HackerTrans
TopNewTrendsCommentsPastAskShowJobs

x1sec

no profile record

Submissions

A friend asked me to find out why his lightbulb app was asking for his location

twitter.com
3 points·by x1sec·3 anni fa·0 comments

comments

x1sec
·2 anni fa·discuss
Could you describe the smell?
x1sec
·3 anni fa·discuss
By "extensibility" does this mean the ability to write your own extensions? Being able to develop and contribute plugins back to the community (similar to Burp's BApp store) could really accelerate the competitiveness of Caido up against Burp.
x1sec
·3 anni fa·discuss
Caido[1] a interception proxy written in Rust, is positioning itself as a "lightweight" alternative to Burp. It can't compete yet with Burp in terms of functionality, although the product is certainly looking promising.

Perhaps the only contender to Burp in respect to functionality/features is ZAP[2].

EDIT: You can run your own collaborator type setup with Project discovery's interactsh[3].

Further EDIT: A downvote might be because of the mention of Rust / closed source - this is explicitly mentioned because a large pain point for Burp is it's a Java memory hog. If Caido was written in C++ with Qt, this fact would be notable for the exact same reason.

[1] https://caido.io/

[2] https://www.zaproxy.org/

[3] https://github.com/projectdiscovery/interactsh
x1sec
·3 anni fa·discuss
This is not a new plugin; it (and similar extensions) have been available for Burp and a staple for testers for a few years now.

Automating authorisation checks has less to do with novelty seeking and more to do with the practicalities of ensuring adequate coverage within the assigned engagement time frame.
x1sec
·3 anni fa·discuss
In the Q&A section, the speaker remarks:

"There is a part of the talk where I am trying to perform a little bit.. the thing that I'm also talking about. My background is in art .. and we always try to think about form and content being kind of the same thing.."

Thoroughly entertaining, well executed.
x1sec
·3 anni fa·discuss
Perhaps a physical switch that connects or disconnects the electrical signal from the microphone to the handset could be a more convenient approach.

There is a photo of Mark Zuckerberg with a cut off 3.5mm jack plugged into his laptop - likely to achieve a similar outcome.
x1sec
·3 anni fa·discuss
How frequent?
x1sec
·3 anni fa·discuss
In a week, a lot of data can be exfiltrated. Then after you have rebooted, the threat actor reinfects your device.

Frequently rebooting the device can’t hurt but it likely isn’t going to prevent a threat actor from achieving their objectives.

The best mitigation we have is to enable lockdown mode.
x1sec
·3 anni fa·discuss
A port of the tutorial's Pascal code to C which emits x86 assembly:

https://github.com/lotabout/Let-s-build-a-compiler
x1sec
·3 anni fa·discuss
> Of course it is quite common to need to read it

This is a notable differentiation - Writing assembly is a different skill to reading it from a disassembly. Reverse engineering, malware analysis etc. does not inherently require you to be able to write asm, although it certainly would help.
x1sec
·3 anni fa·discuss
SSID / BSSID is often enough to pinpoint the location. Recently someone debated this with me, so I asked him what his wifi AP name was, then proceeded to provide their home address.

How? By searching it in https://wigle.net.

That ended the debate quite swiftly.
x1sec
·3 anni fa·discuss
Recently having stumbled across the VSCode shellcheck plugin[1] - it's been particularly educational as it provides not only corrections but improvement tips. For example the common practice of:

if [ $? -ne 0 ]; then

Will get flagged and an improvement will be suggested with an explanation on why [2]

[1] https://marketplace.visualstudio.com/items?itemName=timonwon...

[2] https://www.shellcheck.net/wiki/SC2181
x1sec
·3 anni fa·discuss
Cal Newport, the author of 'Deep Work'[1] releases frequent content on Youtube [2] that attempts to address the kind of challenges expressed by the author.

[1] https://www.goodreads.com/en/book/show/25744928

[2] https://www.youtube.com/@CalNewportMedia
x1sec
·3 anni fa·discuss
Pikuma has a 25 hour “NES Programming with 6502 Assembly” that is both accessible to beginners with little to no prior knowledge and being packed with content. [1]

He also has other interesting courses which touch upon “retro” programming in a very accessible manner. [2]

[1] https://pikuma.com/courses/nes-game-programming-tutorial

[2] https://pikuma.com/courses
x1sec
·3 anni fa·discuss
I'm not sure if either of you will read this message - I kept my word and looked into the app

https://twitter.com/haxrob/status/1673874637632196608
x1sec
·3 anni fa·discuss
I'm confused by what you mean here, could you elaborate?

For clarification - you purchase the hardware then you are required to download the phone application. You find this app by scanning the QR code printed on the physical device's box. This app is free. It does not link to a premium version.
x1sec
·3 anni fa·discuss
> The article seems to be suggesting the device itself is gathering data and reporting back covertly ... but I believe it's just the AMap library included by the app developer doing its thing.

If this is the take away, then I need to think about how I have phrased things. The GPS co-ordinates are sent two separate companies:

1) The Bluetooth device developer (bm2.quicklynks.com)

2) AMap (dualstack-cgicol.amap.com)

Looking at the decomplication and HTTP REST messages, it is very clear the app developer is deliberately sending GPS to their servers. They send a JSON object with the battery voltages, bluetooth device address and lat/lng in the same request.

The cell data, wifi beacon data - this is exclusively collected by AMap services and is not apparent without investing significant time reverse engineering their SDK.
x1sec
·3 anni fa·discuss
Hey thanks, Daneel - A bit of accountability always helps!
x1sec
·3 anni fa·discuss
Google do offer Android app developers guidance in this regard:

https://developer.android.com/guide/topics/connectivity/blue...
x1sec
·3 anni fa·discuss
> They will kick you out the store if they detect you're lying about the permission

You have to wonder how long this app never got taken down. Permissions declared in the manifest do not always equate to them being used.

Google could cross reference the privacy statement that the developer published against the manifest. That would have got it flagged.

The actual code that calls android.content.Context.checkCallingOrSelfPermission() obfuscates the permission strings in many places - bypassing static code analysis checks.