Full Disclosure mailing list archives
Readdle: User traking (device UUID) over plaintext HTTP in query parameter
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 13 Nov 2012 22:06:48 -0500
This little gem showed up in a recent code review. Signature ([self signature]) is a CRC32 with no cryptographic value. -1 for tracking with a device's UUID -1 for doing it over an insecure channel -1 for doing it with a query parameter // From ReaddleProtector.mm - (void)validateCopy { NSString *urlString = [NSString stringWithFormat:@"http://api.readdle.com/rpp/?u=%@&s=%@", [[UIDevice currentDevice] uniqueIdentifier], [self signature]]; NSURL *url = [[NSURL alloc] initWithString:urlString]; NSMutableURLRequest *req = [[NSMutableURLRequest alloc] initWithURL:url]; UIDevice *d = [UIDevice currentDevice]; NSBundle *b = [NSBundle mainBundle]; NSString *userAgent = [NSString stringWithFormat: @"rp2|%@|%@|%@|%@", [b objectForInfoDictionaryKey:@"CFBundleIdentifier"], [b objectForInfoDictionaryKey:@"CFBundleVersion"], [d systemName], [d systemVersion]]; [req setValue:userAgent forHTTPHeaderField:@"User-Agent"]; response = [NSMutableData new]; [[[NSURLConnection alloc] initWithRequest:req delegate:self startImmediately:YES] autorelease]; [url release]; [req release]; } Surprisingly, it looks they have a well configured server, except for the 1024 bit key. $ echo "GET / HTTP 1.0" | openssl s_client -connect readdle.com:443 CONNECTED(00000003) depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.readdle.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.readdle.com verify error:num=27:certificate not trusted verify return:1 depth=0 /serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.readdle.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.readdle.com i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIDfjCCAuegAwIBAgIDFU79MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAxMTI0MjI1MjU2WhcNMTMwMjI1MTUzODI2 WjCB4TEpMCcGA1UEBRMgWEgtNDQxREN6Smx1VC1sUmpHTGFaY24vNUNLcVRHNlIx CzAJBgNVBAYTAlVBMRYwFAYDVQQKDA0qLnJlYWRkbGUuY29tMRMwEQYDVQQLEwpH VDE0MDgyMjI1MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJj ZXMvY3BzIChjKTEwMS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQg LSBSYXBpZFNTTChSKTEWMBQGA1UEAwwNKi5yZWFkZGxlLmNvbTCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAuVf/LwcGdBLjx9c4A3mM6pLu+BbdT0f8PDH9MxLN xZxcTPfAlna0De6oEFiwmo3XmF8HK5TygM1fRAePOynjk2W91xDUl1tJudcsY62I QkoD4lfGgTuypeI68dliU14D+noiZqtTVfgeyiVhoyKmcFCR6Bey+YLUDSk0lDm+ sqUCAwEAAaOB1TCB0jAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAO BgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCUG A1UdEQQeMByCDSoucmVhZGRsZS5jb22CC3JlYWRkbGUuY29tMDoGA1UdHwQzMDEw L6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3Js MB0GA1UdDgQWBBRsaJpxsTMoCtgxe1yhfs17Czo+dzANBgkqhkiG9w0BAQUFAAOB gQBxwvrCpe5gEbLMC1VEaXe6Ppz1Vl2KjFovK7xLsROn9I54Ch6QDBZB0QvrqwNI FRDpjxwlfYb45Q0p9HgKPYcsSVyj9akuIsgC40yggc8Xqo02XhYRQ7PycIIy3Wfl 7Z1Al1Tkb9xuXA7lse2bITMVw7A8D+XnmFLwvel6OZzVjw== -----END CERTIFICATE----- subject=/serialNumber=XH-441DCzJluT-lRjGLaZcn/5CKqTG6R/C=UA/O=*.readdle.com/OU=GT14082225/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.readdle.com issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1067 bytes and written 328 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 30EF8AFC9D38C2D809871A86CE86B0B51F04AABC0CBF337CC3C9E68D2365D1E6 Session-ID-ctx: Master-Key: 2596AD9369A5B73FC4DDA845E41EF67C4333C5861C99507BA1E32784EC2B48E980A1625BC8B5D70841AAB3787A81D8E9 Key-Arg : None Start Time: 1352861697 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- DONE _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Readdle: User traking (device UUID) over plaintext HTTP in query parameter Jeffrey Walton (Nov 13)