Hacking chocolates and the security mindset

-
Who doesn’t like chocolate? I am a big fan of a Brazilian coffee/chocolate chain called Ychocolates (fictitious name). They produce good chocolates and serve good coffee as well. Recently they introduced a simple loyalty program: you buy products there and earn points for each purchase. After certain amount of points, you can redeem them and transform them into a delicious chocolate. It sounds simple and straightforward. To participate in this program the person needs to supply their name, an CPF (Brazilian identification number) and a phone number. 

Every time a person goes into one of their stores and buy something, they should supply their CPF and get the points. Once you inform your CPF the cashier (verbally) will tell you how many points you have earned so far. If you have the minimum amount of points for a reward, you can get a chocolate. I’ve noticed cashiers always inform the accumulated points to the customer. It seems to be part of a procedure. I personally used my points a few times. Basically, I bought a coffee, informed my CPF and the cashier told me I have over 75 points and If I would like to redeem them. 

That’s it. What is the issue here? The issue is cashiers never asked me to prove who I am. I could simple inform my CPF and redeem the points. A not well-intentioned person could simple goes to the store, buys something and stays around the people and the cashier, listening to them talking about CPF and how many points they have. He could take note on the CPF of the person and once he has it in hands, he could return to the store later, buy something (or not), inform this CPF and redeem the points. Done! A new piece of chocolate is available. 



Main intention of this post is not to call your attention to the vulnerabilities/controls found in this scenario but rather than that, the security mindset involved. A security mindset involves looking at the world with a different perspective. It is in a certain way the ability to think maliciously. Think how to cheat a system. Could this skill be taught? How this could be achieved? This skill is important for people who are designing things and of course, for security professionals as well. 
Bruce Schneier wrote an excellent article about it years ago. At the end, this was just another daily security mindset exercise! What vulnerabilities have you found today?

(PS: I've talked to the company and they are making sure controls will be enforced)

Comments

Post a Comment

Popular posts from this blog

The forgotten JBOSS Admin Console and CVE 2010-1871

-
Image
Well, we are in 2013 and It’s amazing how many JBOSS administration interfaces (jmx-console, web-console, invokers etc) are still exposed on the internet, however we are not going to talk about it. A couple of days ago I was performing a penetration testing and I found an environment with JBOSS AS 6. The JMX-Console wasn’t password protected but one console in special attracted my attention: the Admin Console. It seems that this console, I do not know the reason, is kind of forgotten by the security community as an attack vector. The default access credential for this console is admin/admin and it is also built upon a vulnerable version of Seam framework CVE 2010-1871 . This console provides a powerful JBOSS administration allowing a user to check the server’s configuration, to deploy and to delete applications, to read datasources etc. I checked out for the default credential but they were changed. There were other ways to hack this JBOSS but I was quite interes
Read more

Man in the middle attack through a web shell

-
Hello all. Let’s talk today about Man in the middle attack . No, this isn’t a post talking about what it is and how to perform a MITM attack. The proposal of this blog is to share experience with you, then most of the posts (at least until now) are about things that happened in real environments. Recently performing a penetration testing it was possible to get a web shell through a combination of vulnerabilities.   That’s good… a web shell right? But how about to going deep and explore more of the environment? Yes, if you thought about reverse web shell you are right, but, in this case, I couldn’t establish an outbound connection (this is a subject for another post). I did a lot of things in such environment and one of the things done was a MITM attack through a web shell. Let’s go to some important details. First of all, it was a Windows box. There are some tools you can perform a MITM attack on Windows box such as Cain & Abel , but remember, we had a web shell and thi
Read more