It recently occurred to me that many of the classic "password recovery" questions, while personal in nature, are exactly the types of questions you would ask when trying to get to know someone -- such as in a dating context. With this in mind, I decided to explore how online dating services could potentially be used to target victims and then gain access to their online accounts by discovering the answer(s) to their password recovery questions.
How we built the bot
I went through quite a few options for how to approach this. I eventually stumbled upon a site called PersonalityForge, which hosts an entire geek sub-culture of people who code chat bots with the intent of making them as realistic as possible. While nowhere near perfect, I did manage to find a "flirty" female chat bot that I hoped would do the trick. I introduce to you, Amanda20...
How it works
Using the Python mechanize library, I used browser emulation to "chat" with Amanda20 in one emulated browser, and to log in to a dating site and chat with my target victim in another. The two emulated browsers relay messages between the bot and the victim, in the hope that the victim would believe they were chatting with a real person.
Messages are routed back and forth to keep the conversation going; certain pieces of information are swapped out using string substitution, and recovery questions are periodically injected into the conversation.
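A defensive counterpart to the message-routing and question-injection mechanism just described, added here as an example and not code from the original post or the Amanda20 bot: a heuristic that scores inbound chat messages for classic recovery-question probes and flags a conversation once several distinct probes appear. The sample conversation is constructed, and the probe patterns and threshold are assumptions of mine, not anything from the post.

```python
import re

# Constructed phrasings that mirror classic account-recovery questions.
# Patterns are deliberately loose so casual chat wording still matches.
PROBE_PATTERNS = [
    ("mothers_maiden_name", re.compile(r"\b(mom|mother|mum)'?s?\b.*\bmaiden\b", re.I)),
    ("first_pet",           re.compile(r"\b(first|1st)\b.*\bpet\b|\bpet'?s?\b.*\bname\b", re.I)),
    ("birth_city",          re.compile(r"\b(born|birth)\b.*\b(city|town|where)\b|\bwhere\b.*\bborn\b", re.I)),
    ("first_car",           re.compile(r"\b(first|1st)\b.*\bcar\b", re.I)),
    ("high_school",         re.compile(r"\bhigh\s*school\b|\belementary\b", re.I)),
    ("employer",            re.compile(r"\b(where|who)\b.*\bwork\b|\bemployer\b", re.I)),
]

# Constructed sample of inbound messages from one counterparty.
SAMPLE_INBOUND = [
    "hey :) how's your day going?",
    "what city were you born in? i love hearing where people are from",
    "aww do you have pets? what was your first pet's name?",
    "lol what's your mom's maiden name, mine is super weird",
    "so what do you do, where do you work?",
]


def score_message(text: str) -> list[str]:
    """Return the labels of every recovery-question probe the message matches."""
    return [label for label, pat in PROBE_PATTERNS if pat.search(text)]


def flag_conversation(messages: list[str], threshold: int = 2) -> dict:
    """Aggregate probe hits over a whole conversation.

    One 'where are you from?' is normal small talk; several distinct
    recovery-style probes from the same counterparty is the signal worth acting on.
    """
    hits: dict[str, int] = {}
    for msg in messages:
        for label in score_message(msg):
            hits[label] = hits.get(label, 0) + 1
    return {"distinct_probes": len(hits), "hits": hits, "suspicious": len(hits) >= threshold}


if __name__ == "__main__":
    print(flag_conversation(SAMPLE_INBOUND))
```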
And the results???
Some caught on...
Some became amusingly hostile...
Some were even bots themselves (though less sophisticated)...
But mostly, it just worked...
Or the live version if you are up for some brief entertainment...
Targeted Attacks
This probably doesn't seem as concerning, since people are anonymous on dating sites. And if I don't know who you are, then I can't break into your online services, right? But with some clever Google dorking and reverse image searches, we can quickly identify who people are in cases of username or photo reuse. We were even able to find and target victims at specific companies.
But if that doesn't work...just program the bot to ask. In addition to their recovery questions, apparently people are more than willing to tell you who they work for too.
Proof of Concept Code
Below is the GitHub repository with the proof-of-concept code. Because this was just a quick proof-of-concept to demonstrate the potential risk, the code is admittedly not well documented or commented, and I have no intention of supporting it. But please feel free to reference it if interested.