To this end, we had arrived at the point where, if we were a little more malicious, we could read Steve Wozniak's mail, peruse his calendar, follow his physical location on Google Maps and embed JavaScript in his MobileMe account for continued access.
Performing authentication on a massive userbase with whom there is zero offline interaction is hard, especially when it comes down to the degraded authentication required by password reset processes. Considering that web interfaces appear to be the dominant channel by which cloud services are managed (we touch on the implications here), a flawed password reset process can mean that attackers gain access to more than simply your mail.
In August last year, TechCrunch published a way to enumerate usernames on MobileMe. We abused this further to target a specific user on MobileMe in order to reset his password. As the video shows, the process only requires a birthdate (which is generally obtainable through Facebook, Wikipedia, Amazon wishlists or the like) and a secret question. Again, with enough digging the answer to the secret question is often guessable. In the video above we show a toy example of the password reset working against a SensePoster.
This video demonstrates an XSS vulnerability that we found in the iPhone/MobileMe integration. JavaScript inserted into the iPhone's name was displayed on the "Find My iPhone" page on MobileMe. Some slight trickery was required: the name was truncated at two points in the page but passed through untouched at three others, so by extending the name and placing the JavaScript past the truncation point we solved this issue.
Apple has since patched this bug.
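The truncation detail above, as an added example that is not code from the original post or from Apple: a constructed "Find My iPhone"-style page that reflects a device name into four slots, two truncated and two not, first with no output encoding and then with encoding matched to each slot's context. The function names, the 20-character limit and the device string are assumptions.

```python
import html
import json

# Constructed limit: the slots that truncate the name keep only this many characters.
TITLE_LIMIT = 20

# Constructed device name: the markup sits past TITLE_LIMIT, so truncated slots drop it
# while the untruncated slots reproduce it in full, mirroring the behaviour described above.
DEVICE_NAME = "Steve's iPhone number 2 <b>bold</b>"


def render_vulnerable(name: str) -> str:
    """Interpolate the device name into four page slots with no output encoding."""
    short = name[:TITLE_LIMIT]
    return (
        f"<title>Find My iPhone: {short}</title>\n"       # truncated slot
        f"<h1>{short}</h1>\n"                              # truncated slot
        f"<p class='device'>{name}</p>\n"                  # full name, HTML context
        f"<script>var deviceName = '{name}';</script>\n"   # full name, JavaScript context
    )


def render_hardened(name: str) -> str:
    """Same layout, but every slot encodes the name for the context it lands in."""
    short = name[:TITLE_LIMIT]  # truncate the raw value first, then encode the result
    # JSON-encode for the script slot and also escape '<' so a name containing
    # '</script>' cannot close the script element early.
    js_literal = json.dumps(name).replace("<", "\\u003c")
    return (
        f"<title>Find My iPhone: {html.escape(short)}</title>\n"
        f"<h1>{html.escape(short)}</h1>\n"
        f"<p class='device'>{html.escape(name)}</p>\n"
        f"<script>var deviceName = {js_literal};</script>\n"
    )


def raw_markup_slots(page: str, marker: str = "<b>bold</b>") -> int:
    """Count how many times the name's markup reached the page unencoded."""
    return page.count(marker)


if __name__ == "__main__":
    print("vulnerable slots:", raw_markup_slots(render_vulnerable(DEVICE_NAME)))  # 2
    print("hardened slots:  ", raw_markup_slots(render_hardened(DEVICE_NAME)))    # 0
```

The check counts only the untruncated slots in the vulnerable page, which is exactly why lengthening the name past the limit was enough to reach them.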
Finally, we demonstrate the password reset attack against Woz's MobileMe account. We stopped before actually resetting his password, but in his own words he stores mail, calendaring info and other information that is sensitive to him on MobileMe, and the ability to XSS the page would mean that the continued compromise of the account was possible.