Saturday, February 12, 2011

Privacy Security bug in Facebook

Under certain circumstances Facebook shows you the email addresses of your friends, even if they are marked with the privacy setting "Only Me", which should mean that nobody else can see them.



In this screenshot you can see such a setting. Actually, I would recommend not storing any information on Facebook that nobody should see. But maybe you want to log in to Facebook with an email address that is separate from all other emails you use, or you need to add your company's email to join a Facebook network, or you just want to hide this temporarily, or whatever.

When a new person joins Facebook, Facebook wants them to get their profile updated and to find new friends as soon as possible, so you get these notices that the person is new on Facebook, asking you to suggest friends he or she might also know. This is very useful to connect people and to get them quickly up to speed.

Unfortunately there is a slight glitch in this mechanism. When you suggest that the new person connects with somebody else and they become friends, you get a notification email telling you that the two people are now connected. This email contains a link to suggest more contacts to the new person. The link also contains your login email, so that you only have to enter your password. The problem is that it doesn't contain your email, but erroneously the one of the person new to Facebook. That way you can see the email of the person new to Facebook, independently of the privacy setting for this email.

So if you want to exploit this, you can suggest new friends to a person. If that person accepts any suggestion and you get a confirmation email, you can see the main Facebook email that the person uses. People often just accept friend requests if the people are from the same company or other group, even if they don't really know them, so the chances are high that you could obtain new email addresses this way.

Here's an example of such an email. Black are my personal details (email, my name, user id or other information), red is the person who added the new, yellow-marked user. The first yellow mark is the full name, the second yellow mark is the first name only, and the right yellow mark is the secret email of the new user, where my own email should actually appear.


Mitigating factors:
  • Exploiting this only works for friends, as you can only suggest new friends to your own friends.
  • The person has to accept a friend suggestion.
  • The only secret you can see is the person's main login email. In many cases this email is already known.
  • The bug has since been fixed by Facebook, but was open for several months, if not years.
  • Sometime between September 2009 and July 2010 Facebook changed the format of the link in this email. In the old version no email was visible in the link. It is unknown which email was displayed when the link was clicked, so possibly the bug was introduced at that time.
Timeline:
  • 31-Dec-2010 After finding the bug, I immediately tweeted about it. Looking back now, I know I shouldn't have done this, but nobody noticed anyway.
  • 31-Dec-2010 I thought about this again and decided to contact Facebook. Because I didn't find a security contact, I notified the abuse support department and only told them that I found a security problem, without any details.
  • 14-Jan-2011 Lillie from User Operations asked me for the details. A day later I replied to her with the details.
  • 19-Jan-2011 Lillie replied "Thanks for bringing this to our attention. We are investigating this matter and are working to get this issue resolved as soon as possible. We appreciate your report."
  • 06-Feb-2011 I received a suggestion-confirmation email with the corrected link. Facebook never replied that it was solved.
  • 12-Feb-2011 This blog was created and the problem made public.
In case you need to contact me for any questions, you can reach me on Twitter (@SwissHttp).

Monday, August 30, 2010

The truth about shsh

I see many users in the forums saying "I have successfully downgraded from 4.0.2 to 4.0.1. You don't need shsh backup, I don't even know what it is". Or another one says "I downgraded my new out-of-the-box 3GS phone; you don't need shsh backups". Or another person says "I downgrade every day more than 10 iPhones 3GS without shsh backup." Or somebody says "This works only for 3GS, but not for iPhone 4." Others are asking "It didn't work for you? Where do you live? Maybe it only works in U.S." There are hundreds of reports of people successfully downgrading their iPhones from 4.0.2 to 4.0.1 without knowing what shsh backups are. I want to explain this in detail in this blog.

First of all, here is a tutorial for the n00b users on how to downgrade. You can skip this if you know what to do and are only interested in the explanation of why it doesn't work without an shsh backup.

First method:
  1. Go to http://www.felixbruns.de/iPod/firmware/ and download the firmware 4.0.1 for your iPhone. Make sure you select the correct phone. If you download the version for iPhone 4 and you have an iPhone 3GS it won't work of course.
  2. Make sure the downloaded file has the file extension *.ipsw. Some browsers (Internet Explorer, Firefox) rename it when you download it. To rename the file extension, you first have to make extensions visible. In Windows Explorer (not Internet Explorer), go to menu Tools, Folder Options. Then select the View tab. Make sure the option "Hide extensions for known file types" is not set. Look at the downloaded file and if it ends with *.rar or *.zip, rename it to *.ipsw.
  3. Open Windows Explorer and go to the folder C:\Windows\System32\drivers\etc. There is a file called "hosts". This is for Windows users. Mac users will have the same file, but probably in another folder. Open that file with Notepad. Usually you can just double-click on it and select Notepad from the list.
  4. Edit this hosts file. Usually there are lots of lines of comments (starting with #) and two lines declaring the localhost:
    127.0.0.1 localhost
    ::1 localhost
    Now add a new line at the end:
    74.208.105.171 gs.apple.com
  5. Save this file. If you cannot save or edit it, make sure it is not set with an attribute to read-only.
  6. Now start iTunes and connect your iPhone. If iTunes doesn't recognize your phone, you have to put it into DFU mode first (not described here). Select your device in the DEVICES list on the left side. On the right side there are three areas (iPhone, Version, Option). Hold down the Shift key (Apple users the Option key) and click on the Restore button in the Version area.
  7. Now you can select the downloaded *.ipsw file and downgrade your iPhone.
Second method:
  1. Do steps 1 and 2 from the previous method.
  2. Download the latest version of TinyUmbrella: http://thefirmwareumbrella.blogspot.com/
  3. Donate something to semaphore for his great tool if you want.
  4. TinyUmbrella requires Java 32-bit to run. It doesn't work with 64-bit Java. Download and install Java from here: http://www.java.com/en/download/manual.jsp and make sure you don't install another toolbar you don't need.
  5. Start TinyUmbrella (Windows Vista and Window 7 users have to right-click and select "Run as administrator").
  6. Enable the "Advanced Options" checkbox.
  7. In "Request From" make sure "Cydia" is selected. In "Device/Version" make sure you select the version you want to downgrade to.
  8. Click on "Save My SHSH".
  9. If no error occurred, you can click on the "Start TSS Server" button.
  10. Continue with step 6 of the above first method.
If you received an error in iTunes while trying to downgrade, like "Error 3194" or "This device isn't eligible for the requested build" or similar, or if with the second method you receive an error message in TinyUmbrella, this means you cannot downgrade to that version. If you tried 4.0.1, you can still retry with version 4.0. Make sure you downloaded the matching firmware.

Now, what is an shsh backup, why is all of that needed, what does the hosts file do, and why does it work for some users but not for others?

When iTunes tries to install a firmware on your phone, the first thing it does is get the ECID of your phone (something similar to your serial number) and the identity of the firmware (actually it's not the version number, it's the hashes of the firmware components etc., but no details here) and send a request to Apple asking whether this phone may install this firmware build. The Apple server answers with a certificate, the shsh file we are talking about here, and a success/fail flag. If it was successful, iTunes sends the new firmware and the shsh file to your phone. Your phone checks whether the certificate (the shsh) is valid. Because this check is done within your phone, you cannot circumvent it. And this certificate cannot be generated anywhere else, because to generate it you need the private key that only Apple has. If your phone says that the certificate is ok, it installs the new (or old) firmware.

When a new firmware comes out, Apple can simply decide that you are no longer allowed to install any old version of the firmware, just by refusing to return a certificate. Because you cannot generate this certificate yourself, there is no way to downgrade. And you cannot take the certificate of your friend's phone, because the certificate is different for every ECID (like the serial number of the phone).

Now what can be done to downgrade? We can use a replay attack. This means we just record all traffic and replay the situation later. This is how the whole process works. During the time when Apple signs a firmware (Apple signed firmware 4.0.1 until August 19, 2010) you can just save this shsh certificate. Now that Apple doesn't sign firmware 4.0.1 anymore, we still have this shsh certificate and can return it to iTunes, and iTunes to your phone. That way you can still install this old firmware that Apple no longer allows you to install.

How does this work in detail? Saurik, the owner of Cydia, does this for you. He has set up a server that works exactly like Apple's certificate server. When you ask Saurik's server for permission to install a specific firmware, it returns the shsh certificate to you. This is done by changing the hosts file. iTunes still "thinks" it is asking Apple's server gs.apple.com, but the IP address 74.208.105.171 actually belongs to telesphoreo.org. This is Saurik's server, or Cydia's server. That way iTunes gets fooled and gets the certificate not from Apple, but from Cydia (first method). But there is one problem. The Cydia server cannot "produce" these certificates like Apple can. But it can save them in a big database while they are available. You just have to tell Cydia the ECID of your device, and from then on Cydia saves all your shsh certificates and can give them back to iTunes later when you want to downgrade.

When you ask the Cydia server for a specific version of shsh for your phone, it first looks in its database and if it's there, it gives it back to the requestor. If Cydia doesn't have the shsh, it asks Apple for the file. If Apple still issues the shsh files, Cydia stores it in its database from then on. When you run TinyUmbrella and select Cydia, the same happens. If you have ever jailbroken your device and run the Cydia tool, it probably asked you if you want to "make your life easier" (if it didn't crash on the first run). If you selected yes there, then your ECID is stored in Cydia's database and Cydia will try to get the shsh certificates for all new firmware versions that come out.

Method 2 is a little different. TinyUmbrella has the button "Save My SHSH". Clicking this button does not save the shsh to Cydia, but it asks Cydia whether it has the requested shsh. If not, it tries to get it from Apple and then stores it in Cydia. But the main thing is that after clicking that button, a copy of the shsh file is saved on your PC. It goes into the folder C:\Users\[your name]\.shsh (for Windows users). You can click on the button "Display SHSHs" to show the versions of SHSH that are stored locally on your PC. When you run the TSS Server, the hosts file also gets changed. But here it gets changed to point to your PC itself. So if iTunes asks gs.apple.com, it asks your PC. Your PC (TSS Server) will answer with the shsh file from the folder mentioned before. This is the same as before, but instead of asking the Cydia server, you're doing it on your PC. This avoids the dependency on the Cydia server, but is otherwise the same.
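To make the flow of the last few paragraphs concrete, here is an added toy model (not Apple's, Cydia's or TinyUmbrella's code): a signer issues tickets bound to an ECID and a build only while that build is in its signing window, a cache in the role of Cydia or the local TSS server stores them, and the device-side check accepts a replayed ticket after the window has closed but rejects a ticket issued for another ECID. An HMAC over a constructed shared secret stands in for Apple's private-key signature, so only the keyed verification is modelled, not the asymmetric key split; the ECIDs and build strings are constructed sample values.

```python
import hmac
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for Apple's signing key; in the real scheme the device
# holds only a public verification key and cannot produce tickets itself.
VENDOR_KEY = b"constructed-vendor-secret"


def _ticket_message(ecid: str, build: str) -> bytes:
    # The ticket covers the device identity AND the firmware build, so a ticket
    # for one phone or one build is useless for any other.
    return f"{ecid}|{build}".encode()


def sign_ticket(ecid: str, build: str, signing_window: Set[str]) -> Optional[bytes]:
    """Signing server (the gs.apple.com role): issue a ticket only while `build` is signed."""
    if build not in signing_window:
        return None  # Apple simply refuses to return a certificate
    return hmac.new(VENDOR_KEY, _ticket_message(ecid, build), hashlib.sha256).digest()


def device_accepts(ecid: str, build: str, ticket: Optional[bytes]) -> bool:
    """Device-side check: the ticket must be bound to this ECID and this build."""
    if ticket is None:
        return False
    expected = hmac.new(VENDOR_KEY, _ticket_message(ecid, build), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket)


class TicketCache:
    """Cydia / TSS-server role: fetch tickets while issued, replay them afterwards."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str], bytes] = {}

    def request(self, ecid: str, build: str, signing_window: Set[str]) -> Optional[bytes]:
        key = (ecid, build)
        if key not in self.store:  # not cached yet: ask the real signer
            ticket = sign_ticket(ecid, build, signing_window)
            if ticket is not None:
                self.store[key] = ticket
        return self.store.get(key)  # cached copy is served even after the window closes


def scenario() -> Dict[str, object]:
    cache = TicketCache()
    cache.request("ECID-A", "4.0.1", {"4.0.1", "4.0.2"})       # ECID-A registered while 4.0.1 signed
    direct = sign_ticket("ECID-A", "4.0.1", {"4.0.2"})          # window closed: signer refuses
    replayed = cache.request("ECID-A", "4.0.1", {"4.0.2"})      # cache still has the old ticket
    return {
        "direct_after_window": direct,
        "replay_ok": device_accepts("ECID-A", "4.0.1", replayed),
        "b_cached": cache.request("ECID-B", "4.0.1", {"4.0.2"}),   # never registered: nothing to replay
        "b_with_a_ticket": device_accepts("ECID-B", "4.0.1", replayed),  # A's ticket fails on B
    }
```

Seen from the defender's side, the model also shows why a ticket bound only to static identifiers can be replayed indefinitely; including a fresh device-generated nonce in the signed message is the standard way to close that gap.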

This is why you cannot downgrade without a backup of the shsh. And "having a backup" just means that Cydia has a backup of the shsh file in its database. Even users that have no idea how this works may have their shsh file backed up there.

Now what about the users that buy a brand-new iPhone 3GS 8GB, unwrap the box, find iOS 4.0.2 installed and can downgrade to 4.0.1 using one of the two methods above? They also had the shsh backup for 4.0.1 on Cydia. But how did it get there?

Well, I don't know what happened to your iPhone, because I simply don't know the whole history of your device. A co-worker of mine has an iPhone 3GS. He always installed the newest firmware and has never jailbroken his device, according to his statements. When he came back from his vacation a few days ago, he still had firmware 4.0.1 installed. I showed him how easy jailbreaking is; he didn't even have to downgrade, because he was still on firmware 4.0.1. When he ran the Cydia tool, it showed that he had shsh backed up since 3.1.3. This confirms that his ECID has been known to Cydia since then. Maybe someone made a test with his phone, or whatever. But it shows that users don't know everything that has happened to their device. And I would just like to mention that he works in a high-skill IT job, so he's not somebody who doesn't know what he is doing.

Now what about the freshly unwrapped 3GS? Thousands of users return their phone to Apple because the screen has a bright pixel or some other defect. I think that Apple doesn't even produce the iPhone 3GS anymore. So if you buy a new 3GS now, you will actually get a refurbished one. This means that you receive one that has been repaired, with a new display for example. To make it look really new, it gets a new case, etc. But the electronics inside were already in use by someone else. And maybe that person jailbroke the device and thereby saved the ECID to Cydia. You just didn't know. You can look at the serial number of your device. The 3rd, 4th and 5th digits tell you the year and week of production. I'm not sure what it reads for refurbished ones. Maybe they also get a new serial number. But the ECID remains the same in any case.

So why do the above methods work for the 3GS and not for the iPhone 4? Because it is very rare that someone jailbroke your newly bought iPhone 4 before you received it. But the chances for a 3GS are much, much higher.

If you tell me "I have downgraded and I am sure this phone has never been jailbroken before", I just don't believe you. Why? Because you simply don't know. You didn't see how your phone was produced. And probably at some time your friend had it in his hands and clicked jailbreakme or whatever else. You simply don't know.

The fact is that since August 19, 2010 Apple no longer issues shsh certificates for firmware 4.0.1, and there has been no way to get them since then. Without this certificate you simply cannot downgrade. If you did downgrade, you probably did a jailbreak. Start Cydia then. The top line says which versions of the shsh file are on the Cydia server. If it says 4.0.1 there, then voilà, you know that this was the reason. shsh certificates cannot be created by anybody other than Apple, and Apple stopped creating them after August 19, so it cannot have got there through your jailbreak or anything else you have done.

One word about older phones. The old iPhone 3G doesn't have this shsh certificate check built in. This means that you can always downgrade the iPhone 3G to any version. But the new iTunes 9.2 (required for firmware 4.0 and higher) now also checks the shsh certificate. You can still install any version by using another tool like redsn0w.

For a timeline of when which firmware version was signed by Apple, and for some more technical details, see the iPhone Wiki: http://theiphonewiki.com/wiki/index.php?title=SHSH

Thanks for reading. Let me know if this helped you understand how it works. If you have specific questions about downgrading your phone, please post a new thread at the GSM Forum: http://forum.gsmhosting.com/vbb/f456/ I will not answer specific questions here, only general discussions about how this works.

Edit:
There are some reports that by editing the plist file within the ipsw you could still downgrade without an shsh backup. This has been confirmed as not working. See the blog of semaphore, the author of TinyUmbrella.