TyphoonCon
  • About
    • About Us
    • Venue
    • Sponsorship
    • Press
    • Code Of Conduct
    • Contact
    • COVID-19 Regulations
    • Past events
      • TyphoonCon 2022
      • TyphoonCon Capture The Flag 2021
      • TyphoonCon Capture The Flag 2021 Write Ups
      • TyphoonCon 2020
      • TyphoonPWN 2020
      • TyphoonCon 2019
  • Conference
    • 2023 Speakers
    • Call for Papers 2023
  • Training
    • Introduction to hard target internals
    • Attacking the Linux Kernel
  • TyphoonPWN
BUY TICKETS

Presentation topic:

Video chats and online meeting platforms are popular now. And, of course, they become interesting for hackers. But is it possible to hack these systems without any deep knowledge about WebRTC and custom protocols? Simple answer: yes.  

There are several great teams (like Google Project Zero) and researchers, who check protocols and open-source implementations. And there are a lot of mobile, desktop, and web applications from different companies and vendors, which use different implementations of audio and video communications: from chats for funny talks to encrypted enterprise systems and professional communications. 

Aleksandr research focuses on the middle layout of some popular apps and systems: a part of the system, that is used to connect core libraries and UI (Web, Mobile, or desktop). And found interesting different logical issues, that allow to intercept calls, start calls without interaction with a user, and get private user’s information.

 During this talk Aleksandr will show several real-life cases:

 * A vulnerability in social network allowed to modify an invitation link to video chat and use CSRF to start a video call without permission from the user.

 * A vulnerability in a messenger allowed to use an insecure behavior of URL scheme and start a call without permission from the user.

 * A vulnerability in a mobile messenger allowed to get private information of a user (First and second name, phone number, and email) after visiting a specially created page.

 * Insecure popular default configuration in open-source videocall system allowed to create a parallel call and overhear a user.

 The main idea of this research is to show that different applications and systems may be created with secure video call protocols and libraries, but still have logical issues, that allow performing effective attacks.

About the speaker:

Aleksandr Kolchanov is an security researcher and consultant. He takes part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering. Speaker at PHDays 2018 and 2019, c0c0n 2018, DeepSec 2018 and 2019, HiTB 2019, Infosec in the City 2019, OzSecCon 2019, Hacktivity 2019, No cON Name 2019 and BSides.

BUY TICKETS
  • Facebook
  • Twitter
  • Linkedin
  • Email