Revenge of the Geeks: Hacking Fantasy Sports Sites – Dan Kuykendall

Alright, thanks. So yeah, Dan Kuykendall. I'm the co-CEO and CTO of NT Objectives. We do web app scanning; our key product is NTOSpider, and we focus mostly on web apps, but we've been branching out into dealing with mobile, so a lot of this talk is really going to be about dealing with a lot of the mobile apps. I blog over at manvswebapp.com and podcast off of there as well, so feel free to check that out.

This talk is titled "Hacking Fantasy Sports," but it's really much more than that. It's really about a way of starting to attack a lot of the newer apps that I'm seeing. So we're going to go a little bit over some mobile hacking 101, then I'll cover the seven deadly sins and get into those, then I'll show you some hacks that I've actually done against various mobile apps, and we'll wrap it up.

The first part is just understanding how to do mobile hacking, where to really start, and how you get set up for this. One of the things that I really encourage is to look beyond the device in your hand. A lot of people are focused on the mobile binaries, and there's some privacy information, there's some local storage issues they have, but by and large I don't think it's as interesting as what's going on behind the scenes. Usually these apps are talking to a server, and that's really what I want to look at. So that's what we're going to break down: how to start looking at that traffic, what it looks like, understanding the session management issues, and then starting to do the hacks.

The first step is to just get in there and start looking at the traffic. One of the best ways that I've found is the Wi-Fi Pineapple. This is a very portable little device. This is the older version, the Mark IV; the Mark V is the one with the two antennas. But this little guy is a very portable Wi-Fi hotspot that's running a little Linux platform. The setup I use is this: I've got my little Wi-Fi hotspot from my mobile network provider, I take that with my laptop running Burp proxy, hook up the Wi-Fi Pineapple, and now I can start broadcasting as, like, "AT&T Wi-Fi" and start offering real internet access from my device. So I'll sit down, I'll set this up at the mall and turn it on, and all of a sudden tons of devices start connecting to me. One of the nice features of the Wi-Fi Pineapple is Karma mode, where you can set it up to listen for any other connections: if a device is probing for an SSID, looking for its home network or whatever, it'll actually respond and say, "Sure, that's me." So you get all kinds of devices connecting to you with the Pineapple. That's a fantastic way to do it, very portable. To set this all up takes a few little Linux commands to set up a transparent proxy so you can force all of the traffic through. By the way, my slides will be posted online if anybody wants those. It's pretty easy to route all the traffic to my box where I'm running my Burp proxy, so all the port 80 traffic and all the 443 traffic is going through me. So I'll sit down at the mall with this, get all these devices connecting, and just sit there watching and saving everything that I'm seeing. Then I'll go home later and use this data to analyze what's going on, see what sessions I can take over, all kinds of stuff. We'll get into that.

I'm going to be giving away a few of these Wi-Fi Pineapples, I think two or three of them. So if anybody brings me their card (if you don't have a card, write down your name and email address), just drop it off up here, either now or after the talk, and I'll be giving away a couple of these. We'll draw from a hat, kind of thing.

So when you start looking at the traffic, you have to figure out what you're looking at. A lot of these formats are different. A lot of us are used to web apps and the standard name=value form format that we see in web apps. That's what we're used to looking at: taking that and doing various attack payloads, trying to do standard web security attacks. We'll still see some of that format, but with mobile apps we start having a lot of new traffic out there, a lot of new formats. You'll still see name=value, but you'll start seeing a lot of JSON traffic, REST, AMF. I'm going to get into some of these here, but you start to see new formats and you have to start understanding what they are and how to deal with them. They're really not that complicated, but you have to get comfortable with them; once you get comfortable with them, it's easier to start attacking.

JSON is probably the most popular one you're going to see. JSON is kind of like XML in that you can have very nested structures. We refer to it as the fat-free alternative to XML. It's a very lean way of sending the traffic, by far the most popular for mobile apps. You see this with Ajax apps when they talk to their back ends; you see JSON in a lot of places. It was originally created for JavaScript, but now it's just used as a good format. Normally what you'll see is like on the bottom here: it's usually one long string that may look scary, but it's really easy to understand. Up on top I formatted it, so it makes it very easy to see that it's a nested data structure, and there's lots of data that can be passed along in there very conveniently. So when it gets parsed, it's in a nice little multi-dimensional array or a struct or something; it's nice to deal with. JSON can be sent in different places: you could see it being sent as a parameter in the standard name=value format, passing in the JSON; you see it in POST data; you'll see it in different areas, people plug it in anywhere. But once you look at it and start getting comfortable with it, it's easy enough to deal with, because ultimately there are still parameters being passed to the back end.

Then you have REST. We hear about REST a lot: RESTful URLs, RESTful web services. REST is not a specific standard; it's just a style of doing things, making things easy to look at from a human view and deal with, and having programmable, usable data. In many cases you can see RESTful URLs like up on top, where the directories are actually just parameters. You'll see a mix of it with classic formats. It'll be sending back XML sometimes, it could be sending a CSV response; the responses can vary. Sometimes you'll see it mixed, where you send a classic name=value pair as your GET and you receive JSON coming back. RESTful back ends can do a number of things. Google Web Toolkit has got its own structure where it's actually just value|value|value, and then it usually responds with JSON coming back. So all these formats are going to look a little funky. It looks a little different than what you're used to in standard web security and web app testing, but the idea here is just to get comfortable with it; it's not too big a deal.

One that is a little odd is AMF. This is the Adobe Messaging Format, or ActionScript Message Format; it's what the native RPC format for Flash and Flex apps is. The thing that's nice is there are decoders in just about any programming language you're going to need. Normally you're going to have a web page that's loading up a SWF file, and then the SWF file is going to be sending AMF packets, and they look very binary. So you'll see these binary objects being passed, these serialized objects, but they're decodable. Even Burp proxy supports it, so you can decode those requests, see the values, modify them, do a SQL injection; it'll repack an AMF request and hit the back end. So it's easy enough to deal with these things.

Quick question: anybody know what format this one is? No? This is JSON. There's a lot of data; it was just a JSON request. This is actually a banner ad request from Words With Friends, and it's got a ton of information in there, if my little light works: what carrier I'm on, what type of phone I'm using, and somewhere in there is the word that I submitted on the board in my game of Words With Friends. It sends all kinds of information, so you could even actually have banner ads that would be context-sensitive to what you just put on the board. But JSON is very convenient for mobile developers because it allows them to send a lot of data very compactly, in a compact format.

So when I started looking at the fantasy football app, I just wanted to look at it. I play fantasy football. You guys familiar with fantasy football, what it is? Now, one thumbs up. So you know, we like it. Fantasy football is D&D for sports geeks, right? Really not that much different. For those that don't know how this works: usually at the beginning of the season you pick your cast of characters. Each of the teams takes turns picking players from wherever in the league they want, trying to get the best players, and then during the season you set your lineup, you figure out which guys are the best on any given week. Once in a while a player is going to get injured, or they're going to have a bye week, which is kind of like the vacation week, so you manage your roster every week to figure out your best guys. Then they start playing, usually in a head-to-head matchup against another team, and whichever team's players get the most points wins for that week. This is me playing against the Denim Group. I've got a hacker league going, so I beat them that week, which was nice. Each player gets points based on how they contribute: if they're a wide receiver, how many passing yards they get, and all that sort of thing. So it's important for fantasy football managers, or fantasy baseball, there are all these different fantasy games, to set their lineup and get it right. Usually we get it wrong and then we make a whole lot of excuses as to why our teams suck that given week. And then we also spend time trash-talking when we do well. So it ends up being very key.

So I started looking at this, and I was wondering how secure these things are. I started looking at the traffic. I looked at the web app itself, and it was pretty secure. I was doing a lot of the standard attacks and I wasn't really finding anything interesting, and I didn't want to spend a lot of time, I'm lazy, so I decided to take a look at the mobile app. The mobile app gives you a lot of the same capabilities: I can go in there, I can see what's happening, I can modify my lineup right from the mobile app. So I want to look at how it's doing that, how it's talking to the server. I got my Wi-Fi Pineapple all set up, got everything going, started looking at the traffic, and what I start seeing is that it's making these requests that look like this: q=update fantasysports internal, with some big long string. What does that look like? A SQL statement, right? So I'm like, okay, that's cool. I want to start playing with this, and I started doing some attacks. I didn't find an easy way to do SQL injection; apparently they're using something called YQL as Yahoo's back end, so it wasn't easy to do any real good SQL attacks. But start looking at what it's actually sending, what's the data being sent. That green string, I spread it out: it's just an XML document, and it's got the player IDs and their position. So it shows their starters up there, and then they've got some guys on the bench, the guys in red. So I'm starting to look at that and I go, okay, this is all it's doing: every time I change my roster, this is what's happening. Doing that against myself isn't as fun, so I wanted to start understanding more about what's going on, and I started doing an investigation into how I can mess with other teams knowing this information, what would I do. So it led me down a path of understanding how mobile apps communicate and how they manage their sessions, and this is really where the seven deadly sins of mobile app session management come into play. I want to understand how they authenticate users, where they do this right and what they do wrong.

So I broke this down, and basically what you have is:

1. Trusting the client. That's usually the first step they do wrong.
2. Not always requiring encryption.
3. Allowing lifetime sessions.
4. Not keeping secrets.
5. Allowing repeat requests.
6. No curfew on these requests.
7. Failing to prevent altered requests.

I'm going to go through each of these here. So, starting to look at where the mistakes they might make are: the first one is always trusting the client. It always starts here. People build the mobile app and they also build the back end, and they trust that the traffic would only ever come from that mobile app, and that's where the mistakes always start. So that's number one.

Number two is not requiring encryption. I see a vast majority of apps not doing any kind of SSL; they're just running over straight port 80. When you're using a mobile app you have no idea. It's not like a browser where you have that little lock icon that tells you whether you're on a secure site or not; there's no analogous feature in mobile apps. You're just left unaware; unless you start looking at the traffic yourself, you've got no clue. I also see that a lot of the ones that are using SSL do it wrong: they don't require a valid certificate. So if I'm using Burp (if you've used a proxy before, it has its own SSL cert), most apps will take the SSL cert from Burp just fine; they're not doing any kind of check. I've seen some that do check and want a valid cert, because when they're doing dev a lot of times they'll turn it off, since they want to use their self-signed cert. But if you're man-in-the-middle, most of the ones that are checking the cert and do want a valid cert don't check the cert authority; they just accept that cert on its word. And if you're man-in-the-middle you can cheat on some of that, unless they're doing SSL pinning, which most are not doing. So simple SSL strip type of stuff works really well. The Register actually did their own study, and they have pretty similar results. I think they actually think it's worse than I do, but look at that article if you want. So anyway, that was number two.

Number three is allowing lifetime sessions. Mobile apps tend to allow a session to last a very, very long time, and there's a reason for this: a lot of users just want to click on the little button, have the app launch and do what it's supposed to do. They don't like entering their password every time, and the form factor of a mobile device is terrible for entering a password, so people don't like to do it, and when they are forced to do so they have really weak passwords. So mobile app passwords are pretty bad. I also see some apps that are using the wrong type of information to authenticate the user. I've seen some that will use the IMEI of the device. It's kind of the Social Security number of the device, a little card number to identify that user, and that's a terrible mechanism, because those are so easily stolen that once I know it, it's open season. I'll get to one of my hacks later that depends on that; I found some interesting stuff there. So not timing out the session is a problem.

They also don't keep secrets. In the web security world we've been stuck with the fact that the only data you can really store for managing a session is a session cookie. You can't really store any secret data in a browser, and so if somebody's man-in-the-middle and they can see the traffic, they can steal the session ID, and we're just stuck with it. HTML5 starts to answer some of that; we can have some local data store stuff that won't get sent in every request. But mobile apps have that inherently: they can store data on the client that can be used to sign requests or do things. They're not taking advantage of this. So once you're man-in-the-middle you can see everything; it's open season, you can steal a session very easily.

The other thing we see that they do wrong is they allow repeat requests. They allow the same request to be sent over and over, and there's not a lot of good reason for this. What they're not doing is tracking the request and maybe signing it with a nonce, a number used once, so that when they send it, the server would have a list of all the nonces you've used, and if it's one that you've used already it would reject the request, knowing it's already got that. Because again, if I can become man-in-the-middle and I can capture your request, then I can resend it and there might be something I can do. I actually found this worked with Twitter. They've recently updated their API, but in their old API, which was just barely shut down in May, they didn't track nonces, and once I captured a request I could resend it later. If it's Twitter, that's annoying if I'm just resending the same tweet. If it's a banking transfer, that's really cool, right? That could be a real problem; they can resend it. And it's pretty easy to solve by just tracking the nonces: keep track and store them on the server. When I talked to the guy with Twitter... actually, with Twitter I was doing this at BSides RSA. I was doing a live hacking demo and I was seeing Twitter traffic, and I was even able to see their direct messages. After they checked their direct messages, I could monitor their direct messages for a good long time. So that's not so good for them, but they fixed it; they've changed the way their structure works. Anyway, nonces are a good solution; most aren't using them.

The other thing they don't do in many cases is time out a request. Given a request I've recorded, maybe I've stopped it from being sent (let's say I'm man-in-the-middle, I prevent it from going forward, I want to keep it for myself), I can go ahead and do that and actually see that I can send that request hours or days later and it's still going to work. Again, let's say it was a bank transfer and I held it, and then they created a new one and sent it and got that bank transfer to go. I still have this one; I can send it later and it would still work. That's problematic. There are reasons that they do this. A lot of it is around connectivity: mobile apps have to accept that they're going to lose connection from time to time. You're going to be in an elevator or whatnot, you're going to lose connection for whatever reason, and so what most do is hold it in a buffer until it's able to go out. They should really time these out, and I'll explain a little bit why. If you tie this to the nonce, let's say you say that request is only valid for an hour. If it doesn't get sent in an hour, that one should expire and the app should regenerate a new request. If you do this, then your nonces on the server only have to be stored for that lifetime as well. If you know the request is only valid for an hour, I only have to keep an hour's worth of nonces on the server, so it saves you some space there. So simple timestamping of the request and expiring it is very useful to do.

And then the final thing is preventing altered requests. Most apps, once they've set up their session... let's say a Twitter example: if I could change the content of the tweet, that's kind of fun, right? I can mess around with people that way. If it's a banking transfer and I can change the account it's transferring to, that's a lot of fun. And it's easy enough to tie some of these things together to prevent all of this. If I were to have that secret token, let's say when I set up my login I do some kind of PKI exchange, or even just a randomly generated shared secret between the client and server that never gets transmitted after that initial setup, I can then sign everything. I could take my request, I can take the user content, I can take the nonce, the timestamp, hash all of that and encrypt it with my secret key, so now I'll have a secret hash that only I could have generated, because I would be the only one with the secret key. So I could take all of this and toss it in my request: I've got the session cookie, I've got the timestamp and nonce, I've got my secret key, there's the content. The server could then validate that very easily and make sure that nobody else could have generated that request or altered that request in any way. Twitter was doing some of this content hashing, so I couldn't actually change the tweet text. If you do this and you do all seven steps, and you're doing this over encryption so the encryption is solid, and then of course you make sure you're doing standard SQL injection protection, you end up with a very good profile. So these are the kinds of things I recommend for how apps should be built and how they should verify sessions and verify the user making the request. (I don't know why it changed the formatting; this is weird.) So those seven things: never trusting the client, limiting the session lifetime, using secret keys, using nonces, timestamping requests. Put all these together and you have a pretty good, secure mobile app.

So then let me spin this around. Let's go back to hacking fantasy football. Of these seven, what are they doing or not doing? I started looking at it. The sessions last a very long time; I was never asked to re-login for an entire season. They were not using SSL. They had no nonce type of activity, no secret key hashing or signing. So all I really needed was a session token. Again, SQL injection wasn't working, but all I needed at this point was the session token from another user, and once I had that I could actually do a lot as them: I could change their lineup. So I wanted to get session tokens. What I did: I waited, I was patient, and draft time was coming up, so who do you think provided Wi-Fi access on draft day? So I collected all these session tokens, and I had everybody's. Well, one guy was doing it off his device on his own connection, but everyone else, I was able to grab their session tokens. Once I had their session tokens I could do a lot; I was them, as far as the back-end system thought. Simple session tokens. I only needed to go in there, take their lineup, right before the game starts swap the starters with the bench, send it, and then they're screaming and crying and having a fit, and they have no idea how this happened. And it's just because the back end was not doing this right. I reported this to Yahoo. They have a new app, so it was interesting: the new app actually works, the new API is much better, it uses SSL, it does time out the things, but the old API still works. So anyway, using that old app is still exposing themselves, but it's harder now to steal session tokens because most people have updated.

Going through this process of looking at those seven deadly sins and breaking them down is what I've been spending time with, looking at lots of different apps, and I've found lots of stuff. The fantasy football one's a lot of fun, but there's a lot of interesting stuff that I end up seeing as I go through this process, looking at what's available and what I can do with these apps. A lot of apps are not using encryption, and then they're using basic auth for their authentication, and as any of you know, basic auth is just a base64 hash string, so you just base64-decode it and you've got the credentials. I was able to steal some traffic, or some data. My Backup Pro and Address Book Pro: at least My Backup Pro would ask you for a password when you open the app, so you have to plug in your password and then the app would load and show you your data. Looking at the traffic behind the scenes, that password is not used for the communication with the server. It's just used on the client, to make you think there's some kind of security involved. Behind the scenes it's actually using a static password for everybody; it was like "mybackup:pro" when I did the base64 decoding, for every request, and it was using the IMEI as the identification for that device. So I collected a bunch of IMEIs: I did my mall setup and collected a whole bunch of those, and then I just went to My Backup Pro and cycled through the list that I had and found all kinds of people's data. There are so many people using that app; ridiculous, right? And there's really no security involved.

I was playing Words With Friends; this is from earlier in my process, and Words With Friends is not vulnerable to this anymore, but I was able to do a word verification bypass. You're all familiar with Words With Friends, Scrabble: when you put your word on the board, it was making a request to do a dictionary lookup and see if it was a valid word. So I looked at the response when I put in a valid word and when I did an invalid word, and they had different responses. So I saved the good response, and then I took all seven letters, dropped them on the board, intercepted the response, put in the good one, and it accepted it and actually sent it and put it on the board. I was playing my cousin. He's freaking out; he calls me up immediately: "What did you do?" And I won that game. But it's going in and starting to look at this traffic: I'm looking at how they're verifying this, what are they doing. Words With Friends now, what they did is they combined the request, so it's one request to submit it. But what's actually nice is, in the response, if you put a word that's invalid, the response has a list of words that are close to that which you could use. So it's like a real suggestion box right there: "Oh, tell me I should have used that one." So it's a good cheat that way.

I was looking at other apps, and you'll do some standard SQL injection type attacks too. This is the Associated Press's mobile app, so you can monitor the news. It's a little RESTful back end that it would send data to and get a nice little JSON response with all the data that it's going to show in the app. So look at that little count=10. I think, well, maybe a little SQL injection attack, and sure enough, I'm getting SQL errors. A lot of this is because the people developing these back ends are not thinking of them as... I mean, web developers make this mistake all the time, but even more so when it's done through an API that people don't directly interact with. So I see some interesting stuff there. How much time have I got left? Oh, I'm early. I'm going fast.

Bump was an interesting one. If you've seen this hack, MJ Keith was the one that found this. You guys familiar with Bump? It's kind of an older app now, but it was popular for a while. What Bump would do is basically transfer contact data. You have two phones; let's say you're at a conference like this and you meet somebody and you say, okay, let's bump, so they bump phones and they get each other's contact information. It's kind of a way of transferring a vCard. What was interesting about this is it's not sending phone to phone; it's sending to a server. What happens is the two devices bump, they have the event, and they'll send to the Bump servers: "Hey, I just got bumped, and this is my location and this is the timestamp." The Bump server will then pair you up based on proximity and time of the bump. It would match them up, and then you'd get each other's information and you're good to go. Well, location is sometimes fuzzy. GPS isn't always on, it's not always accurate, sometimes it's using your tower's location, so there's some fuzziness. What we noticed in the request from each of the devices is it had an accuracy value, how accurate the GPS coordinates were, and there weren't a lot of boundary conditions there. So what we did at that point: we were looking at the Moscone, the conference center where they do the RSA conference. We got the GPS coordinates there, and I started sending requests up myself. I wrote a little Perl script that, on my high-speed connection at home, would just cycle through and say, "I just got bumped," and I would make my accuracy rating like within three miles of the Moscone, which is a good space. I just let it run, and what I started seeing is that I would get bumps and I'd get matched up with people. So now it's like, okay, what would happen if I respond with a bunch of "error error"? So I created a vCard that was all junk; it was all "error error." What I would do is respond with that: I would get their information, I would have that, and I'd send back "error error." Now what I'd see is they bump again. What I'm assuming is they'd be sitting there going, "What the hell, let's try it again." So let's say two guys bumped. I already took their information, I gave them errors back, they do it again; now I can go and send back each other's data, but I've got the stuff here and I can modify anything I want. I can change a phone number, I can add a malicious link as the company's URL, I can do whatever I want. There was nothing in Bump's system... actually, they weren't storing your contact information on their server; they were getting it sent in the moment. And they weren't verifying clients in any way, they weren't doing any request signing; there was nothing. MJ Keith actually took this further. He had found an old Safari bug from desktop Safari that still worked on the iOS Safari and was able to get a remote shell: a link that would exploit Safari and actually give him a remote shell on the iOS device. Fantastic, right? But again, it starts with exploiting these APIs, because this is our gateway to the mobile client, this is our gateway to all kinds of valuable data and lots of fun stuff.

So the main process here is to start looking at these apps. I think the mobile market is really the emerging market, and I don't think it's necessarily on the client side either. Look beyond that device in your hand; that's really the key. Start watching the traffic. How many of you have been looking at this mobile traffic? How many of you have started to test it? Alright, we've got a good few hands. It's very easy to do, and it's actually a lot of fun. Start looking at your own device: connect to a local hotspot, your local Wi-Fi, and start monitoring the traffic. There's lots to do. For those of you that have been looking at traffic, has anybody started hacking apps and seeing this type of thing yet? Seen some fun stuff? Very cool. So again, these seven are going to be the key. If you want to win a Wi-Fi Pineapple, we'll ship it to you. I don't have them on me, but we'll get them shipped to you pretty quickly in the next couple of days; just bring your card up here. And that's pretty much it. If you want a copy of my slides, I've got them posted; I'll keep this URL up. Any questions? So I guess we go to the question and answer time.

With regards to authentication, what mechanism would you recommend properly using when you're building an app, instead of using MDN or IMEI or ICCID, whatever?

Well, a username/password type of solution is still fine for that authentication piece; of course you want it over SSL. And what I recommend is that after that you can also have some kind of key exchange so that the requests can be signed in the future. But standard username and password is fine; I don't see any issue with that. By and large it's just what you do after that, once you've established a session: how are you going to maintain it? And I do see that most mobile apps have very, very weak password strength policies. Again, I understand the form factor of a mobile device is terrible for entering a password, but we've gotten lax, I think, with mobile apps.

While you're testing these apps, do you do anything to avoid getting into trouble, like, do you store all your requests and stuff, or just...?

Most of it... okay, I did talk with legal about my setup: hanging out at the mall with an open hotspot. I don't really have a EULA or any kind of user agreement on the Wi-Fi hotspot; people are connecting to me and I'm giving them real internet access, and the default policy on privacy really doesn't exist. So it's not like I'm joining somebody else's hotspot and stealing data; I'm offering and people are just taking. But going in and attacking individual apps, that is a little risky at times, but I do soft touches; I've been doing this a long time. Then we have clients that have mobile apps that I've been testing for our clients; these are ones I just found in the wild. And I've got some guys on my research team that are in different countries and they don't really care.

How exactly do you pull that JSON blob from the beginning, the JSON traffic?

Yes, well, so it's just
about being man-in-the-middle. Once I’m man-in-the-middle I can sit there... You know, let me go back on the slides quite a bit, back up here, further back than I thought. So, kind of setting this up here: what I’ll do is I can either use a... like, the little one in the corner there is my T-Mobile hotspot, but I could have, like, my laptop hooked into my LAN and then have the Wi-Fi Pineapple hooked up to my computer. So now I’m running Burp on my computer; let’s say it’s running on port 8080, right? So the Pineapple will be a hotspot, so you just take your phone, you connect it to the hotspot, to the Wi-Fi, turn off your mobile data network, right? So now it’s going to force all traffic through the hotspot, and you’ll just start seeing the traffic coming through in Burp. And so you just go through Burp and look at your proxy log and you have it all there. Or Fiddler or whatever proxy you want; I just happen to use Burp, I like it. But it’s easy enough to start getting it, and you do it on your own device; you know, I’ll do a lot of stuff with my own device, installing apps, using it, watching the traffic. And, you know, there are a few apps that are not using a web server back end, and so you have to look at the traffic in Wireshark, and that’s miserable, but, you know, if you’re not averse to hanging out in Wireshark you can kind of look at traffic there too. But most traffic is web.

Two things. One, because you have this slide up: some of these Wi-Fi services, you know, once you’ve authenticated, you also get all that user’s emails and things like that. I guess it’s a good reminder that people shouldn’t have their email and their Wi-Fi account be the same account, but it is.

Yes, yeah, the shared password thing; all the standard security stuff does come into play. And I do see that, like, when I’ve seen credentials being passed... I focused mostly on the web stuff because that’s just kind of my own personal interest, but yeah, if I’m watching Wireshark and I see them connecting to a POP server, now I’ve got a password there. You know, once you’re man-in-the-middle you can do just about anything you want at that point, right? And by the way, on the laptop I actually have... I’m doing internet connection sharing, and you can do that with Windows or Linux pretty easily. So it’s, you know, an actual router giving real internet access, and then I’m just forcing the port 80 and 443 traffic through my Burp.

I noticed in the fantasy football SQL there was a date code. Could you retroactively, after the game, change the date to before the game and so do very well on that one?

I haven’t tried; I’m going to now. That’s a good idea.

What about storage on the local device? So, say we have, like, the secret key that you’re storing on the client; how would you protect that, the authentication tokens, those tokens? You talked about, like, the SSL pinning type of stuff.

Okay, so, right, so what I’ve seen, there are lots of ways you can solve some of this. So, you know, let’s say once you get in you have your session ID, and let’s say your secret key. You can still do even the simple thing of just cycling the session token every once in a while, whenever someone connects; you know, I mean, kind of like a Set-Cookie event that just gives it a new session token so that old traffic is no longer valid. And then the data that’s at rest on the client, I don’t really mess with that too much, like how you’re going to store it there; that’s really not where I play. And I was listening to a talk earlier, they had all kinds of solutions on how to store data securely on the device so that other apps can’t get to it: make sure it’s in your sandbox space and all that sort of thing. And there are hacks that are going to allow you to bust out of the sandboxes and stuff, so I don’t know how you’re going to do it on that end, but that’s the individual client. You know, I think it’s harder for an app to steal that, and you’re only targeting, you know, an individual client. But, oh, and losing their phones, yeah, that’s another reason why you want to time out the life of the session, you know, and ask for the password again every once in a while. Yeah, lost devices are a real problem, and that’s another thing: like, Facebook has a feature where you can go in and see a list of your active sessions and then you can kill them. Most apps don’t do that. You
know, you should be able to, like, crap, you know... It’s like when you lose your credit card, you can call the credit card company and say get rid of it, right? Kill that account, give me a new card. But most apps don’t give you that capability, so that’s a good point.

So let’s assume, as you said, rogue access points and sniffing traffic with web services: if it is an SSL connection, wouldn’t it prompt you for the certificate? Like, the mobile app that you are connecting to a site with a certificate?

So most apps don’t, actually. A lot of them haven’t built the interface or are not using the library properly, and so that’s what I was saying is a lot of them will accept any cert. You know, they just want to connect to an SSL connection and they ignore the cert errors, and usually it’s because during dev, you know, they’ve done like a self-signed cert against their local box or whatever and they didn’t install that cert on to their device, they just kind of turned off the error handling. So I see a lot of them just turn off the error handling. Very few have the dialog that will pop up, very, very few.

So again, in that case you can actually peek into the SSL connection and then change that before you forward it again to the destination, right?

Yeah, yeah, exactly. Burp will be man-in-the-middle, and it’s the SSL server and then the SSL client, and in the middle it’s pure plain text.

So the question is how do you force that mobile app to talk to your proxy. So in this here, what I did was set up the device to force all of the port 80 traffic through my box, which is 172.16.42.42 port 8080; that’s where I’ve got Burp listening. It’s all forced traffic through there, and I’ll just add another line for destination port 443, and then all of a sudden I’ve got the traffic going into Burp.

Can we go back to the slide where you showed Bump? Bump, towards the end. Let me jump... All right, just zip through this. There you go. So I was really confused here: so you would be a man-in-the-middle between the two contacting?

No, I’m not man-in-the-middle in this one. In this one all I did was I had my idle Perl script running on a high-speed connection that’s going and just saying “I got bumped, I got bumped, I got bumped, I got bumped,” and then if somebody actually does bump, I’ll often win both races and I’ll get matched up, since the... Race condition? Yeah, okay, it’s a race condition problem, and then I can end up getting in there. Any other questions?

Were you able to find any parameter or vulnerability that could possibly allow the 49ers to overtake the Seahawks early? That seems impossible at this point.

It does seem impossible at this point, you know, and we’re hoping we get to the playoffs. But, you know, I figured while I’m in New York I’m gonna go grab, you know, a Giants or a Jets shirt, but I just couldn’t bring myself to put one of those on. So I’m a California guy, I’m going to just stick with it. Anything else? All right, well, thank you all then. Thank you.
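The session-handling advice from the Q&A (rotate the token so captured traffic goes stale, time out idle sessions and ask for the password again, and let the user list and kill active sessions), as an added Python example that is not part of the talk or of any app discussed in it; the in-memory store, the 15-minute idle timeout and the per-request rotation are assumptions:

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before re-authentication (assumed value)


class SessionStore:
    """Server-side session table for a mobile API back end (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can advance time
        self._sessions = {}        # opaque token -> {"user", "device", "last_seen"}

    def login(self, user, device):
        # Issue a fresh random token after password auth; it is never derived
        # from device identifiers such as IMEI or ICCID.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "device": device, "last_seen": self._clock()}
        return token

    def touch(self, token):
        """Validate a request token; return (user, new_token) or None.

        Each valid request retires the presented token and hands out a new one,
        so a token sniffed in transit stops working at the legitimate client's
        next call. Idle sessions are dropped, which forces a new login.
        """
        entry = self._sessions.pop(token, None)
        if entry is None:
            return None                                   # unknown or already rotated
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            return None                                   # idle too long: re-authenticate
        entry["last_seen"] = self._clock()
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = entry
        return entry["user"], new_token

    def active_sessions(self, user):
        """What a 'where am I logged in' screen shows: device names, never tokens."""
        return sorted(e["device"] for e in self._sessions.values() if e["user"] == user)

    def revoke(self, user, device):
        """Kill every session for one of the user's devices (the lost-phone case)."""
        doomed = [t for t, e in self._sessions.items()
                  if e["user"] == user and e["device"] == device]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Rotating on every request breaks apps that fire requests in parallel; a production store would rotate on a schedule, as the talk suggests, and keep the previous token valid for a short grace window.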