We are in digital era, everything is connected to the large networks and applications benefit of even more complex devices that deeply interact with owner, in this scenario security requirements assume a crucial importance and security of overall architecture also depend on security of single components.
In these months mobile users have gone crazy for a simple video game named Ruzzle, developed by the Swedish gaming company MAG Interactive, available for iOS and Android devices.
The game mechanism is inspired by the board games Boggle and Scrabble. Early 2013 the researcher at Hacktive Security started a study on most spread mobile applications such as popular Ruzzle focusing on the protocol implemented and possible repercussion on user's privacy.
Ruzzle protocol use Json for response within a user's session, security analyst discovered that is it possible to tamper them due the absence of control on server side on data sent by the application.
The leak of data validation is widely exploited in web application context typically to increase attacker's privileges or worst to impersonate the victim within an authenticated session.
The research conducted demonstrated that it is possible to obtain access with a profile different from the one of the victim without authentication and of course to perform any actions exactly as the attacked user.
One of the most interesting components of the Ruzzle game is the chat, yes today the key feature of any game is it's social aspect, it's capability to make in direct contact users to simply play a game or exchange messages.
Ruzzle doesn't escape to this simple rule, experts at Hacktive Security demonstrated that a ill-intentioned user can obtain full control of the victim's account with serious repercussion.
The attackers can access to the whole list of played games including current games and it could also challenge other victim's friends … but most concerning thing is that the attacker could access to victim's private messages exchanged with other users via internal chat feature and it could impersonate the victim in other chat conversations.
Following the evidences provided by the team of analysts in their blog post, Opening Ruzzle on a mobile device, the app perform the login process through a request using a classic HTTP POST method:
the POST above is the request originated by the client, containing the right parameters submitted through the application (in our case the login process is performed through the integration with the Facebook authentication).
A showed in the above statement all information related to users identity are included in the json structure sent as response, this data could be easy intercepted and manipulated, for example simply modifying the value of parameter userId used to identify the victim.
"To obtain the value of a userId is enough to intercept the regular traffic generated by Ruzzle while challenging the chosen victim. We proceeded in tampering the value of the userId parameter with the one assigned to our victim:"
Once done this, the last step is to tamper few other parameters inside of the refreshCache POST. The parameters that need to be tampered are the following cacheKey values:
- listRequests_NNNNNNNNN
- listInvites_NNNNNNNNN
- listActiveGames_NNNNNNNNN
- list_FinishedGames_NNNNNNNNN
The NNNNNNNNN represent the userId that in the POST originated by Ruzzle contains the legitimate value of the userId cached by the app. Submitting these cacheKey values tampered with the victim's userId in the numeric part after the underscore is the final step. The json response to this POST indeed loads into the Ruzzle app all data about the victim's account as briefly reported under.
At this point the attack is completed, Ruzzle client on the mobile device has access to victim's account including all information described above.
What is the lesson that Hacktive Security team has given us?
Different are the element of discussion starting from the study of Italian team, first consideration is related to level of exposure of user due the his ordinary access to internet, also a simple application could be exploited by attackers that could violate our privacy. Be aware of which applications to use, and in which context, today high debated is argument of BYOD, the improper use of applications in workspace could expose sensitive information of company with serious consequences.
Second consideration is related to the design of mobile application and the necessity to consider user's security at first place, even if we are developing a video game. Mobile devices are powerful platforms and attackers could exploit them for various purposes, video game are principal vector of infection and could be used in a simple way to gather access to user's devices.
The app world is increasing in impressive way pushed by the explosion of mobile market, but we cannot forget that apps run also in other context, such as of appliances, due this reason I believe that software produced have to recognize and share a set of minimum requirements related to security … I hope that in the future is will be not so simple access to data managed by an application like Ruzzle.
