I'm stealing API keys from your site - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

I have a dump of your prod DB - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

Using external libraries and application security

A "better safe than sorry" story inspired by a great medium post

whoami

Jacek Królikowski

 

@nietaki

Let's talk security

What's a vulnerability?

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

What vulnerabilities we look for

  • Cross-Site Request Forgery
  • SQL injection
  • Denial of Service
  • infrastructure access control
  • ...just bugs in code

Let's talk about libraries

Adopting a library

What did you do, David?!

  • The GitHub code looked clean
  • The hex package contained extra code with an exploit
  • David didn't check his deps/
  • The exploit didn't activate outside of prod
  • The exploit gave the attacker control over the app

Isn't that easy to detect?

  • No extra exported functions
  • No performance penalty
  • Nothing in the logs
  • No extra named processes / supervision trees
  • Doesn't happen in dev/test
  • Doesn't happen during your working hours (!)

Why I think this is important

(trust, but verify)

Are we screwed?!

not necessarily... 

Where is the problem?

What can we do?

  • Stop using external libraries 👎👎👎
  • Regularly read all our dependencies 👎👎
  • Get dependencies directly from git 👎
  • Force hex.pm to do the verification for us 👎
  • "Impound" all your dependencies 😐
  • Static analysis of dependencies 😶
  • Something else? 🤔

$$ \stackrel{?}{=} $$

Introducing...

What does Hoplon do?

Reads project's dependencies (mix.lock, mix.exs)

For each dependency:

  • Queries hex.pm to see where the code lives
  • Clones the repository with the code
  • Finds the relevant commit (tags, heuristics)
  • Diffs deps/<dependency> with the repo contents
  • Parses and validates the diffs
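
The diff step from the list above, as an added example (not Hoplon's own code and not from the talk): it assumes the repository is already cloned at the matching commit, and reports files that exist only in the fetched package or whose bytes differ from the repository. The directory names, the `demo_dep` package and the list of ignored Hex metadata files are assumptions made for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: files Hex writes into deps/<name> that never exist upstream.
IGNORED = {".hex", "hex_metadata.config"}

def file_hashes(root: Path) -> dict:
    """Map each relative file path under root to the SHA-256 of its bytes."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts and rel.name not in IGNORED:
            hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare_package_to_repo(package_dir: Path, repo_dir: Path) -> dict:
    """Report package files that are absent from, or differ from, the repo."""
    pkg, repo = file_hashes(package_dir), file_hashes(repo_dir)
    return {
        # Code shipped in the package that was never in the reviewed repository.
        "only_in_package": sorted(set(pkg) - set(repo)),
        # Same path, different bytes: the published file was altered.
        "modified": sorted(p for p in pkg if p in repo and pkg[p] != repo[p]),
    }

def build_constructed_sample(base: Path):
    """Constructed sample trees: a repo checkout and a tampered package copy."""
    repo, pkg = base / "repo" / "demo_dep", base / "deps" / "demo_dep"
    clean = {
        "mix.exs": "defmodule DemoDep.MixProject do\nend\n",
        "lib/demo_dep.ex": "defmodule DemoDep do\n  def hello, do: :world\nend\n",
    }
    shipped = dict(clean)
    shipped["lib/demo_dep.ex"] += "# line that is not in the repository\n"
    shipped["lib/demo_dep/extra.ex"] = "defmodule DemoDep.Extra do\nend\n"
    shipped["hex_metadata.config"] = '{<<"name">>,<<"demo_dep">>}.\n'
    for root, files in ((repo, dict(clean, **{"test/demo_dep_test.exs": ""})), (pkg, shipped)):
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
    return pkg, repo

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return compare_package_to_repo(*build_constructed_sample(Path(tmp)))

if __name__ == "__main__":
    print(run_demo())
```

Files that exist only in the repository (tests, docs) are not reported, because a published package normally ships a subset of the repository.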

Hoplon tasks

  • $ mix hoplon.check
  • $ mix hoplon.diff <dependency>
  • $ mix hoplon.absolve <dependency> <comment>

Let's see it in action

What's the catch?

  • No Windows support
  • Brand new project - might be fragile
  • Outstanding features
    • umbrella projects support
    • locking down GitHub URLs
    • recognising "hidden" branches
    • ...
  • ...but we already use it 

Thank you!

Bonus ⬇

Bonus: anatomy of the exploit

  • Spawning evil in a separate process
    • making sure there's only one
  • Checking if there's anyone looking
  • Fetching and compiling payload
    • Only do it on new payloads
  • All potentially failing code wrapped in a try..rescue for stealth

Links

I’m stealing API keys from your site. Here’s how.

By Jacek Królikowski
