“Oh you are logged in on your phone? Let's zoom there”
This is the exploit.
The technical details don't really matter. Web services are extremely difficult to make secure if you cannot trust the computer of a legitimate user who is legitimately authenticating.
The key extraction could be seen as a vulnerability. Likely an OAuth token that the web service passes to the browser, which passes it to the auth service, then the auth service passes a new token to the browser, which then passes it to the web service, which verifies the token and then starts an authenticated session.
There will be a reason that keys are (I'm guessing, as this is the only way it can be leaked to screen sharing) passed as query parameters. Likely load balancers operating on SNI, or it's to rely on basic browser/headers to control the authentication flow, instead of having to have specific browser code (i.e. JavaScript) to take the key and pass it as body data in a POST request without the user's intervention.
Unfortunately it is probably the most secure way of doing it given the restrictions of http, browsers and ease-of-use-for-users.
The lesson is “if you are dealing with a stranger and: you have a bad feeling, you are put under emotional stress, time deadlines, any kind of pressure. STOP.”
That's how scams/phishing etc. work. It engineers you to dismiss any red flags that would normally make you stop.
Sometimes scammers get really lucky and hit you when you are expecting legitimate contact.
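The comment above guesses that the key leaked because it rides in the URL as a query parameter. The standard OAuth mitigation is to let only a short-lived, single-use authorization code travel in the redirect URL and to exchange it for the real session token over a back-channel POST, so a code seen on a shared screen is worthless moments later. The toy below is an added example written for this thread, not code from the service being discussed; the class, the function names and the 60-second lifetime are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlparse

class AuthServer:
    """Toy authorization server, constructed for this example (not a real library)."""
    CODE_TTL_SECONDS = 60  # assumed lifetime of a one-time authorization code
    def __init__(self, clock):
        self._clock = clock    # injectable clock so expiry can be demonstrated
        self._codes = {}       # code -> (user, issued_at)
        self.sessions = {}     # session token -> user

    def issue_code(self, user):
        # The only secret that ever travels in a URL: short-lived and single-use.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, self._clock())
        return code

    def exchange_code(self, code):
        # Back-channel exchange (server-to-server POST in a real deployment); returns
        # a session token, or None if the code is unknown, already used or expired.
        entry = self._codes.pop(code, None)   # pop() makes the code single-use
        if entry is None:
            return None
        user, issued_at = entry
        if self._clock() - issued_at > self.CODE_TTL_SECONDS:
            return None
        token = secrets.token_urlsafe(32)     # the real secret; never put in a URL
        self.sessions[token] = user
        return token

def redirect_url(callback_base, code):
    # Visible on a shared screen, in history, proxy logs and Referer headers.
    return f"{callback_base}?code={code}"

def handle_callback(server, url):
    # Relying party's callback: exchange server-side; the token goes in an HttpOnly cookie.
    code = parse_qs(urlparse(url).query).get("code", [None])[0]
    return server.exchange_code(code) if code else None

def demo():
    # Constructed walkthrough: a glimpsed code is useless once consumed, and once expired.
    now = [1000.0]
    server = AuthServer(clock=lambda: now[0])
    url = redirect_url("https://app.example/callback", server.issue_code("alice"))
    first = handle_callback(server, url)    # legitimate browser completes login
    replay = handle_callback(server, url)   # same URL retyped by an onlooker
    stale = redirect_url("https://app.example/callback", server.issue_code("alice"))
    now[0] += AuthServer.CODE_TTL_SECONDS + 1
    expired = handle_callback(server, stale)
    return first is not None, replay is None, expired is None
```

Pairing this with a PKCE verifier or a state value bound to the browser session closes the remaining window in which a freshly issued code could still be redeemed by someone who saw it.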
Yeah, the stress is key. I’m reminded of how Cory Doctorow recently wrote about how a scammer got him because of lucky (for the scammer) timing because Doctorow was travelling and in a rush, or something similar.
I’m also reminded of how irl predators utilise a similar pressure to the scammers - they leverage our instinct to be polite and avoid violating social norms, in order to keep pushing boundaries. Often the key to avoiding risky situations is to recognise and validate an uncomfy feeling as soon as possible, and get yourself out of that situation rather than talking yourself out of your discomfort.
Also, any legit interaction would cause such a tiny blip from anything you do to protect yourself.
“Hello, I'm phoning from the IRS. We are going to issue an arrest warrant if you don't pay your outstanding bill.”
“Oh my god. Can I have a reference number? I want to phone the IRS back to make sure this is legitimate.”
“Sure, it's {whatever}.”
Find the IRS number via a legitimate website (probably irs (.) gov?) and phone them. The operator isn't going to care. A scammer will apply more pressure.
That's what a normal interaction with a safety check will go like.
And that's absolutely fine.
I guess it's worth extending that to screen sharing.
“Oh, I have to sign in. Let me just stop screen sharing.”
It fucking sucks that there are people that leverage, exploit and scam.
It's bullshit this has happened, and I'm glad that this story is being told.
It raises awareness; hopefully other people can learn from this. And I hope they get their account back (I'm surprised that support channels didn't give access back, or at least restrict the account).