←back to thread

Taking over 60k spyware user accounts with SQL injection

(ericdaigle.ca)
229 points mtlynch | 1 comments | 03 Jul 25 14:56 UTC | HN request time: 0.253s | source
Show context
mtlynch ◴[08 Jul 25 16:13 UTC] No.44501414[source]

  sqlmap https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0
  ...
  sqlmap identified the following injection points
This was the wildest part to me. I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability.

>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.

I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerablities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.

replies(7): >>44501856 #>>44502507 #>>44502986 #>>44503559 #>>44505103 #>>44506752 #>>44507826 #
1. tonyhart7 ◴[09 Jul 25 09:12 UTC] No.44507826[source]
this php webserver, its no wonder