jelly. I was digging on my exploit sources, and there are a good amount of weaponized RCE and SQL injection exploits available against relatively new versions of MyBB.
- Remember, attackers make all kinds of horrible security decisions just like the rest of us. They, too, forget to patch, or to use strong hashing algorithms on their passwords.
- According to HaveIBeenPwned:
- Compromised accounts: 749,161
- Compromised data: Email addresses, IP addresses, Passwords stored as bcrypt hashes, Private messages, and Usernames.
- Ars Technica reviewed a 2.11 gigabyte file published by Raidforums and found it contained nearly 397,000 private messages. The details included the usernames, email addresses, and IP addresses of people seeking to buy, sell, or support software or services for cracking accounts for popular video game Fortnite.
- One admin from Cracked.to claimed that someone they knew had access to forum backup databases. The old database used a weak hashing algorithm (MD5), which made the passwords trivial to crack. A couple of months ago the staff switched the database to salted bcrypt, which is really strong.
- What’s super interesting is that one of the Cracked.to staff members said there’d be “consequences” for RaidForums, but has since taken down that comment. I think we can fully expect some form of retaliation, though.
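The “switched to salted bcrypt a couple of months ago” detail is worth unpacking, because a backup taken before a migration keeps whatever scheme was in force at the time. The following added example (written for these notes, not code from MyBB or Cracked.to) shows the usual defensive pattern: keep verifying legacy unsalted MD5 records, and transparently rehash each one with a salted, slow algorithm the first time its owner logs in. Since bcrypt is not in Python’s standard library, the example uses `hashlib.scrypt` as a stand-in; the migration logic is identical with bcrypt. The user table, passwords and the `md5$`/`scrypt$` record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Cost parameters for the strong scheme (scrypt stands in for bcrypt here).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def legacy_md5(password):
    """How the old, unsalted records were stored: identical passwords give
    identical hashes, and MD5 is fast enough to crack at scale."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted, memory-hard hash. A fresh random salt per record means two users
    with the same password get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Check a password against either record format, in constant time."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, fields[0])
    if scheme == "scrypt":
        salt, expected = bytes.fromhex(fields[0]), fields[1]
        candidate = hashlib.scrypt(password.encode(), salt=salt,
                                   n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                                   dklen=DK_LEN).hex()
        return hmac.compare_digest(candidate, expected)
    return False


def login_and_upgrade(users, username, password):
    """Authenticate, and rewrite any legacy md5 record as a strong one on success.
    Returns True when the credentials are valid."""
    stored = users.get(username)
    if stored is None:
        strong_hash(password)  # spend the same time as a real check
        return False
    if not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        users[username] = strong_hash(password)  # opportunistic migration
    return True


def legacy_records_remaining(users):
    """How many accounts still carry a crackable record: the number that matters
    when a pre-migration backup leaks."""
    return sum(1 for record in users.values() if record.startswith("md5$"))


# Constructed sample table: one account still on the old scheme, one migrated.
USERS = {
    "alice": legacy_md5("hunter2"),
    "bob": strong_hash("correct horse battery"),
}

if __name__ == "__main__":
    print("legacy records before:", legacy_records_remaining(USERS))
    print("alice login:", login_and_upgrade(USERS, "alice", "hunter2"))
    print("legacy records after:", legacy_records_remaining(USERS))
    print("alice record now:", USERS["alice"][:14] + "...")
```

The point for defenders is `legacy_records_remaining`: opportunistic rehashing only protects accounts whose owners log in after the switch, so dormant accounts, and every backup taken before the migration, still hold the weak hashes. Forcing a password reset, or wrapping the old hashes inside the new scheme, is how you close that gap rather than waiting for users to return.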
This Week’s Hoodie/Goodie Scale
This Bluetooth Vulnerability Bytes
[Emily]: 4/10 Hoodies
[Tarik]: 6/10 Hoodies
Karma is a Breach
[Emily]: 5/10 Hoodies
[Tarik]: 5/10 Hoodies
Raidforums Cracked More Than a Joke
[Emily]: 1/10 Hoodie
[Tarik]: 8/10 Apple Fritters
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!