←back to thread

Taking over 60k spyware user accounts with SQL injection

(ericdaigle.ca)
232 points mtlynch | 1 comments | 03 Jul 25 14:56 UTC | HN request time: 0.223s | source
Show context
mtlynch ◴[08 Jul 25 16:13 UTC] No.44501414[source]

  sqlmap https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0
  ...
  sqlmap identified the following injection points
This was the wildest part to me. I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability.

>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.

I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerablities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.

replies(7): >>44501856 #>>44502507 #>>44502986 #>>44503559 #>>44505103 #>>44506752 #>>44507826 #
sigmoid10 ◴[08 Jul 25 18:08 UTC] No.44502507[source]
>I'd heard of sqlmap but I didn't realize it was so good

The blog correctly explains how it has become pretty useless in our age where noone writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to sql injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run over night on every single piece of data sent to the server and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I'm out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.

replies(1): >>44504499 #
technion ◴[08 Jul 25 22:09 UTC] No.44504499[source]
Ive always admired hn for bringing me people in very different spaces. Of the development teams I've worked with in the last year pretty much all of them were writing injectable code by default. Ive got an email from an executive in a saas telling me they aren't worried because they geofilter china.
replies(4): >>44504713 #>>44504862 #>>44505518 #>>44507307 #
1. fancyswimtime ◴[08 Jul 25 22:45 UTC] No.44504713[source]
what?