WIN any quiz : QuizUp iOS App Security Vulnerability

. 4 min read

QuizUp_Logo

Few months back, we reported a serious security vulnerability in the popular gaming app called QuizUp by Plain Vanilla Games.

Plain Vanilla Games is a hugely funded company, with QuizUp being its flagship product so far. According to Wikipedia, the company has 20 million users, and has raised $27.7 million in funding, with over a billion matches being played every single day.

quizup google play

quizup google play 2

Where was the vulnerability

While playing QuizUp, we found it tough to score a perfect 160 in every match. But we wanted to win. And when you want something real bad, you find ways to achieve it.

Step 1 : Figure out the attack vectors

We had an iOS device at that time, and like most of the applications in iOS, there are two most common entry points :

  • Using Cycript to perform runtime manipulation and manipulate app’s functionality (which works in a lot many applications enforcing security restrictions)
  • Traffic Analysis of the network data and figuring out possible security issues in it.

We decided to go with Traffic Analysis as a starting point to figure out the security issues.

Step 2 : Intercepting the traffic

Intercepting network traffic in iOS is the easiest thing possible in the universe, according to me. You just need to go to **Settings | Wi-Fi | HTTP Proxy **and enter local IP of your system on the network in the proxy IP field.

On your system, you can use any proxy tool you feel comfortable with – Burp Suite, Charles Proxy, MITMProxy etc.

We decided to go with MITMProxy as it gives you a much more hackerish feel while using the tool. Oh yeah, it does support additional Python scripts (which we love to write to automate almost anything). You can also check out the Github repo  or the official website.

If you’re using Mac/Ubuntu :

Simply run

pip install mitmproxy

or you could chose to build from the source, whichever you prefer. You could even download the binary package if you’re on Mountain Lion.

Coming back to the QuizUp vulnerability, we set up the proxy on the device and the system, but there we have another issue. You can’t intercept network traffic as usual, due to the implementation of SSL Pinning.

Step 3 : Bypassing SSL Pinning

Many developers assume that simply using HTTPS is the most secure thing to do with an application. For these connections, you could simply add your own certificate (or the certificate by the proxy tool) to the device’s trusted store, and sniff it as the usual HTTP traffic.

Few app developers go ahead and implement SSL Pinning, which validates the certificate being used, and if it matches the original certificate specified by the developer. So here, the usual way of HTTPS traffic interception won’t work.

One of the ways to bypass SSL Pinning is to hook into the method which validates the trustiness of the certificate and make it return true always (or false depending on the scenario).

For iOS, if you don’t want to hook into the methods manually and patch the boolean return value, you can use the tool – SSL Kill Switch by iSec Partners.

Installing SSL Kill Switch is just like installing any other tool on the iOS device. Here are the quick steps on how to do it :

  • Download the debian package from here.
  • SCP the sslkillswitch deb file to your idevice.

      scp sslkillswitch.deb root@[iphone ip address]:/

  • SSH into your device.

      ssh root@[iphone ip address]

  • Install the debian package.

      cd / && dpkg -i sslkillswitch.deb
Once you’ve done this, you’ll need to respring your device using
killall -HUP SpringBoard
after which you’ll be able to see the SSL Kill Switch option in your Settings menu of your iDevice as shown below.

ssl kill switch

Step 4 : Identify the vulnerability

Once you’ve bypassed SSL Pinning and are able to sniff the traffic in your proxy tool, you now need to look at all the packets and think for possible security issues. It took us around half an hour to figure out the vulnerability here, as discussed below.

The vulnerability

When you accept a new challenge on the QuizUp app on your device, as soon as the challenge starts, it receives the response containing the full solution to the entire challenge as a JSON dump. That’s it.

All you need to do, is parse the JSON, figure out the correct answers, and then go to the leaderboard top. \m/

But that wouldn’t be that fun, without writing a python script. So, we wrote the Python script for MITMProxy parsing the json, and displaying the correct answers.

Here’s the script written.

def response(context, flow): res = flow.response; try: if res.content: print("Response Content: -----------------"); print "\n\n\n\n" try: j = res.get_decoded_content() find_answer(j) except Exception, e: print("NO JSON") print("END CONTENT----------------") except Exception as ee: print(str(ee)); def find_answer(json_string): json_obj = simplejson.loads(json_string) questions = json_obj["game"]["questions"] for question in questions: answers = question["answers"] for answer in answers: if answer["correct"]==True: print "\n\n##############################################" print "answer is "+answer["text"] print "##############################################\n\n"

Now, you need to start MITMProxy with the -s flag specifying the script and -p for the port number.

mitmproxy -s quizup.py -p 8080

And you’re all set.

POC Video:

All the vulnerabilities were responsibly disclosed to the QuizUp team, to which they responded immediately and fixed it in the next release of the app.

Signing Off,
Aditya Gupta(@adi1391)

Specials thanks to @r3dsm0k3 of Happily Coded 😉

If you’re interested in more similar kind of mobile security stuff, or would like to find vulnerabilities in mobile apps or secure your own apps, attend one of our trainings or organize one at your organisation.



Attify Team

IoT Security and Penetration Testing

Get IoT Security Training

IoT Pentesting Exploitation Training

Tags

analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave

Instagram