
Cloud-AI - cloud artificial intelligence found 10 LinkedIn vulnerabilities

In 2015, the CloudSek project team set out to develop an artificial intelligence system that can interact with the Internet the way a rational person would. The first prototype of the system was presented to the public in March 2016 at the NullCon conference. Since then, the project has made several breakthrough discoveries, which we want to talk about today.



Cloud-AI from CloudSek


People (in fact, not all) understand what to do on a website or in a mobile application from previous experience and with the help of visual cues. We recognize a “button” by its label, by its shape, and even by the size and color of objects. Older computer systems do not use previous experience when solving new problems. The developers at CloudSek took up this challenge. They developed an artificial-intelligence-based system that moves around websites like a person, improving from its own experience.

CloudSek uses semi-supervised learning: for some of the training examples a “situation, required solution” pair is given, and for the rest only the “situation”. People have created a huge number of methods and conventions for interacting with web interfaces. This data is used to train the Cloud-AI system until the model performs the necessary tasks successfully on its own. This approach helps to cope with difficult situations. Reinforcement learning, in which the signals come only from the interaction environment rather than from a teacher as at CloudSek, would take more time on such problems. After 14 months of training, labeling many variants of web interfaces and creating a control dataset, the project team obtained amazing results.


Cloud-AI successfully recognizes and classifies input forms, buttons, and link navigation with minimal error. With Cloud-AI, you can effectively interact with mobile, web, or almost any other application that uses a graphical user interface.

Introduction


In 2015, Amazon released Amazon Echo, a personal assistant with artificial intelligence, who can hear, understand, and answer any question. Google is already testing cars on autopilot in several cities. Companies create technologies that help people in their daily activities. CloudSek uses artificial intelligence to create agents that can navigate the Internet and perform complex, but boring and time-consuming tasks.

The idea of automating web tasks is nothing new. However, a self-improving automated system that can interact with and navigate any user interface on the network is something completely different, and it is worth the effort. Amazon Echo can place an order for you through the Amazon Shopping Portal. But Echo cannot order a product for you through Alibaba or another service whose API it does not know. In the future, we will be able to use Cloud-AI to order anything anywhere via the Internet and perform other complex tasks, saving time.

Cloud-AI is fast and accurate; CloudSek uses it to build its x-Vigil and CloudMon products.


CloudSek uses Cloud-AI for automated security monitoring of web applications and cloud infrastructure in place of manual testing, and the system's capabilities grow after each test.

Cloud-AI: Cases and Results in the Field of Information Security Applications


Insecure Direct Object References were one of the most prominent security issues on Facebook. Applications often use an object's real name or key when generating web pages, and do not always check that the user is authorized for the target action. This creates a security hole in the application.

For example, the function of deleting an account:

http://domain.com/delete-account.php?userid=5555 

To detect such vulnerabilities, the attacker's userid = 5555 is simply replaced with the victim's userid value. Finding security errors of this known kind is difficult for an automated tool because the target action is hard to reach: getting to it requires multi-step interaction with the interface. Manual testing for each such bug takes a lot of time.

CloudSek has used Cloud-AI to interact with many popular, modern web applications for automated vulnerability testing. The main target was insecure direct object references. Among the platforms tested was LinkedIn, chosen because of its popularity and the simplicity of its interface.

LinkedIn Data Leak Testing


The project team discovered 10 insecure direct object reference vulnerabilities on LinkedIn. These bugs would be very difficult to find manually and almost impossible to find with traditional automated tools. The LinkedIn team has been notified of these vulnerabilities. Here are a few that have already been fixed:

  1. Email leak for any user id.
  2. Leak of users' email addresses, phone numbers and resumes.
  3. Delete all user invitations.
  4. Download subtitles to all videos in the Lynda online course library.
  5. Download all exercise files without buying a premium Lynda account.

Although all the bugs were fairly simple, it took a lot of effort to find them. Cloud-AI filled out numerous user forms and followed behavioral patterns to reach the vulnerabilities. Such vulnerabilities are often missed by existing automated tools and by manual testing.

1) Email leak for any user id


Recruiters can share the contacts of selected candidates with other hiring managers. The request below sends a candidate profile to another user. Changing the id value in the request to the victim's id returns the email address for that id.

 POST /cap/candidate/forwardProfilesAjax HTTP/1.1
 Host: www.linkedin.com

 csrfToken=ajax&newHiringManagerMemberIds=&forwardTo=&msgBody=Hello&_action_forwardProfilesAjax&projectId=&memberIds=[Victim ID]

To find this request, Cloud-AI successfully completed several actions:

a) Logged in to LinkedIn;
b) Reached the link for sharing the resume;
c) Opened the correct form to fill out;
d) Wrote a message and pressed the required button to confirm.


Cloud-AI independently fills in the required forms.

The response contained the email addresses of other users.

Leakage of names and email addresses of victims


The other bugs are relatively similar. What matters is that Cloud-AI successfully performed a chain of actions in a graphical interface to reach the vulnerable request.

2) Leak of users' email addresses, phone numbers and resumes


Changing memberIds in the following request allows the attacker to view the victim’s resume.

 GET /cap/applicant/profileExportPdf?trackingSearchId=[id]&memberIds=[Victim IDs] 

Only people who were looking for work through LinkedIn were vulnerable, so this did not affect all users.

3) Delete all user invitations


Changing the request-id in the following request withdraws all of the victim's invitations on LinkedIn.

 POST /people/invites/withdraw?isInvite=true HTTP/1.1
 Host: www.linkedin.com
 Connection: close

 csrfToken=[]&Ids={victims request-id }

4) Download subtitles to all videos in the Lynda online course library.


A request that downloads subtitles (transcripts) of all videos without any authentication.

 GET /ajax/player/transcript?courseId=496475&videoId=509328 

5) Download all exercise files without buying a premium Lynda account.


 GET /ajax/course/518763/download/exercise/543328 



After being notified of the vulnerabilities, the LinkedIn team fixed them within 24 hours. Everything described above should therefore be read in the past tense.

Method and OpenSource code



HTTP mutation module


All traffic generated by Cloud-AI was passed through a proxy server, which parsed each HTTP request into its parameters. Resending the requests with parameters changed by the mutation module made it possible to find security problems. Before notifying the LinkedIn developers, the CloudSek team manually verified the vulnerabilities that were found.

The system module that acts as a proxy server and performs the mutations is now publicly available.
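
The missing authorization check described in the delete-account example and the parameter-mutation idea described in this section can be combined into a regression check for your own application. The sketch below is an added example, not CloudSek's module or code from the original article; both handlers, the account table and names such as `authorization_gaps` are hypothetical, and everything runs in-process against two constructed test accounts.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample data: account id -> e-mail address of two test accounts.
ACCOUNTS = {"5555": "tester-a@example.test", "7777": "tester-b@example.test"}


def handler_vulnerable(session_user, body):
    """Trusts the client-supplied id: no ownership check (the IDOR pattern)."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    return 200, ACCOUNTS.get(params.get("userid"), "")


def handler_hardened(session_user, body):
    """Authorizes the referenced object against the authenticated session."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if params.get("userid") != session_user:
        return 403, ""
    return 200, ACCOUNTS[session_user]


def mutate(body, id_params, other_id):
    """Yield (name, new_body) with one ID-like parameter swapped per variant."""
    pairs = parse_qsl(body, keep_blank_values=True)
    for i, (name, _) in enumerate(pairs):
        if name in id_params:
            variant = pairs[:i] + [(name, other_id)] + pairs[i + 1:]
            yield name, urlencode(variant)


def authorization_gaps(handler, session_user, body, id_params, other_id):
    """Return parameters whose mutation exposed the other test account's data."""
    gaps = []
    for name, new_body in mutate(body, id_params, other_id):
        status, text = handler(session_user, new_body)
        if status == 200 and ACCOUNTS[other_id] in text:
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    recorded = "csrfToken=ajax&msgBody=Hello&userid=5555"  # constructed request body
    for h in (handler_vulnerable, handler_hardened):
        print(h.__name__, authorization_gaps(h, "5555", recorded, {"userid"}, "7777"))
```

The check reports a gap only when the response contains data belonging to the second test account, so a handler that returns 403 or ignores the swapped parameter passes.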

Future Cloud-AI


Cloud-AI is gathering more and more information about how people interact with web interfaces. This allows the team to configure the system for more complex actions. The plans include adding reinforcement learning, with signals coming from the interaction environment. This will maximize the number of actions that Cloud-AI can perform as a regular user.

An API is also expected to appear, allowing everyone to automate their tasks using Cloud-AI. We must remember that new technologies do not come without dangers. Cloud-AI can be a dangerous weapon if it falls into the wrong hands.

Source: https://habr.com/ru/post/326212/

