When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure!
Your privacy on the internet is one of the biggest concerns there is, and when it comes to dating websites and social networks it matters even more!
Let me tell you a story of two websites that don’t respect yours and put it in danger…
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site operates on a freemium model. To gain extra features, a user can pay a fee or allow Badoo to email all his/her friends.
Hot or Not is a rating site that allows users to rate the attractiveness of photos submitted voluntarily by others. The site offers a matchmaking engine called ‘Meet Me’ and an extended profile feature called “Hotlists”. The domain hotornot.com is currently owned by Hot Or Not Limited, and was previously owned by Avid Life Media. ‘Hot or Not’ was a significant influence on the people who went on to create the social media sites Facebook and YouTube.
People are concerned about their privacy; that’s why they use proxies, VPNs and other privacy solutions to keep themselves safe from specific attacks and surveillance (for the same reasons websites use HTTPS). Using these solutions won’t keep you 100% safe when the websites/services/apps themselves fail to protect their users from vulnerabilities that lead to malicious activity!
Unmasking and de-anonymizing online users are popular techniques used by attackers to identify victims they have already targeted (such techniques help in online blackmail and extortion).
Badoo.com and HotOrNot.com started their own public bug bounty program on the HackerOne platform, rewarding security researchers for responsibly reporting security/privacy bugs that would impact their users!
On Apr 13th, the Seekurity team reported a bug that discloses the identity of the logged-in user on Badoo.com and Hotornot.com, but first let’s clarify why we consider this behaviour a security issue.
When other websites are able to learn your identity on a specific website/service, that is, in theory, a security issue! That’s why so much effort has gone into privacy and security, as is clear from browser-based protection mechanisms like the Same Origin Policy and Cross-Origin Resource Sharing.
Requesting the URL “https://eu1.badoo.com/worker-scope/chrome-service-worker.js?ws=1” or “https://hotornot.com/worker-scope/chrome-service-worker.js?ws=1” while you’re logged in on Badoo.com or Hotornot.com will disclose your user id. You will notice that the file is dynamically rewritten to reflect the currently logged-in user’s ID (user_id).
A service worker is a script that is run by your browser in the background, separate from a web page, opening the door to features which don’t need a web page or user interaction. Today, they already include features like push notifications, and in the future they will include other things like background sync or geofencing. Their core feature is the ability to intercept and handle network requests, including programmatically managing a cache of responses.
But as a developer you’re free to customise the script’s source code to match your needs. In our case it’s obvious that the Badoo and HotOrNot developers made a big mistake by inserting the current user id, which is linked to the current user’s session cookie, into that script (a missed best practice)!
An external domain can include that script URL and read its content by calling this proof of concept code:
We’ve created a PoC, which you can find here: Click here to reveal your badoo.com id (you have to be logged in)
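To make the root cause concrete from the defender’s side, here is an added example (not the Seekurity PoC and not Badoo’s or HotOrNot’s code) showing the weak pattern beside a hardened one, together with a check a site owner can run against their own endpoint. The session store, the handler functions and the request shape are constructed for illustration; the point is that a script served at a fixed URL must not change with the caller’s session cookie, because a cross-origin page that includes it with a script tag runs it and can read any global it defines. The Cross-Origin-Resource-Policy header is a current browser mitigation that blocks such cross-origin script loads; it is an assumption here that the hardened handler sets it.

```javascript
// Added example, not the page's PoC: weak vs hardened service-worker endpoint
// plus an audit check. Constructed session store stands in for a real lookup.
const SESSIONS = { "sess-abc": 12345 };

// Weak pattern: the script body is rewritten per request so that it declares the
// caller's user id as a global. Any origin that includes this URL with a <script>
// tag executes it and can read `user_id` from its own window.
function serveWorkerWeak(req) {
  const session = req.cookies.session;
  const userId = Object.prototype.hasOwnProperty.call(SESSIONS, session)
    ? SESSIONS[session]
    : null;
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body:
      `var user_id = ${JSON.stringify(userId)};\n` +
      "self.addEventListener('push', function (e) { /* ... */ });",
  };
}

// Hardened pattern: the script is identical for every caller. User-specific data
// is fetched by the worker from a same-origin JSON endpoint (not executable as
// script), and the script itself is marked same-origin so cross-origin
// <script src> loads are blocked by the browser.
function serveWorkerHardened(req) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-Content-Type-Options": "nosniff",
    },
    body:
      "self.addEventListener('push', function (e) { fetch('/api/me').then(function (r) { /* ... */ }); });",
  };
}

// Check 1: fetch the script once anonymously and once with a session cookie.
// A static script must not differ between the two.
function scriptVariesWithSession(handler, cookieValue) {
  const anon = handler({ cookies: {} });
  const authed = handler({ cookies: { session: cookieValue } });
  return anon.body !== authed.body;
}

// Check 2: full audit of one endpoint, returning a list of findings (empty = clean).
function auditWorkerEndpoint(handler, cookieValue) {
  const findings = [];
  if (scriptVariesWithSession(handler, cookieValue)) {
    findings.push("script body varies with session cookie");
  }
  const res = handler({ cookies: { session: cookieValue } });
  if (/\buser_id\s*=\s*\d+/.test(res.body)) {
    findings.push("script embeds a user_id literal");
  }
  if (res.headers["Cross-Origin-Resource-Policy"] !== "same-origin") {
    findings.push("missing Cross-Origin-Resource-Policy: same-origin");
  }
  return findings;
}

// Stand-alone run: the weak handler yields three findings, the hardened one none.
console.log(auditWorkerEndpoint(serveWorkerWeak, "sess-abc"));
console.log(auditWorkerEndpoint(serveWorkerHardened, "sess-abc"));
```

The audit compares responses rather than grepping for one variable name, so it also catches other session-derived values (tokens, e-mail addresses) that a developer might template into a script. The same two-request comparison can be pointed at any static asset of your own site that is served behind a session cookie.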
The Impact and attack scenario:
Any popular website that embeds the PoC code will be able to achieve any of these (and endless other) impacts:
1. Personalized ad targeting (rogue ad campaigns).
2. Information/privacy disclosure (unmasking the current Badoo user).
3. Phishing/targeted attacks (gathering trusted information about the current user and retargeting him/her later; if the user is “blah” then a BeEF or Metasploit browser_autopwn attack).
Badoo privacy VS Vulnerabilities:
Does Badoo disclose my information to other parties?
We may share aggregated information with such parties as Foursquare that includes your personal information (but which doesn’t identify you directly), together with other information including log data with third parties for industry analysis and demographic profiling and to deliver targeted advertising about other products and services.
In particular, in relation to targeted advertising, we use third-party advertising companies to serve ads when you visit our Website. These companies may use information about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, please visit this page.
Badoo also wishes to maintain a healthy community, and we will cooperate with all law enforcement inquiries and with all third parties to enforce their intellectual property or other rights. We may also disclose your personal information to government or law enforcement agencies, or private parties, as required by law when/or, in our sole discretion, we believe that disclosure is necessary to protect our legal rights, or those of third parties and/or to comply with a judicial proceeding, court order, or legal process served on us.
In the event that Badoo or any of its affiliates undergoes a business transition or change of ownership, such as a merger, acquisition by another company, re-organisation, or sale of all or a portion of its assets, or in the event of insolvency or administration, we may be required to disclose your personal information.
Privacy Options that Badoo offers!
Although Badoo gives its users the ability to hide their online presence (ghost accounts), vulnerabilities are still vulnerabilities!
“At Badoo we understand protecting your privacy is essential, so we have several settings in place to manage this.”
Report responses and timeline:
“It’s a feature not a bug”
The report was closed as Not Applicable, so I requested public disclosure since it’s a feature, not a bug. The irony!
Thanks for reading. Till the next adventure!
Building a website? Or already built one? Think twice before going public and let us protect your business!