
SoylentNews is people

posted by takyon on Sunday August 26 2018, @10:00AM
from the black-badge dept.

Submitted via IRC for SoyCow4408

Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text, a researcher has found. The data trove includes name, email, company, and phone number. The BlackHat 2018 conference badge came embedded with a near-field communication (NFC) tag that stored the contact details of the participant, for identification or for vendors to scan for marketing purposes.

A security expert who uses the online moniker NinjaStyle noticed that, when scanning his badge with an NFC chip reader, he could see his real full name in clear text. However, his email address and other information were not available this way. [...] NinjaStyle started prodding the recommended card reader and decompiled its APK in search of potential API endpoints. He found out that BCard created a custom URL using the badge and event identification values of the badge owner, and he determined how the values were built.

"Though we can prove this in the code shown above, I simply guessed that those values corresponded to the eventID and badgeID parameters by sending the request in Firefox. To my surprise, I was able to pull my attendee data completely unauthenticated over this API," writes NinjaStyle in a blog post disclosing the glitch. These details are sufficient to carry out a brute-force attack that collects the contact details of all BlackHat attendees. The researcher used trial and error to discover that the range for the valid ID data was between 100000-999999, so he could start extracting the details. [...] The researcher was able to contact the BCard maker to disclose the security flaw, which was fixed in less than 24 hours by disabling the leaky API because it was a legacy system.

Source: https://www.bleepingcomputer.com/news/security/legacy-system-exposes-contact-info-of-blackhat-2018-attendees/
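The two design failures in the story are an unauthenticated lookup and a badge number drawn from a space of only 900,000 values. The following added example (not code from BleepingComputer, NinjaStyle or BCard; the real API's path, response format and internals are not known here) models the weak design beside a hardened one, and adds a small log heuristic a defender could run to spot a client walking through consecutive badge IDs. The `/lookup` path, the access-log format and all attendee records are constructed for the example; the `eventID` and `badgeID` parameter names and the 100000-999999 range come from the story.

```python
"""Added example: weak badge lookup vs. a hardened directory, plus enumeration detection."""
import hmac
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed attendee records keyed by a 6-digit badge number (not real people).
ATTENDEES = {
    123456: {"name": "Example Attendee", "email": "attendee@example.com"},
    123457: {"name": "Another Person", "email": "another@example.com"},
}

# Badge IDs lay in 100000-999999 according to the story: every record is
# reachable with at most this many guesses when no credential is required.
LEGACY_KEYSPACE = 999999 - 100000 + 1


def lookup_legacy(badge_id: int):
    """Model of the reported flaw: any caller who presents a badge number gets
    the full record back, with no credential and no field restriction."""
    return ATTENDEES.get(badge_id)


class HardenedDirectory:
    """Three mitigations applied together (assumed design, not BCard's fix):
    - the NFC tag carries an opaque 128-bit token, not a sequential number;
    - a lookup needs a scanner credential issued to authorised vendors;
    - the default response is only the name; contact fields must be requested
      explicitly, so an unneeded scan never hands out email or phone."""

    def __init__(self):
        self._by_token = {}
        self._scanner_keys = set()

    def enroll(self, record: dict) -> str:
        token = secrets.token_urlsafe(16)      # 128 bits; not guessable
        self._by_token[token] = record
        return token                           # this is what gets written to the tag

    def issue_scanner_key(self) -> str:
        key = secrets.token_urlsafe(32)
        self._scanner_keys.add(key)
        return key

    def _authorised(self, presented: str) -> bool:
        # Constant-time comparison against each issued key.
        return any(hmac.compare_digest(presented, k) for k in self._scanner_keys)

    def lookup(self, token: str, scanner_key: str, fields=("name",)):
        if not self._authorised(scanner_key):
            return None                        # unauthenticated: nothing leaks
        rec = self._by_token.get(token)
        if rec is None:
            return None
        return {f: rec[f] for f in fields if f in rec}


# Constructed access-log lines: one client walking consecutive IDs, one scanning
# two unrelated badges as a vendor normally would.
SAMPLE_LOG = """\
198.51.100.7 GET /lookup?eventID=42&badgeID=100000
198.51.100.7 GET /lookup?eventID=42&badgeID=100001
198.51.100.7 GET /lookup?eventID=42&badgeID=100002
198.51.100.7 GET /lookup?eventID=42&badgeID=100003
198.51.100.7 GET /lookup?eventID=42&badgeID=100004
198.51.100.7 GET /lookup?eventID=42&badgeID=100005
203.0.113.5 GET /lookup?eventID=42&badgeID=123456
203.0.113.5 GET /lookup?eventID=42&badgeID=654321
"""


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers in `ids`."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_lines, threshold: int = 5):
    """Return source addresses whose requested badgeIDs contain a run of at
    least `threshold` consecutive values, the signature of an ID walk."""
    by_src = defaultdict(list)
    for line in log_lines:
        if not line.strip():
            continue
        src, _method, path = line.split(" ", 2)
        qs = parse_qs(urlparse(path).query)
        if "badgeID" in qs and qs["badgeID"][0].isdigit():
            by_src[src].append(int(qs["badgeID"][0]))
    return sorted(s for s, ids in by_src.items()
                  if longest_consecutive_run(ids) >= threshold)


if __name__ == "__main__":
    d = HardenedDirectory()
    tok = d.enroll(ATTENDEES[123456])
    key = d.issue_scanner_key()
    print(lookup_legacy(123456))               # full record, no credential
    print(d.lookup(tok, "not-a-key"))          # None
    print(d.lookup(tok, key))                  # {'name': 'Example Attendee'}
    print(flag_enumeration(SAMPLE_LOG.splitlines()))  # ['198.51.100.7']
```

The run-length heuristic is deliberately simple; in production it would sit beside rate limiting per credential and per source, but the point here is that sequential identifiers make enumeration both easy to perform and easy to see in logs, while opaque tokens remove the enumerable space altogether.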



  • (Score: 0) by Anonymous Coward on Sunday August 26 2018, @11:20AM (#726509) (2 children)

    How was this data served by a "legacy system"? It was for the 2018 conference and I doubt they were using some old Linux 2.x box they had lying around simply out of convenience.

    They "fixed" the bug by taking the "system" (aka the website serving this API) offline. I think they are branding that system "legacy" because the 2018 conference is over.

    Security needs to be the foundation of a system, not a random number between 000000 and 999999.

  • (Score: 4, Insightful) by Anonymous Coward on Sunday August 26 2018, @02:07PM (#726548) (1 child)

    I think they are branding that system "legacy" because the 2018 conference is over.

    Clever spin, but that sounds correct.

    This seems a lot like typical IoT products: someone has a "wouldn't it be cool if!" idea and then they do a sloppy implementation. In the end, important security/privacy is compromised while trying to achieve a final result which is nothing more than a gimmick.

    Nobody weighs potential dangers when they are considering their gimmick idea (or the money price they are willing to pay to get it implemented). This is the real problem.

    • (Score: 2, Insightful) by Ethanol-fueled (2792) on Sunday August 26 2018, @06:07PM (#726626) Homepage

      This is the same thing that happens to every major get-together once the rich kids and pretentious tourists take over. The knowledgeable and pure oldheads stop showing up out of disgust, and what you are left with is some phoney overpriced activity for rich kids and other poseurs (who apparently can't design a half-secure widget).

      It happened to Coachella, it happened to Burning Man, and now here we are. I could do better than that with a fucking $10 Arduino Mini.