Just to make the story complete... :-) I had already informed WaveSecure about the security leak they have on their blog long before I actually did any work to prove my case. I told them that there was a leak and they would not even listen.
The discussion is from this thread on their website. However, I think they might remove it soon...
UPDATE: I can hardly imagine what happened: ALL MY COMMENTS THAT YOU SEE IN THE THREAD BELOW WERE REMOVED FROM THE THREAD ON THEIR SITE - IT JUST SAYS "COMMENT REMOVED". THIS IS PURE CENSORSHIP.
Watch what happened... and (sadly) enjoy:
ME: hey guys - you said you're fetching the settings from the server automatically upon hard reset. Now what? The phone has been reset - so no user specific data is stored on the phone. How does WaveSecure authenticate to the server? It has no password or other unique data to tell to the server. Does this mean that basically EVERYONE can download that data from your servers? Seems like a big SECURITY LEAK - "download data of everyone from wavesecure servers for free"? Please advise.
REPLY BY WS (PRASHANT): The data is fetched based on the IMEI of the phone. The data we are talking about is the data for the app to work and not your personal data. The personal data can be restored only from within the application which requires you to authenticate yourself with your PIN.
ME: OK, please describe exactly which data will be fetched from the server in that insecure way. I want to understand this.
ME: No answer - strange. Can you please answer my question: which data will be fetched from the server once the hard reset is done? How will WaveSecure authenticate to the server? I want to make sure that you are not creating a security leak to my phone - please reply.
REPLY BY WS (PRASHANT): I'm not sure why you consider this insecure. The connection is made over https and only the application knows how to fetch this data from the server using the IMEI of your phone. The data that is fetched is for the application to get activated on the phone so that it can continue to receive commands from the server. Things such as buddy list, PIN hash and internal communication data are fetched. All of this data is encrypted and stored in the database of the application.
Can you provide us with a use case where you think this can be exploited?
ME: Dear Prashant - I think you guys implemented the biggest security hole I can imagine. As you know for sure, applications can be reverse engineered. So the algorithm for how to fetch the data can easily be found out. Also the IMEI (your only authentication tag) is known to an attacker. The attacker will implement a small program that will authenticate to the server using your authentication algorithm and the IMEI. The program will then get the PIN hash!! I think WaveSecure will authenticate to the server using the PIN hash to download backup data... so the attacker can then download backup data from the servers just by knowing the IMEI of the phone.
NO REPLY BY WAVESECURE (LEAK STILL OPEN)
OTHER USER: Dear Prashant,
Is it really a security hole ?
Also I was reading http://www.cidway.com/default.asp?PageID=250.
Could you see if the present security mechanism could be improved ?
NO REPLY BY WAVESECURE (LEAK STILL OPEN)
ME: ACTUALLY I WAS RIGHT - WaveSecure HAS a major security leak. And no: the PIN is not transmitted as a hash - it's PLAIN TEXT. I thought that, as there was no reply anymore... :-)
check out http://bit.ly/cF9rKe for more details
LEAK NOW CLOSED... BUT NOT A SINGLE STATEMENT BY THEM. SAD.
So long - I think that's my last post. Got other things to do! :-)
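To make the design point in the thread concrete, here is an added illustration written for this post; it is not WaveSecure's code and makes no claim about how their server was actually implemented. It models a re-activation endpoint two ways: the weak form described in the replies above, where the IMEI (a device identifier anyone nearby or any app on the phone can read) both locates and "authenticates" the record and the PIN hash is shipped back to the device, and a hardened form where the IMEI only locates the record, the user must present the PIN, the PIN is verified on the server against a salted, slow hash that never leaves the server, and repeated failures lock the record. The class name, the sample IMEI and PIN, and the buddy-list values are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the example; the IMEI is a made-up number,
# not a real device.
SAMPLE_IMEI = "490154203237518"
SAMPLE_PIN = "4821"
SAMPLE_BUDDIES = ["+15550001111", "+15550002222"]

PBKDF2_ROUNDS = 100_000   # slow hash so a leaked record is costly to brute-force
MAX_FAILURES = 5          # lock the record after this many wrong PINs


class ActivationServer:
    """Hypothetical server-side store for per-device activation data."""

    def __init__(self):
        self.records = {}   # imei -> {"salt", "pin_hash", "buddy_list"}
        self.failures = {}  # imei -> consecutive failed PIN checks

    def register(self, imei, pin, buddy_list):
        """Store the activation data. Only a salted, slow hash of the PIN is kept."""
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.records[imei] = {
            "salt": salt,
            "pin_hash": pin_hash,
            "buddy_list": list(buddy_list),
        }

    def fetch_by_imei(self, imei):
        """Weak design, as described in the thread: the IMEI is the only thing
        the caller has to know, and the PIN hash is part of what comes back.
        Anyone who knows the IMEI gets the whole record."""
        rec = self.records.get(imei)
        if rec is None:
            return None
        return {"buddy_list": rec["buddy_list"], "pin_hash": rec["pin_hash"].hex()}

    def fetch_with_pin(self, imei, pin):
        """Hardened design: the IMEI only selects the record. The caller must
        prove knowledge of the PIN, which is checked here with a constant-time
        comparison; the hash itself is never returned, and a locked record
        answers exactly like a missing one."""
        rec = self.records.get(imei)
        if rec is None or self.failures.get(imei, 0) >= MAX_FAILURES:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["pin_hash"]):
            self.failures[imei] = self.failures.get(imei, 0) + 1
            return None
        self.failures[imei] = 0
        return {"buddy_list": rec["buddy_list"]}


if __name__ == "__main__":
    server = ActivationServer()
    server.register(SAMPLE_IMEI, SAMPLE_PIN, SAMPLE_BUDDIES)
    print("weak:    ", server.fetch_by_imei(SAMPLE_IMEI))
    print("wrong PIN:", server.fetch_with_pin(SAMPLE_IMEI, "0000"))
    print("right PIN:", server.fetch_with_pin(SAMPLE_IMEI, SAMPLE_PIN))
```

The difference that matters is what the server demands before it answers: in the weak form the only "secret" is a public identifier, so the HTTPS transport protects nothing of value, while in the hardened form a hard reset can wipe the phone completely and re-activation still requires something only the owner knows, with the server (not the device) deciding whether the PIN is right.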
Shocking.
Thanks for uncovering this. It's pretty sad that they don't reply, but at least the leak got closed.