The aim of this blog is to provide the following:
- An in-depth exploration of how BeVigil, the world's first security search engine for mobile apps, can significantly simplify and enhance the workflow of Bug Bounty Hunters, Android app security researchers, and OSINT enthusiasts.
- With BeVigil, security researchers can leverage the extensive indexing of millions of Android apps, enabling them to rapidly and efficiently identify security vulnerabilities, secrets, exposed APIs, and much more, gaining visibility over a huge but largely unexplored attack surface.
- The functionality-rich BeVigil OSINT API and CLI streamline the vulnerability identification process and provide a reliable, efficient, and comprehensive platform for security researchers to automate, enrich and optimize their workflows. This helps researchers make more informed decisions than blindly running automated tools to find vulnerabilities.
General Workflow of Bug Bounty Researchers
To better understand the process of a bug bounty researcher, let us take a moment to explore the general workflow.
While this process may suit some researchers, it can be inefficient and time-consuming. This approach requires extensive training to identify even basic vulnerabilities and often fails to uncover high-impact bugs that could potentially yield significant bounties. As such, a more streamlined and efficient workflow is necessary to maximize the potential rewards of bug bounty programs.
BeVigil’s Simplified Approach for Bug Bounty Researchers
Now, let us take a closer look at how BeVigil can significantly simplify and enhance the workflow of bug bounty researchers. With BeVigil's innovative approach, researchers can leverage a straightforward workflow that requires fewer steps to identify vulnerabilities and earn bounties.
Some of the features that BeVigil offers and the benefits it can provide for researchers:
- With BeVigil, researchers can easily search through millions of indexed apps or scan apps instantly using a Play Store link. Researchers can even upload an app manually for analysis.
- BeVigil provides instant app score checks, allowing researchers to quickly assess the security of an app and identify potential vulnerabilities.
- Researchers can leverage BeVigil's advanced capabilities to identify security vulnerabilities and 250+ exposed API secrets in apps.
- BeVigil also offers the ability to generate detailed security reports with comprehensive insights into the security posture of an app.
Step-by-Step Guide to Detecting Bugs with BeVigil
Step 1. Let's work through HackerOne, one of the leading bug bounty platforms; the overall process is the same on other platforms. Several companies with Android apps are listed on HackerOne. When we selected the asset types Android: Playstore or Android: .apk, numerous applications from different companies appeared in the search results. We chose “Urban” as an example.
Step 2. Next, go to BeVigil and search for the apps you want to research. For example, we looked for “Urban Company” as it has the active bug bounty program we saw above.
Step 3. On this page, you can find the overall security score, which highlights how vulnerable the app could be, a list of exposed secret keys, and several other sections for different issue types on the left of the page. As a security researcher, you may be most interested in the “Vulnerabilities”, “Strings” and “Assets” sections, as they often contain juicy information.
- The Vulnerabilities section in BeVigil provides a comprehensive overview of the different types of vulnerabilities detected. As a researcher, you can easily explore each vulnerability in-depth and determine its potential impacts.
- The Strings section in BeVigil lists all the interesting secrets, API keys (such as AWS secrets, Shopify keys, GitHub keys and Facebook keys) and tokens such as JWTs. After collecting those secrets, you can assess their security impact.
- The Assets section shows exposed IP addresses, file paths, hostnames, and other interesting endpoint details.
Step 4. After discovering an issue, we should try chaining issues together to find more impactful ones and report them to the right organizations. For instance, if we come across a Firebase URL, we should dig deeper to determine whether the database is accessible for reading or writing. Moreover, we should examine whether it reveals confidential data such as client or payment details. By taking this comprehensive approach, we can create a more impactful report and potentially earn a higher bounty for our efforts.
Different Approaches for Bug Bounty Researchers
1. Using Firebase URL to Uncover PII: Firebase is a suite of hosting services for any type of application, including a NoSQL real-time database. By appending /.json to the Firebase URL, you can quickly determine whether the Firebase database is open to unauthenticated read operations, write operations, or both.
According to our recent research, BeVigil has identified over 20,000 Firebase URLs with read access to the Firebase database, most of which contained sensitive information.
2. Shopify API Key Leak: Shopify, an e-commerce platform for online stores, provides several types of tokens that can be used for development. In our latest report, 21 apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing the personally identifiable information (PII) of 4 million users/customers to potential threats.
In this example, BeVigil identified a well-known Indian e-commerce brand exposing Shopify keys with sensitive permissions.
The e-commerce store revealed personally identifiable information (PII) such as the name, email, domain, address, and phone of more than 1 million customers.
Read more about this issue in this report: https://bevigil.com/blog/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens/
3. Amazon S3 URLs: Amazon S3 is an object storage service that stores data as objects within buckets. However, during a recent research study, one of our researchers discovered that a particular Amazon S3 URL was hardcoded in the source code of a mobile app. As a result, this URL was easily readable, leading to the exposure of sensitive customer data.
Read more about this issue in this report: Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data
4. Heroku App URL: Using BeVigil, our researchers found Heroku App URLs in the source code of mobile applications which could lead to subdomain takeover.
It appears that the domain is no longer operational, so it is now available for anyone to take over. In fact, our researchers were able to successfully take over the subdomain in question.
5. GitHub Personal Access Token: A GitHub Personal Access Token (PAT) is a type of authentication token that allows users to access their GitHub account and perform various actions programmatically via the GitHub API. Software developers hardcode GitHub Personal Access Tokens that could potentially expose private repositories on GitHub.
Our researchers were able to check the token’s scopes which led us to believe anyone with access to the PAT can access any private repository within the organization.
Read more about this issue in this report: Hardcoded GitHub Personal Access Tokens Leak 159 Private Repositories
6. Twitter API Keys: Using BeVigil, our researchers discovered that some mobile applications' source code contained hardcoded Twitter API keys. This potentially led to a Twitter account takeover, as these API keys can be exploited to gain unauthorized access to a user's Twitter account.
Read more about this issue in this report: https://cloudsek.com/whitepapers-reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army
7. AWS Access Key and Secret Key: AWS Access Key and Secret Key are critical components of an organization's infrastructure. Anyone who gains access to these keys can potentially gain access to the entire company's infrastructure.
During our investigation on BeVigil, we discovered that these AWS keys had access to multiple AWS services, including ACM (Certificate Manager), ElasticBeanstalk, Kinesis, OpsWorks, and S3. Our focus was on S3, and upon further analysis, we found that the AWS credentials had read/write access to a total of 88 S3 buckets.
The implications of this exposure were significant, as these 88 buckets contained a staggering 10,073,444 files, amounting to a total of 5.5 Terabytes of data being exposed.
These S3 buckets were initially deployed to host various files and data generated from projects. Upon further investigation, our team discovered that these buckets contained a wide range of sensitive data, including application source code, backup files, user reports, test artifacts, user uploads, logs, WordPress backups, user certificates, config files, credential files, and more.
The exposure of such data can have serious implications, as it can provide attackers with access to additional credentials such as database hostnames, passwords, and tokens, allowing them to potentially branch out into the running infrastructure and carry out further attacks.
The researchers were further able to access the database using the plain text password mentioned in the database configuration file.
Read more about this issue in this report: Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data
8. Slack Webhook: Bug bounty hunters can look for exposed Slack webhooks, which let any threat actor post malicious messages to the discovered hooks, create a Slack app, and allow public installation of the app.
9. Discovering Hardcoded Algolia API Key: Algolia’s API enables developers to implement search, discovery, and recommendations within websites, mobile, and voice applications. It is used by over 11,000 companies. Misuse of the keys can result in reading and modifying users’ personal information, accessing IP addresses and other sensitive details. CloudSEK researchers discovered that 32 out of 1,550 applications contained a total of 57 unique API keys.
Read more about this issue in this report: Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users’ Data
10. Hardcoded Email Service: In another recent report, our researchers discovered that 50% of the 600 analyzed apps leaked API keys of three popular transactional and marketing email service providers: Mailgun, MailChimp, and SendGrid. The keys could be used to read, send and delete emails, retrieve IP addresses, and more.
Read more about this issue in this report: https://cloudsek.com/whitepapers-reports/hardcoded-api-keys-of-email-marketing-services-puts-54m-mobile-app-users-at-risk
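The Strings and Assets sections described in Step 3 and the approaches listed above all come down to recognising a handful of secret and asset formats in an app's decoded resources. As an added example (not BeVigil's or CloudSEK's code), this Python scanner flags those formats in a constructed strings.xml and prints redacted hits so a reviewer can triage their own APK's resources before a release ships; the token formats are the providers' documented public ones, and every sample value is a fake.

```python
import re
from typing import List, Tuple

# Documented public formats of the secret and asset types the post discusses.
# Matching a format is a signal, not a confirmed leak: every hit still needs
# validation with the asset owner, which is out of scope here.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "shopify_access_token": re.compile(r"\bshp(?:at|ss|ca|pa)_[0-9a-fA-F]{32}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "firebase_url": re.compile(r"https?://[a-z0-9-]+\.firebaseio\.com\b"),
    "s3_url": re.compile(r"https?://[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
    "heroku_url": re.compile(r"https?://[a-z0-9-]+\.herokuapp\.com\b"),
}

def redact(value: str) -> str:
    """Keep only the first and last four characters so reports never carry a usable secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "*" * len(value)

def scan_strings(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each hit, ordered by position."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                hits.append((line_no, m.start(), kind, redact(m.group(0))))
    return [(n, k, v) for n, _, k, v in sorted(hits)]

# Constructed res/values/strings.xml of a hypothetical app; all values are fakes.
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">Example Shop</string>
    <string name="api_base">https://api.example-shop.test/v2/</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="gh_token">ghp_0123456789abcdefghijklmnopqrstuvwxyz</string>
    <string name="shopify">shpat_0123456789abcdef0123456789abcdef</string>
    <string name="slack">https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX</string>
    <string name="fb">https://example-shop-1234.firebaseio.com/orders</string>
    <string name="cdn">https://example-shop-uploads.s3.ap-south-1.amazonaws.com/</string>
    <string name="legacy">https://example-shop-api.herokuapp.com/</string>
</resources>
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_strings(SAMPLE_STRINGS_XML):
        print(f"line {line_no:>3}  {kind:<22} {value}")
```

Point the scanner at the decoded resources and smali/DEX string tables of an APK and the redacted report is safe to attach to a ticket; the same patterns can be wired into a pre-commit hook so the keys never reach the build.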
Step-by-Step Guide to BeVigil OSINT API
As mentioned in the introduction, BeVigil offers a comprehensive OSINT CLI, equipped with advanced features that simplify the process of identifying security vulnerabilities. This functionality-rich platform empowers users to automate and optimize their workflows, making vulnerability identification more efficient and effective. A free account gives you 50 credits to try the product without spending a dime.
The CLI offers the following list of commands.
To get started, all you need to do is install the Python library from our GitHub repository and activate it with the API key found in your BeVigil account. It's a quick and easy process that lets you begin using the full range of features offered by BeVigil.
S3 Buckets
To start, let’s query for S3 buckets using the Urban Company package name. The package name can be gathered from BeVigil or the Play Store.
Now, as a researcher, you just need to find misconfigured S3 buckets and gather what’s available in them. You might look for sensitive information such as customer or client PII or payment details.
Host List
To request all the hostnames extracted from an Android package, you can use the following command:
Once you have a list of hosts, you can start exploring internal domains or APIs to identify potential vulnerabilities. By chaining together multiple vulnerabilities, you can maximize the impact of your findings and better protect your system.
BeVigil OSINT API
Now you can integrate BeVigil’s OSINT API into your application by following our easy-to-set-up guide. You can further explore the BeVigil API at https://osint.bevigil.com/.
Summary
In this blog post, we explored how BeVigil can significantly enhance the capabilities of security researchers, allowing them to identify potential vulnerabilities and improve the overall security of mobile applications. With the vast array of features available in BeVigil, researchers have limitless opportunities to improve their research and uncover critical security issues.
References
- BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens
- Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users’ Data
- Hardcoded GitHub Personal Access Tokens Leak 159 Private Repositories
- Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data
- https://github.com/Bevigil/BeVigil-OSINT-CLI
- BeVigil OSINT API for CLI