The Black Hat USA 2018 provided us with lots of interesting stories, experiments, discoveries, and reports from various participants. But, never did we think that the conference itself will become news for us – that too – with regards to a cybersecurity problem. Recently, a researcher discovered that a leaky API exposed details of Black Hat USA attendees online. After his report, officials patched the flaw.
Black Hat USA Attendees Records Leaked Online
A security researcher and penetration tester, NinjaStyle, made a peculiar discovery which he disclosed a couple of days ago in his blog. According to him, he succeeded in pulling out the data of Black Hat USA attendees due to leaky API.
The researcher accidentally found this problem while at the conference. He noticed something strange with the badge he was wearing with an NFC tag.
“During training at BlackHat this year I was getting frustrated with my badge and lanyard making noise around my neck in training, so I took it off and set it down on the table next to me. Later I set my phone on top of it and saw a notification to read the NFC tag.”
The NFC tags were worn by all the conference attendees. The vendors in the Business Hall scanned the cards to collect data about the wearer for marketing purposes. This included the names, email addresses, company names, job titles, and contact numbers.
After receiving notification for tag reading on his mobile, he downloaded tag reader and found some scrambled details. Out of curiosity, after a few days, he again went on to download the BCard APK. He then decompiled the BCard app and found an API endpoint in the code, which he later exploited to pull out his data.
“To my surprise, I was able to pull my attendee data completely unauthenticated over this API.”
Afterward, he decided to see if he can get some more records through the API. So he began brute forcing all attendees by making educated guesses about the number of attempts he would need. After a few attempts, he succeeded in extracting the data.
“The rate at which we were able to brute force the API would mean that we could successfully collect all BlackHat 2018 registered attendees’ names, email addresses, company names, phone numbers, and addresses in only approximately 6 hours.”
The Leaky API Is Now Fixed
After confirming his discovery, NinjaStyle approached the ITN team to report the matter. Initially, he faced difficulties contacting them. However, later, he succeeded to make contact and inform them of the flaw. Officials patched the flaw “within 24 hours of initial contact”.
Interestingly, when the researcher disclosed his discovery on his Twitter handle, he also gave a pro tip for the future.
Protip that I failed to do this year: Register for BlackHat with fake info, use a burner email and provide as little data as possible in registration.
— NinjaStyle (@NinjaStyle82) August 21, 2018
Certainly, the appearance of such incidences at highly sensitive events like Black Hat, which specifically attracts cybersecurity experts, vendors, and even law enforcement agencies is quite embarrassing. Maybe next time, many attendees will consider using fake profile information (at least, to carry on the badge) .
Let us know what you think in the comments section.