2025-04-14 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
How to use the BCard API to enumerate registered attendees: many newcomers are not clear about this, so the editor explains it in detail below for anyone who needs it, in the hope that you gain something from it.
BlackHat is one of the largest cyber security events in the world and is held in Las Vegas every summer. Anyone who has attended BlackHat may have noticed that their badge contains an NFC tag. This tag is scanned at the booths in the Business Hall so that vendors can collect marketing data: name, address, company, job title and phone number. After BlackHat, attendees whose badges were scanned by various vendors receive a stream of marketing emails. What I didn't realize at first was that this data is actually stored inside the tag itself.
During the BlackHat training, the badge and lanyard kept making noise around my neck, so I took it off and put it on the table next to me. When I set my phone on top of it, I saw a notification that the phone could read the NFC tag. Out of curiosity, I downloaded a tag reader app, looked at the data stored on my tag and made some observations:
Looking at the data above raised some questions: how did the vendors get my email address? Is all of my data stored on the card, with only part of it encrypted? Is there an API that can be used to extract the rest of the data? A few days later, I decided to revisit this and downloaded the BCard APK. I used the Jadx tool to decompile the APK into Java source code and started searching the output for any potential API endpoints.
./jadx-gui ~/Desktop/bcard.apk
grep -R "http.*://"
Next, I did some math to determine whether brute-force enumeration of all BlackHat attendees was feasible. After hundreds of attempted requests in the ranges 0-100000 and 000000-100000 returned no valid badges, I concluded that these were probably not valid ID ranges. We can therefore assume that valid IDs lie in 100000-999999, which leaves 900000 requests. With an estimated 18000 BlackHat attendees, we can assume that roughly 2% of those requests would return a valid badgeID.
At the rate at which we could hit the API, this means we could collect the names, email addresses, company names, phone numbers and addresses of every registered BlackHat 2018 attendee in approximately 6 hours.
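The weakness described above is a lookup API keyed on a small, sequential ID space with no per-client rate limit, so a defender has two levers: spot sequential-ID sweeps in the access logs, and make the identifier space too large to sweep. The following is an added, defender-side example written for this article; it is not code from the original write-up, from BlackHat or from the BCard vendor. The endpoint path /api/badge/<id> is a hypothetical placeholder (the article names no endpoint), and the log lines are constructed, but the detector generalizes to any lookup endpoint keyed on a numeric ID.

```python
import re
from collections import defaultdict

# Constructed access-log sample in Common Log Format. One client walks badge
# IDs in order and mostly receives 404s (an enumeration pattern); another
# looks up two specific badges and gets 200s (a normal booth scanner).
# The path prefix /api/badge/ is a hypothetical placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2018:10:00:01 +0000] "GET /api/badge/100001 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:01 +0000] "GET /api/badge/100002 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:01 +0000] "GET /api/badge/100003 HTTP/1.1" 200 312
203.0.113.7 - - [09/Aug/2018:10:00:02 +0000] "GET /api/badge/100004 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:02 +0000] "GET /api/badge/100005 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:02 +0000] "GET /api/badge/100006 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:03 +0000] "GET /api/badge/100007 HTTP/1.1" 404 0
203.0.113.7 - - [09/Aug/2018:10:00:03 +0000] "GET /api/badge/100008 HTTP/1.1" 404 0
198.51.100.20 - - [09/Aug/2018:10:00:05 +0000] "GET /api/badge/245817 HTTP/1.1" 200 298
198.51.100.20 - - [09/Aug/2018:10:07:41 +0000] "GET /api/badge/731002 HTTP/1.1" 200 305
198.51.100.20 - - [09/Aug/2018:10:09:12 +0000] "GET /api/badge/245817 HTTP/1.1" 200 298
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
BADGE_PATH_RE = re.compile(r"^/api/badge/(\d+)$")  # hypothetical endpoint


def parse_log(text):
    """Return (client_ip, badge_id, status) for every badge lookup in the log."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        pm = BADGE_PATH_RE.match(m["path"])
        if not pm:
            continue  # not a badge lookup
        events.append((m["ip"], int(pm.group(1)), int(m["status"])))
    return events


def sequential_fraction(ids):
    """Fraction of consecutive requests whose ID is exactly previous + 1."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def flag_enumerators(events, min_distinct=5, max_not_found_ratio=0.5,
                     min_seq_fraction=0.6):
    """Per client, flag sweeps over many distinct IDs that are mostly
    sequential or mostly miss (a guessing pattern, not a real lookup)."""
    per_client = defaultdict(lambda: {"ids": [], "not_found": 0})
    for ip, badge_id, status in events:
        per_client[ip]["ids"].append(badge_id)
        if status == 404:
            per_client[ip]["not_found"] += 1

    flagged = {}
    for ip, s in per_client.items():
        ids = s["ids"]
        distinct = len(set(ids))
        not_found_ratio = s["not_found"] / len(ids)
        seq = sequential_fraction(ids)
        if distinct >= min_distinct and (
            not_found_ratio > max_not_found_ratio or seq >= min_seq_fraction
        ):
            flagged[ip] = {
                "requests": len(ids),
                "distinct_ids": distinct,
                "not_found_ratio": not_found_ratio,
                "sequential_fraction": seq,
            }
    return flagged


def expected_hit_rate(id_space_size, valid_ids):
    """Share of random guesses that land on a valid ID. This is the article's
    2% figure for 900000 IDs and 18000 attendees; the same formula shows why
    an unguessable token (e.g. 128 random bits) makes sweeping pointless."""
    return valid_ids / id_space_size


if __name__ == "__main__":
    for ip, info in flag_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"possible enumeration from {ip}: {info}")
    print("6-digit IDs:", expected_hit_rate(900_000, 18_000))
    print("128-bit tokens:", expected_hit_rate(2 ** 128, 18_000))
```

The detector keys on two signals that ordinary badge-scanner traffic never produces together: a long run of IDs increasing by exactly one, and a high not-found ratio. Either one alone can be tuned with the threshold arguments. The hit-rate helper is the mitigation side of the same arithmetic: replacing a 6-digit sequential badge ID with a random 128-bit token leaves the 2% hit rate at effectively zero, which removes the incentive to sweep even where rate limiting is imperfect.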
After successfully proving the concept, I began the vulnerability disclosure process. It was difficult to reach the ITN team at first because they had no security@ or abuse@ email address, but once I got in touch with the right people they were very polite, professional and responsive. They fixed the problem within 24 hours of first contact.