OkStupid and Plenty of Phish

It recently occurred to me that many of the classic "password recovery" questions, while personal in nature, are exactly the types of questions you would ask when attempting to better get to know someone -- such as in a dating context. With this in mind, I decided to explore how online dating services could potentially be used to target victims and then subsequently get access to their online services by discovering the answer(s) to their password recovery questions.

How we built the bot

Went through quite a few considerations on how I wanted to approach this. I eventually stumbled upon a site called PersonalityForge, which seems to be this entire geek sub-culture of people who have coded chat bots with the intent to make them as real as possible. While nowhere near perfect, I did manage to find a "flirty" female chat bot that I hoped would do the trick. I introduce to you, Amanda20...

How it works?

Using the Python mechanize library, I was able to use browsing emulation to "chat" with Amanda20 in one browser, and then login to a dating site and chat with my target victim on another browser. The two emulated browsers allow them to talk to each other, in hopes that the victim would believe they were chatting with a real person.

The messages would be routed back and forth to facilitate the conversation, and then certain pieces of information would be swapped using string substitution, and recovery questions would be periodically injected into the conversation.

And the results???

Some caught on...

Some became amusingly hostile...

Some were even bots themselves (though less sophisticated)...

But mostly, it just worked...

Or the live version if you are up for some brief entertainment...

Targeted Attacks

This probably doesn't seem as concerning, as people are anonymous on dating sites. And if I don't know who you are, then I can't break into you online services, right? But with some clever Google dorking and reverse image searches, we can quickly identify who people are in cases of username or photo reuse. We were even able to find and target victims of specific companies.

But if that doesn't work...just program the bot to ask. In addition to their recovery questions, apparently people are more than willing to tell you who they work for too.

Proof of Concept Code

Below is the github repository with the proof-of-concept code. Because this was just a quick proof-of-concept to demonstrate the potential risk, the code is admittedly not well documented/commented, and I have no intention of supporting it. But please feel free to reference if interested.

OkStupid & Plenty of Phish - Github Repository

Comments

Bypassing CAPTCHA with Visually-Impaired Robots

As many of you have probably noticed, we rely heavily on bot automation for a lot of the testing that we do at Sociosploit. And occasionally, we run into sites that leverage CAPTCHA ("Completely Automated Public Turing Test To Tell Computers and Humans Apart") controls to prevent bot automation. Even if you aren't familiar with the name, you've likely encountered these before. While there are some other vendors who develop CAPTCHAs, Google is currently the leader in CAPTCHA technology. They currently support 2 products (reCAPTCHA v2 and v3). As v3 natively only functions as a detective control, I focused my efforts more on identifying ways to possibly bypass reCAPTCHA v2 (which functions more as a preventative control). How reCAPTCHA v2 Works reCAPTCHA v2 starts with a simple checkbox, and evaluates the behavior of the user when clicking it. While I haven't dissected the underlying operations, I assume this part of the test likely makes determination

Building Bots with Mechanize and Selenium

The Sociosploit team conducts much of its research into the exploitation of social media using custom built bots. On occasion, the team will use public APIs (Application Programming Interfaces), but more often than not, these do not provide the same level of exploitative capabilities that could be achieved through browser automation. So to achieve this end, the Sociosploit team primarily uses a combination of two different Python libraries for building web bots for research. Each of the libraries have their own advantages and disadvantages. These libraries include: Mechanize Pros: Very lightweight, portable, and requires minimal resources Easy to initially configure and install Cuts down on superfluous requests (due to absense of JavaScript) Cons: Does not handle JavaScript or client-side functionality Troubleshooting is done exclusively in text Selenium Pros: Operations are executed in browser, making JavaScript rendering and manipulation easy Visibility of browse

Another "Fappening" on the Horizon?

So in case you aren't fully up-to-speed on useless hacker trivia, "The Fappening" (also sometimes referred to as "Celebgate") was a series of targeted end-user cyber attacks which occurred back in 2014 (which strangely feels like forever in tech years), that resulted in unauthorized access to the iCloud accounts of several prominent celebrity figures. Following these breaches, photographs (for many including personal sexually explicit or nude photos) of the celebrities were then publicly released online. Most evidence points to the attack vector being spear phishing email attacks which directed the victims to a fake icloud login site, and then collected the victim's credentials to subsequently access their real icloud accounts. Migration to MFA In response to these events, Apple has made iCloud one of the very few social web services that implements compulsory MFA ("Multi-Factor Authentication"). But while they might be ahead of the indust

SocioSploit

Search This Blog