Hacking the Call Records of Millions of Americans

Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user. Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser. This capability wasn’t a hypothetical. I recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for an attacker to leak call history logs of Verizon Wireless customers. ...

My iOS Web Hacking Setup - Surge, Termius, and Caido

As a part-time bug bounty hunter, I’ve found reducing friction in my testing to be especially important. Being able to quickly look at the behavior of an application to take advantage of downtime is very important to me. With that I’ve come up with a bit of an uncommon workflow where I not only proxy traffic from iOS devices, but will also look through the request history and even modify and replay requests, all from my iPhone or iPad. ...

Mobile OAuth Attacks - iOS URL Scheme Hijacking Revamped

Summary: We (Julien Ahrens @MrTuxracer and myself @Evan_Connelly) identified nearly 30 popular apps, as well as a feature within iOS itself, vulnerable to an attack in which any installed iOS app from the Apple App Store could perform an account takeover of victim users. This vulnerability exploits the nuances of the OAuth protocol and iOS’s handling of Custom URL Schemes and Safari browser sessions to steal OAuth Authentication Codes from vulnerable OAuth implementations, thereby allowing an attacker to gain access to a victim’s account. ...

A Silent Threat - Open Redirects via OAuth Client Applications

If an OAuth Authorization Server (AS) supports self-registration of client applications, and also supports silent authentication, it is likely possible to use the AS as an open redirector. Self-Registered OAuth Client Applications: A significant factor in OAuth’s wide adoption is the ability for developers to register their own client applications on various platforms. This is often done via a self-registration process, which is a major part of OAuth’s flexibility and widespread adoption. ...

Post Account Takeover? Account Takeover of Internal Tesla Accounts

In testing various Tesla web applications as part of the Tesla Bug Bounty Program, I’ve created many Tesla user accounts. At some point, while creating a new account, I became curious whether I could register an account using a Tesla email address. For background, Tesla has many web apps. When it comes to SSO for all of these apps, Tesla has two main Identity Providers (IdPs): auth.tesla.com for external users and sso.tesla.com for employees. My testing involved the public auth.tesla.com. ...