Hi Craig,

As was suggested by Daniel (http://ift.tt/2q4j1qI), I installed the 360 Security app on the BlueStacks Android emulator and captured the HTTP packets exchanged by this app via Wireshark.

Below is a screenshot from the Network Connections app running on BlueStacks showing the 360 Security connections that it was able to detect:

From the Wireshark capture, the following are the HTTP GET and GET response details for the IP addresses, along with their WHOIS links:

54.192.117.107: (http://ift.tt/2pfrdnW)
103.235.46.231: (http://ift.tt/2puzwIk)

Subsequently, I closed BlueStacks, re-opened it, and again monitored the 360 Security app connections via the Network Connections app and the HTTP packets via Wireshark. Below is a screenshot from the Network Connections app showing the 360 Security connections that it was able to detect this time:

From the Wireshark capture, the following are the HTTP GET and GET response details for the IP addresses, along with their WHOIS links:

54.192.117.89: (http://ift.tt/2pfxm3C)
52.74.202.248: (http://ift.tt/2pu8SiV)
112.80.248.28: (http://ift.tt/2pfoaMs)
103.235.46.231: (http://ift.tt/2puzwIk)

As can be seen from the above screenshots from both sessions, the "lg=en&cn=us&vc=2284&uv=100&cid=104488&img_size=1&length=5&install_time=1494173731" string sent as a parameter in the HTTP GET requests to the update-cloud.i.360overseas.com IP addresses uniquely identifies the instance of the 360 Security app installed on the device, and hence the device. So, anyone monitoring the insecure HTTP packets exchanged with the update-cloud.i.360overseas.com IP addresses can easily track the IP addresses used by the device, which is a huge privacy risk. Also, the insecure HTTP packets exchanged with Baidu IP addresses in Hong Kong, bdimg.com IP addresses in China and update.i.360overseas.com IP addresses in Singapore expose the IP address used by the device as using the 360 Security app, in those foreign countries.
I think this vulnerability deserves a CVE in the NVD database (http://ift.tt/2pukrqr). The Wireshark packet captures for both sessions are attached below.

Thanks.

On Sun, May 7, 2017 at 03:42 AM, Craig Young wrote:

I would advise running a packet capture to see what data is sent. http://ift.tt/21jBA43 will let you do this from your device without root.

-Craig

On Thu, May 4, 2017, 5:10 PM seclists@email.tg wrote:

I reinstalled the 360 Security app on my phone to check the network connections it used and found via the Network Connections app that it did indeed use an insecure HTTP connection to exchange data with IP address 52.85.77.42, which is assigned to the Amazon network (http://ift.tt/2qFbXO8). Attached is a screenshot from the Network Connections app showing this connection.

From the 360 Security app privacy policy page (http://ift.tt/2pEIDZz) it can be seen that it uploads sensitive information about installed programs to a cloud security center. So, I am guessing that the above IP address corresponds to an Amazon cloud storage server.

So, there is still a security hole in this app, where it may be transmitting sensitive system information via an unencrypted HTTP connection.

Thanks.
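A small check for the pattern the thread describes (a stable query string sent over plaintext HTTP to the app's update hosts), written as an added example that is not part of the thread: it assumes request lines exported from a capture in a "<dst_ip> <url>" form, the host suffixes and parameter names are taken from the messages above, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters the thread identifies as stable across sessions and
# therefore a handle on one installation (and so on the device).
IDENTIFYING_PARAMS = ("cid", "install_time")

# Host suffixes the thread names as receiving unencrypted requests.
WATCHED_HOST_SUFFIXES = ("360overseas.com", "bdimg.com")

# Constructed sample export, "<dst_ip> <url>" per line (assumed format):
# the two sessions from the thread reuse the same cid/install_time values.
SAMPLE_LINES = [
    "54.192.117.107 http://update-cloud.i.360overseas.com/update?lg=en&cn=us"
    "&vc=2284&uv=100&cid=104488&img_size=1&length=5&install_time=1494173731",
    "103.235.46.231 http://example.bdimg.com/static/logo.png",
    "54.192.117.89 http://update-cloud.i.360overseas.com/update?lg=en&cn=us"
    "&vc=2284&uv=100&cid=104488&img_size=1&length=5&install_time=1494173731",
    # Same identifiers over HTTPS: an on-path observer cannot read the query.
    "203.0.113.5 https://update-cloud.i.360overseas.com/update?cid=104488"
    "&install_time=1494173731",
]

def classify(line):
    """Return a finding for one plaintext request to a watched host, else None."""
    dst_ip, url = line.split(maxsplit=1)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not host.endswith(WATCHED_HOST_SUFFIXES):
        return None
    query = parse_qs(parts.query)
    identifiers = {k: query[k][0] for k in IDENTIFYING_PARAMS if k in query}
    return {"dst_ip": dst_ip, "host": host, "identifiers": identifiers}

def find_tracking_requests(lines):
    """Flag plaintext requests to watched hosts and group them by identifier
    tuple; a tuple seen at more than one destination links those sessions."""
    findings = [f for f in map(classify, lines) if f is not None]
    by_identifier = {}
    for f in findings:
        key = tuple(sorted(f["identifiers"].items()))
        if key:  # requests without identifiers reveal app use, not identity
            by_identifier.setdefault(key, []).append(f["dst_ip"])
    return findings, by_identifier

if __name__ == "__main__":
    findings, linked = find_tracking_requests(SAMPLE_LINES)
    for f in findings:
        print(f"plaintext to {f['host']} ({f['dst_ip']}): {f['identifiers']}")
    for key, ips in linked.items():
        print("identifier", dict(key), "seen at", len(set(ips)), "destinations")
```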
Source: Gmail -> IFTTT -> Blogger