[BreachExchange] Leaky API exposes Black Hat attendees’ personal data

Destry Winant destry at riskbasedsecurity.com
Wed Aug 22 23:23:34 EDT 2018


http://www.itpro.co.uk/security/31762/leaky-api-exposes-black-hat-attendees-personal-data

One of the world's biggest cyber security conferences was put in an
awkward position after a poorly-secured API enabled a security
researcher to download the personal details and contact information of
every attendee.

The annual Black Hat conference in Las Vegas is among the most
anticipated events in the infosec calendar, with hackers, security
researchers and law enforcement officials alike descending on Nevada
for a week of demonstrations, hands-on sessions and general security
knowledge-sharing.

The nature of the conference, as well as the adversarial relationship
between some of the groups in attendance, means that OpSec (or
operational security) is a priority for guests at the show. This is
precisely why security researcher NinjaStyle was surprised to discover
that a flaw had left Black Hat attendee data exposed.

Like many conferences, the badges issued to Black Hat attendees
include an NFC tag, which exhibitors at the show can scan to collect
details used for marketing purposes. After investigating this tag,
NinjaStyle discovered that it included a link to download business
card reader app BCard.

NinjaStyle downloaded and decompiled the app and found the API
endpoint it used to fetch attendee data from the server. After working
out which parts of the code supplied the event ID and the badge ID, he
used those two values to request his own record from the BCard server.

"To my surprise, I was able to pull my attendee data completely
unauthenticated over this API," he explained in a blog post. "Next, I
did some math to determine the feasibility of brute forcing all
BlackHat attendees."

"The rate at which we were able to brute force the API would mean that
we could successfully collect all BlackHat 2018 registered attendees'
names, email addresses, company names, phone numbers, and addresses in
only approximately 6 hours."
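The lookup described above (an endpoint that returns an attendee record for an event ID and a badge ID with no authentication) and the brute-force feasibility estimate in the quote, modelled as an added example. This is illustrative Python written for this post, not BCard's or NinjaStyle's code; the event ID, badge IDs, records, exhibitor key, per-badge token scheme and request rate are all constructed assumptions. It places the vulnerable lookup beside a hardened one that requires an authenticated exhibitor and an unguessable per-badge token, and shows that walking the badge ID space against the hardened version yields nothing.

```python
"""Hypothetical model of an unauthenticated badge-lookup API (the class of
flaw described in the article) beside a hardened version.

Illustrative code for this post, not BCard's or Black Hat's. Every name,
ID, record and rate below is a constructed assumption.
"""
import hmac
import secrets

# Constructed sample data: a few attendees of one (assumed) event.
EVENT_ID = "EVT-2018"
ATTENDEES = {
    (EVENT_ID, 1001): {"name": "Alice Example", "email": "alice@example.com"},
    (EVENT_ID, 1002): {"name": "Bob Example", "email": "bob@example.com"},
    (EVENT_ID, 1003): {"name": "Carol Example", "email": "carol@example.com"},
}


# --- Vulnerable design: a small sequential badge ID is all that is needed. ---
def lookup_insecure(event_id, badge_id):
    """Return the record for (event, badge) with no authentication at all.
    Because badge IDs are sequential integers, anyone can enumerate them."""
    return ATTENDEES.get((event_id, badge_id))


def enumerate_insecure(event_id, id_range):
    """Attacker's view: walk the badge ID space and keep every hit."""
    found = {}
    for badge_id in id_range:
        record = lookup_insecure(event_id, badge_id)
        if record is not None:
            found[badge_id] = record
    return found


def hours_to_enumerate(id_space_size, requests_per_second):
    """Feasibility estimate: wall-clock hours to try every ID at a given rate.
    (Inputs are assumptions; the article does not give the real figures.)"""
    return id_space_size / requests_per_second / 3600.0


# --- Hardened design: authenticated caller plus a per-badge secret. ---
EXHIBITOR_KEYS = {"exh-key-7f3a": "Acme Booth"}  # constructed exhibitor credential

# The NFC tag carries a random 128-bit token instead of the bare badge ID,
# so knowing (event, badge_id) alone is not enough to fetch a record.
BADGE_TOKENS = {key: secrets.token_hex(16) for key in ATTENDEES}


class Unauthorized(Exception):
    """Raised when the caller is not entitled to the requested record."""


def lookup_secure(event_id, badge_id, badge_token, api_key):
    """Return a record only if the caller presents a valid exhibitor key AND
    the badge's secret token, i.e. has actually scanned that badge."""
    if api_key not in EXHIBITOR_KEYS:
        raise Unauthorized("unknown exhibitor key")
    expected = BADGE_TOKENS.get((event_id, badge_id))
    # Constant-time comparison so the check does not leak token bytes.
    if expected is None or not hmac.compare_digest(expected, badge_token):
        raise Unauthorized("badge token missing or wrong")
    return ATTENDEES[(event_id, badge_id)]


def enumerate_secure(event_id, id_range, api_key):
    """Attacker's view against the hardened API: even with a valid exhibitor
    key, guessing badge IDs without the scanned tokens returns nothing."""
    found = {}
    for badge_id in id_range:
        try:
            found[badge_id] = lookup_secure(event_id, badge_id, "0" * 32, api_key)
        except Unauthorized:
            pass
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("insecure:", sorted(enumerate_insecure(EVENT_ID, ids)))
    print("secure:  ", sorted(enumerate_secure(EVENT_ID, ids, "exh-key-7f3a")))
    print("hours for 21600 IDs at 1 req/s:", hours_to_enumerate(21600, 1.0))
```

In a real deployment the hardened endpoint would additionally be rate-limited per exhibitor key and log failed lookups, so that a burst of Unauthorized results is visible to the operator; the per-badge token, not rate limiting, is what removes the enumeration attack itself.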

The issue, which BCard blamed on a "legacy system", has now been
fixed, and NinjaStyle noted the quick work of the BCard team, stating
that it was resolved "within 24 hours of initial contact".

It should be noted that the breach was not directly due to a lapse in
security on the part of Black Hat's organisers and there is currently
no indication that this flaw has been maliciously exploited.

