Re: [Skunkworks] NCC Mobile County App Security

Also please inform them of the fact that a brute force attack on their API is trivially simple to do. And since we know the PIN is a four digit number, it means there are only a max of 9999 combinations. They should either rate limit the API, or lock the account after X number of failed attempts, and require another form of authentication, either an SMS, email, captcha etc. I personally would not use the same PIN I use for mpesa/debit cards with their service until this is done, and I recommend the same for all skunks.
On 24 February 2015 at 15:03, Jimmy Thuo <jimmy.thuo@gmail.com> wrote:
Ok thanks will link them up.
On Tue, Feb 24, 2015 at 2:39 PM, John K. <kamau.john@gmail.com> wrote:
I'm not a pen tester myself, Gichuki (chuksjonia@gmail.com) who is on this list (and thread) is a pen tester, hopefully JamboPay can liaise with him/his company on some testing.
On 24 February 2015 at 13:55, Jimmy Thuo <jimmy.thuo@gmail.com> wrote:
Hi John, I have a contact at JamboPay. If you are a pen tester or know someone who is, recommend them; I can link you up with JamboPay. They need the service.
On Tue, Feb 24, 2015 at 7:07 AM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
Some progress: I've seen that they have updated the app; they however didn't take existing users into consideration, and so the previous version of the app now crashes if you try to do any transaction. Seems the dev and product guys need to synchronize their activities. Now they face the massive task of dealing with support issues regarding the previous version, which now no longer works and crashes with the "Unfortunately, X app has stopped" Android error.
In summary
Good to see:
1. HTTPS (finally)
2. No longer using a hardcoded IP, now the API calls epayments.nairobi.go.ke
Still needs work
1. API calls done over plain HTTP should not be allowed. HTTPS should be the only way to communicate with the server. Should an internal developer ever forget to use a URL that starts with https, then the call wouldn't work; otherwise the plain text communication would slip through to the production version.
2. The user PIN is still being sent over each request. Still not good, as a simple brute force attack of the main login API can reveal any user's PIN, and only 9999 requests are required.
On a final note, since the devs are obviously on this list, can any one of them please respond to this thread. Collaboration is how security is done, watching a thread and silently fixing issues while good, is not enough. Get involved, pull in some professional pen testers to see what other vulnerabilities your system has. The bad guys are also reading this thread, and unlike the rest of us, they won't post their findings.
On 12 February 2015 at 18:37, Okechukwu <okechukwu@gmail.com> wrote:
Or just a Wireshark installation on your laptop and your mobile phone connecting to the same access point can tell you what protocols your apps are using.
./Ok3ch
On Tue, Feb 10, 2015 at 10:01 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
@Benjamin Force the device to use your own custom proxy, through which you can then monitor all traffic. In Android it would mean when connecting to wifi, choose advanced, then enter your own proxy and port.
On 10 February 2015 at 06:50, Gichuki John Chuksjonia via skunkworks <skunkworks@lists.my.co.ke> wrote:
Their domain is https://epayments.nairobi.go.ke/selfservice/login
I haven't checked SSL on them, but I wonder if it is, or even whether they have tested security on them or have any form of security standards.
On 2/10/15, Benjamin Muraguri via skunkworks <skunkworks@lists.my.co.ke> wrote:
How are you able to tell whether a mobile app uses SSL? Even for say an email or banking app. For web applications, the URL gives it away, but for a mobile application, how can one tell whether data is being transmitted securely?
On Tue Feb 10 2015 at 13:40:48 John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
Seems they may have patched the site, still waiting for a fix for the app. I'll keep checking, for now the previous advice remains. Do not use the app until they, at the very minimum, enforce SSL.
On a side note, can the devs explain why they are using a hard coded IP? If the IP tomorrow is not available, all installed apps become useless? Many users have no idea how to update apps, so, saying you'll force an update is not an option.
On Monday, February 9, 2015, Allan O. via skunkworks <skunkworks@lists.my.co.ke> wrote:
Looks like they've taken measures to resolve those issues?
On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
Anyone know the devs of the Nairobi County App at JamboPay? Need to notify them of some serious security concerns in their app. Serious to the point that I won't use the app until they are patched.
And if anyone on this list uses it, please don't use the same PIN you use for other secure services like Mpesa, atm etc until these issues are patched.
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
-- Best Regards Jimmy Thuo
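Item 1 under "Still needs work" above asks that a request simply fail if anyone on the team ever builds a plain http URL. The following is an added example of how a client library can fail closed on that point; it is not JamboPay's or the app's code. Every API URL is checked for the https scheme, for the host named in the thread (epayments.nairobi.go.ke), for the absence of embedded credentials and for the default port before any request is made; the function names and the `/api/login` path are hypothetical.

```python
"""Refuse to talk to the payments API over anything but HTTPS.

Added example (not JamboPay's or the app's code). The client fails closed: if a
developer ever builds an http:// URL, or points at a raw IP again, the call is
rejected before it leaves the device instead of slipping through to production.
The host is the one named in the thread; paths and function names are hypothetical.
"""
from urllib.parse import urlsplit

API_HOST = "epayments.nairobi.go.ke"   # host named in the thread


class InsecureUrlError(ValueError):
    """Raised when a request would leave the device without TLS or to the wrong place."""


def check_api_url(url: str, allowed_host: str = API_HOST) -> str:
    """Return url unchanged if it is https to the expected host, otherwise raise.

    Rejects: a non-https scheme, any other host (including hardcoded IPs),
    credentials embedded in the URL, and an explicit port other than 443.
    Scheme and host comparisons are case-insensitive.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise InsecureUrlError(f"refusing non-https scheme {parts.scheme!r}: {url}")
    if parts.hostname is None or parts.hostname.lower() != allowed_host:
        raise InsecureUrlError(f"unexpected host {parts.hostname!r}: {url}")
    if parts.username or parts.password:
        raise InsecureUrlError("credentials must not be embedded in the URL")
    if parts.port not in (None, 443):
        raise InsecureUrlError(f"unexpected port {parts.port}: {url}")
    return url


def api_url(path: str) -> str:
    """Build an API URL. Scheme and host are fixed here; callers only ever supply a path."""
    if not path.startswith("/"):
        path = "/" + path
    return check_api_url(f"https://{API_HOST}{path}")


def is_url_allowed(url: str) -> bool:
    """Boolean form of check_api_url for callers that prefer not to catch the exception."""
    try:
        check_api_url(url)
        return True
    except InsecureUrlError:
        return False


if __name__ == "__main__":
    # Constructed inputs; /api/login is a hypothetical path, 198.51.100.7 a documentation address.
    print(api_url("api/login"))   # https://epayments.nairobi.go.ke/api/login
    for u in ("http://epayments.nairobi.go.ke/api/login",    # forgotten 's': blocked
              "https://198.51.100.7/api/login",              # hardcoded IP: blocked
              "HTTPS://EPAYMENTS.NAIROBI.GO.KE/api/login"):  # same host, different case: allowed
        print(u, "->", "allowed" if is_url_allowed(u) else "blocked")
```

On Android the same policy can also be declared rather than coded: setting `android:usesCleartextTraffic="false"` in the manifest, or a Network Security Configuration with cleartext disabled, makes the platform itself refuse plain-HTTP connections from the app, which covers third-party libraries that never go through a wrapper like the one above.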

On Thu, Feb 26, 2015 at 10:37 AM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Also please inform them of the fact that a brute force attack on their API is trivially simple to do. And since we know the PIN is a four digit number, it means there are only a max of 9999 combinations. They should either rate limit the API, or lock the account after X number of failed attempts,
Then a malicious user (Eve <https://en.wikipedia.org/wiki/Alice_and_Bob>) will just come in and block all accounts by just walking through every account id and making nefarious X login attempts. You probably want to IP rate limit, or use expensive client side password hashing that makes it intractable for Eve to generate many passwords (read KDF <https://en.wikipedia.org/wiki/Key_derivation_function>).
> and require another form of authentication, either an SMS, email, captcha etc
> I personally would not use the same PIN I use for mpesa/debit cards with their service until this is done, and I recommend the same for all skunks.
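Laban's objection above (lock after X failures, and Eve locks every account by sweeping account ids) and John's rate-limit suggestion are not in conflict; the usual middle ground is a per-account backoff that escalates but always expires, a second factor demanded after a few failures instead of a hard lock, and a per-source rate limit in front. The following is an added example of that design, not JamboPay's or the app's code; all names, thresholds and the stub `verify_step_up` check are assumptions for the demo.

```python
"""Login throttling that slows a PIN brute force without handing Eve a mass lockout.

Added example, not JamboPay's code. The idea, from the defender's side:
  * per-account backoff that escalates but expires on its own, so there is no
    permanent lock an attacker can trigger for every account id;
  * after a few failures the account needs a second factor (SMS/captcha token)
    as well as the PIN, so the login call stops being a PIN oracle;
  * a per-source-IP token bucket as a cheap first filter.
All names, limits and the stub step-up check are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STEP_UP_AFTER = 3          # consecutive failures before a second factor is demanded
MAX_BACKOFF_S = 15 * 60    # backoff is capped, so no lock is ever permanent
IP_BUCKET_SIZE = 10        # per-IP burst allowance
IP_REFILL_PER_S = 0.2      # sustained rate per IP: one attempt every 5 s
PBKDF2_ROUNDS = 20_000     # low for the demo; production uses far more (or scrypt/Argon2)


def pin_hash(salt: bytes, pin: str) -> bytes:
    """Salted slow hash of the PIN; only the digest is stored server side."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def verify_step_up(account_id: str, token: Optional[str]) -> bool:
    """Stand-in for checking an SMS/captcha token; the demo accepts 'otp-<account>'."""
    return token == f"otp-{account_id}"


@dataclass
class Account:
    salt: bytes
    pin_digest: bytes
    failures: int = 0          # consecutive failed attempts
    not_before: float = 0.0    # earliest time the next attempt is accepted

    @classmethod
    def create(cls, pin: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt=salt, pin_digest=pin_hash(salt, pin))


@dataclass
class IpBucket:
    tokens: float = IP_BUCKET_SIZE
    last: float = 0.0


@dataclass
class LoginGuard:
    accounts: Dict[str, Account] = field(default_factory=dict)
    buckets: Dict[str, IpBucket] = field(default_factory=dict)

    def _ip_allows(self, ip: str, now: float) -> bool:
        bucket = self.buckets.setdefault(ip, IpBucket(last=now))
        bucket.tokens = min(IP_BUCKET_SIZE, bucket.tokens + (now - bucket.last) * IP_REFILL_PER_S)
        bucket.last = now
        if bucket.tokens < 1:
            return False
        bucket.tokens -= 1
        return True

    def attempt(self, account_id: str, pin: str, ip: str, now: float,
                step_up_token: Optional[str] = None) -> str:
        """Return one of: ok, bad_pin, ip_throttled, backoff, step_up_required."""
        if not self._ip_allows(ip, now):
            return "ip_throttled"
        acct = self.accounts.get(account_id)
        if acct is None:
            pin_hash(b"\x00" * 16, pin)   # same cost and answer as a wrong PIN: no id enumeration
            return "bad_pin"
        if now < acct.not_before:
            return "backoff"
        if acct.failures >= STEP_UP_AFTER and not verify_step_up(account_id, step_up_token):
            # The PIN is not evaluated at all here, so the reply cannot leak whether it was right.
            return "step_up_required"
        if hmac.compare_digest(pin_hash(acct.salt, pin), acct.pin_digest):
            acct.failures = 0
            acct.not_before = 0.0
            return "ok"
        acct.failures += 1
        acct.not_before = now + min(2 ** acct.failures, MAX_BACKOFF_S)   # 2, 4, 8 ... s, capped
        return "bad_pin"


def demo() -> dict:
    """Constructed scenario: Eve walks PINs against 'alice' from rotating IPs; Alice then logs in."""
    guard = LoginGuard()
    guard.accounts["alice"] = Account.create("4821")   # constructed PIN
    eve: List[str] = []
    t = 0.0
    for n in range(8):                       # first eight guesses of a 0000.. sweep
        t += 5.0                             # the "once every 5 seconds" pace from the thread
        eve.append(guard.attempt("alice", f"{n:04d}", f"198.51.100.{n % 3}", now=t))
    # Even the right PIN gets the same answer once the second factor is required.
    eve_right_pin = guard.attempt("alice", "4821", "198.51.100.9", now=t + 5)
    # The real user is inconvenienced (a step-up prompt) but never locked out.
    alice = guard.attempt("alice", "4821", "203.0.113.5", now=t + 10, step_up_token="otp-alice")
    return {"eve": eve, "eve_right_pin": eve_right_pin, "alice": alice}


if __name__ == "__main__":
    print(demo())
```

In the demo the attacker gets three guesses before the endpoint stops answering about the PIN at all: the fourth attempt lands in the backoff window, and from then on every attempt without the second factor, including one with the correct PIN, receives the same `step_up_required` reply. Eve's sweep of account ids can force a step-up prompt onto victims but cannot deny them service, because the backoff is capped and the step-up is something the legitimate user can satisfy. The PBKDF2 round count is deliberately low so the demo runs quickly.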

I agree, very easy for a malicious user to simply troll and lock out all users. However, the fact that the PINs can be reliably estimated means that a very patient attacker can simply start from 0000 and slowly attempt a login once every 5 seconds, and log their last PIN attempt so the attacker knows where to resume from. Sure it will take some time, but eventually you'll get the PIN. Some quick math shows that it would take at most 13hrs to get the PIN. Blocking an IP here wouldn't help since all the attacker has to do is use another route, either via VPN, proxy etc, and simply resume where they had left off.
Locking the account, encrypting the PIN client side before posting, or simply using a longer multi-character password may be the only way to make it difficult for an attacker to make any headway. Another simple way is to add some text from a captcha image that must be accompanied by the PIN when logging in, after say 3 login failures.
On 26 February 2015 at 10:49, Laban Mwangi <lmwangi@gmail.com> wrote:
> On Thu, Feb 26, 2015 at 10:37 AM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
>> Also please inform them of the fact that a brute force attack on their API is trivially simple to do. And since we know the PIN is a four digit number, it means there are only a max of 9999 combinations. They should either rate limit the API, or lock the account after X number of failed attempts,
> Then a malicious user (Eve <https://en.wikipedia.org/wiki/Alice_and_Bob>) will just come in and block all accounts by just walking through every account id and making nefarious X login attempts. You probably want to IP rate limit, or use expensive client side password hashing that makes it intractable for Eve to generate many passwords (read KDF <https://en.wikipedia.org/wiki/Key_derivation_function>).
>> and require another form of authentication, either an SMS, email, captcha etc
>> I personally would not use the same PIN I use for mpesa/debit cards with their service until this is done, and I recommend the same for all skunks.
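The slow attacker John describes above (one attempt every 5 seconds, resuming from a different VPN or proxy exit whenever an address is blocked) is exactly the pattern that per-IP counters miss, which is why it also needs to be visible on the server side. The following is an added example of detection logic run over constructed authentication log lines; it is not JamboPay's code. It counts failures per account over a 24-hour window regardless of source address, and separately flags a single source failing against many account ids (Laban's lockout sweep). The log format, thresholds and every line are constructed for the demo.

```python
"""Spot the slow, IP-hopping PIN brute force in authentication logs.

Added example, not JamboPay's code. Per-IP counters never fire against an
attacker who tries one PIN every few seconds and rotates exit addresses, so
failures are counted per *account* over a long window; failures from one
*source* against many accounts catch the lockout sweep. The log format,
the thresholds and every log line here are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

ACCOUNT_FAIL_THRESHOLD = 20     # failures for one account within WINDOW, any source
SWEEP_ACCOUNT_THRESHOLD = 5     # distinct accounts failed from one IP within WINDOW
WINDOW = timedelta(hours=24)


def parse(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "account": m["account"], "ip": m["ip"], "result": m["result"]}


def _first_breach(fails, threshold, key_index):
    """Slide a WINDOW over time-sorted failures; return (count, distinct values) at the first breach."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > WINDOW:
            start += 1
        distinct = {item[key_index] for item in fails[start:end + 1]}
        if len(distinct) >= threshold:
            return end - start + 1, len(distinct)
    return None


def detect(lines):
    """Return a list of findings, each a dict with kind, key, count and a distinct-count."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails_by_account = defaultdict(list)   # account -> [(ts, ip)]
    fails_by_ip = defaultdict(list)        # ip -> [(ts, account)]
    for e in events:
        if e["result"] == "FAIL":
            fails_by_account[e["account"]].append((e["ts"], e["ip"]))
            fails_by_ip[e["ip"]].append((e["ts"], e["account"]))

    findings = []
    for account, fails in fails_by_account.items():
        # Threshold on the number of failures; key_index 0 (timestamp) is unique per event.
        hit = _first_breach(fails, ACCOUNT_FAIL_THRESHOLD, 0)
        if hit:
            ips = {ip for _, ip in fails}
            findings.append({"kind": "account_brute_force", "key": account,
                             "count": hit[0], "distinct_ips": len(ips)})
    for ip, fails in fails_by_ip.items():
        # Threshold on distinct account ids (key_index 1) failed from this one source.
        hit = _first_breach(fails, SWEEP_ACCOUNT_THRESHOLD, 1)
        if hit:
            findings.append({"kind": "lockout_sweep", "key": ip,
                             "count": hit[0], "distinct_accounts": hit[1]})
    return findings


def _fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_log():
    """Synthetic lines: Alice's one typo, a slow brute force on 'carol', Eve's sweep."""
    base = datetime(2015, 2, 26, 8, 0, 0, tzinfo=timezone.utc)
    lines = [
        f"{_fmt(base)} account=alice ip=203.0.113.10 result=FAIL",
        f"{_fmt(base + timedelta(seconds=9))} account=alice ip=203.0.113.10 result=OK",
    ]
    # 25 failures against carol, one every 20 minutes over ~8 hours, rotating five exit IPs:
    # far below any per-minute rate limit, invisible to per-IP counters.
    for i in range(25):
        t = base + timedelta(minutes=30 + 20 * i)
        lines.append(f"{_fmt(t)} account=carol ip=198.51.100.{i % 5} result=FAIL")
    # Eve fails against six different account ids from one address within seconds.
    for i, acct in enumerate(["u1", "u2", "u3", "u4", "u5", "u6"]):
        t = base + timedelta(hours=2, seconds=i)
        lines.append(f"{_fmt(t)} account={acct} ip=192.0.2.77 result=FAIL")
    return lines


if __name__ == "__main__":
    for f in detect(constructed_log()):
        print(f)
```

Both rules key on the window rather than on the rate, so they still fire when the attacker is slower than any throttle and changes address on every attempt; the `distinct_ips` count on the account finding is what tells an analyst that blocking addresses would not have helped.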

I'll just leave this one here.
I work in the CBD and often use the streets' 'kanjo' parking. I like convenience, hence I normally pay seasonal parking when my pocket allows, either the one month or three months. So this 'respectable' Kanjo lady approaches me yesterday while leaving the parking slot and says she notices my seasonal parking is expiring today, 29th July. I say 'yes' and she asks whether I mind promoting her. How, I ask? She offers to renew my seasonal parking, then I pay her in cash or mpesa. I agree but on one condition, that I get the confirmation message from JamboPay and that when I dial *217# I will get a valid response. We agree to meet today at 7:00am at my usual parking spot. She calls me today at 6:50am asking if she should proceed to pay; I say yes, I am on my way to town. I arrive 30 minutes later but still no JamboPay message. However she calls me and tells me that her 'person' has gone to City Hall to pay (FIRST ALARM BELL!!!).
More... http://wazua.co.ke/forum.aspx?g=posts&m=676416
On Fri, Feb 27, 2015 at 8:17 AM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
> I agree, very easy for a malicious user to simply troll and lock out all users. However, the fact that the PINs can be reliably estimated means that a very patient attacker can simply start from 0000 and slowly attempt a login once every 5 seconds, and log their last PIN attempt so the attacker knows where to resume from. Sure it will take some time, but eventually you'll get the PIN. Some quick math shows that it would take at most 13hrs to get the PIN. Blocking an IP here wouldn't help since all the attacker has to do is use another route, either via VPN, proxy etc, and simply resume where they had left off.
> Locking the account, encrypting the PIN client side before posting, or simply using a longer multi-character password may be the only way to make it difficult for an attacker to make any headway. Another simple way is to add some text from a captcha image that must be accompanied by the PIN when logging in, after say 3 login failures.
--
Best Regards
Jimmy Thuo
--
It's all in the </head>
Best Regards,
Paul Njoroge. <https://twitter.com/#%21/p_njoroge>
*Skype: njorogepaul*
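The two fixes asked for in the quoted "still needs work" list, as an added example that is not code from the thread or from JamboPay: a server-side PIN check that locks the account after a fixed number of failed attempts, so the 10,000-value PIN space cannot be walked through the login API, and a client-side guard that refuses any API URL that is not https, so a forgotten "s" fails in development instead of leaking plaintext in production. The 5-attempt threshold, the 15-minute lockout and all names are hypothetical.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import urlsplit

MAX_FAILED_ATTEMPTS = 5      # assumed policy value, not from the thread
LOCKOUT_SECONDS = 15 * 60    # assumed policy value, not from the thread


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the 4-digit PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinAuthenticator:
    """Server-side PIN check with per-account lockout: a 4-digit PIN has only 10,000
    values, so locking after MAX_FAILED_ATTEMPTS caps each window at 5 of them."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so lockout expiry is testable
        self._accounts = {}    # account -> dict(salt, pin_hash, failures, locked_until)

    def register(self, account: str, pin: str) -> None:
        salt = os.urandom(16)
        self._accounts[account] = dict(salt=salt, pin_hash=hash_pin(pin, salt),
                                       failures=0, locked_until=0.0)

    def verify(self, account: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked' ('locked' = step-up auth required)."""
        rec = self._accounts.get(account)
        if rec is None:
            return "denied"               # same answer as a wrong PIN: no user enumeration
        if rec["locked_until"] > self._now():
            return "locked"               # refused before any check, even if the PIN is right
        if rec["locked_until"]:           # lockout expired: start a fresh window
            rec["failures"], rec["locked_until"] = 0, 0.0
        if hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = self._now() + LOCKOUT_SECONDS
        return "denied"


def require_https(url: str) -> str:
    # Client-side guard: a URL that is not https is rejected before any request is built.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS API URL: {url!r}")
    return url
```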