Video chats and online meeting platforms are popular now. And, of course, they become interesting for hackers. But is it possible to hack these systems without any deep knowledge about WebRTC and custom protocols? Simple answer: yes.
There are several great teams (like Google Project Zero) and researchers, who check protocols and open-source implementations. And there are a lot of mobile, desktop, and web applications from different companies and vendors, which use different implementations of audio and video communications: from chats for funny talks to encrypted enterprise systems and professional communications.
Aleksandr research focuses on the middle layout of some popular apps and systems: a part of the system, that is used to connect core libraries and UI (Web, Mobile, or desktop). And found interesting different logical issues, that allow to intercept calls, start calls without interaction with a user, and get private user’s information.
During this talk Aleksandr will show several real-life cases:
* A vulnerability in social network allowed to modify an invitation link to video chat and use CSRF to start a video call without permission from the user.
* A vulnerability in a messenger allowed to use an insecure behavior of URL scheme and start a call without permission from the user.
* A vulnerability in a mobile messenger allowed to get private information of a user (First and second name, phone number, and email) after visiting a specially created page.
* Insecure popular default configuration in open-source videocall system allowed to create a parallel call and overhear a user.
The main idea of this research is to show that different applications and systems may be created with secure video call protocols and libraries, but still have logical issues, that allow performing effective attacks.
About the speaker:
Aleksandr Kolchanov is an security researcher and consultant. He takes part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering. Speaker at PHDays 2018 and 2019, c0c0n 2018, DeepSec 2018 and 2019, HiTB 2019, Infosec in the City 2019, OzSecCon 2019, Hacktivity 2019, No cON Name 2019 and BSides.