The final installment of our BlackHat video series showcases weaknesses in the password reset feature of Apple’s MobileMe service and publicizes an XSS vulnerability in the application. At first glance the choice of MobileMe may seem arbitrary, but it was useful for a number of reasons. MobileMe is one of the more popular consumer-focused cloud services and it’s a good example of the feature-creep that’s a hallmark of cloud systems. By compromising a user’s MobileMe account an attacker has access to much more than just the user’s mail. With each new feature addition the user is sucked into the service a little more, until most of their data is stored within MobileMe and a compromise of the account becomes serious for the user.
Apple’s MobileMe product (formerly .Mac) provides users with a number of subscription-based services for working and living online, including push mail, contacts, calendaring, storage, photos and iPhone integration. These are delivered via a web interface and the infrastructure is managed by Apple.
Video 1: Password Reset
Performing authentication on a massive userbase with whom there is zero offline interaction is hard, especially when it comes down to the degraded authentication required by password reset processes. Considering that web interfaces appear to be the dominant channel by which cloud services are managed (we touch on the implications here), a flawed password reset process can mean that attackers gain access to more than simply your mail.
In August last year, TechCrunch published a way to enumerate usernames on MobileMe. We abused this further to target a specific user on MobileMe in order to reset his password. As the video shows, the process only requires a birthdate (which is generally obtainable through Facebook, Wikipedia, Amazon wishlists or the like) and a secret question. Again, with enough digging the answer to the secret question is often guessable. In the video above we show a toy example of the password reset working against a SensePoster.
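The flaw above is a reset flow built on facts an attacker can look up, reached through an endpoint that also confirms which usernames exist. As an added, hypothetical example (not Apple’s code, nor SensePost’s), here is the shape of a reset endpoint that closes both gaps: the reply is identical whether or not the account exists, and possession of a random, single-use, time-limited token sent to the recovery address replaces birthdate and secret question, with guesses throttled. The user store, outbox and limits are constructed stand-ins.

```python
import hmac
import secrets
import time

# Constructed in-memory user store (hypothetical; not MobileMe's data model).
USERS = {"alice": {"email": "alice@example.invalid"},
         "bob": {"email": "bob@example.invalid"}}

TOKEN_TTL = 15 * 60          # seconds a reset token stays valid
MAX_ATTEMPTS = 5             # token guesses allowed per account per window
ATTEMPT_WINDOW = 60 * 60     # seconds

_tokens = {}     # username -> (token, expiry)
_attempts = {}   # username -> (count, window_start)
OUTBOX = []      # stands in for the mail channel; a real service would email

GENERIC_REPLY = "If that account exists, reset instructions have been sent."

def request_reset(username, now=None):
    """Begin a reset. The reply is the same for known and unknown accounts,
    so the endpoint cannot be used to enumerate usernames. No birthdate or
    secret question is consulted: proof of control of the recovery channel
    replaces guessable facts about the user."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        _tokens[username] = (token, now + TOKEN_TTL)
        OUTBOX.append((user["email"], token))
    return GENERIC_REPLY

def _throttled(username, now):
    """Count attempts per account in a sliding window; True once over the cap."""
    count, start = _attempts.get(username, (0, now))
    if now - start > ATTEMPT_WINDOW:
        count, start = 0, now
    count += 1
    _attempts[username] = (count, start)
    return count > MAX_ATTEMPTS

def complete_reset(username, token, new_password, now=None):
    """Consume the token: single use, time-limited, compared in constant time."""
    now = time.time() if now is None else now
    if _throttled(username, now):
        return False
    stored = _tokens.get(username)
    if stored is None or now > stored[1] or not hmac.compare_digest(stored[0], token):
        return False
    del _tokens[username]                 # single use
    USERS[username]["password"] = new_password
    return True
```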
Video 2: XSS in iPhone name
Apple has since patched this bug.
Video 3: Woz’s mail
Finally, we demonstrate the password reset attack against Woz’s MobileMe account. We stopped before actually resetting his password, but in his own words he stores mail, calendaring info and other information that is sensitive to him on MobileMe, and the ability to XSS the page would mean that continued compromise of the account was possible.
The reliance on web interfaces to control cloud services has unintended consequences. With the feature-creep that takes place, more and more of our data is placed in the cloud, yet the security controls remain at the level used to protect Hotmail or Amazon bookstore accounts. By piecing together publicly available information, we can generate a profile that is sufficiently complete for a password reset, which points to flaws within the reset process itself.