SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, September 4th 2018

SANS ISC Handlers

🗓️ 4 September 2018

⏱️ 5 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Reversing Medium Mobile App.

Transcript

0:00.0

Hello, welcome to the Tuesday, September 4th, 2018 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Amsterdam, Netherlands.

0:14.1

I'm teaching the Defending Web Applications class here in Amsterdam this week, and one point that came up today in class is that

0:22.9

really many mobile applications are just front ends for web services.

0:28.5

So not really surprising that some web application flaws make it into these mobile apps.

0:36.3

The latest example is the Android version of the mobile app

0:41.0

for Medium, the blogging platform. That does require a subscription for some of its stories,

0:49.3

but you're allowed to read a limited number of these stories for free. Now the problem is, how does the site actually know how many stories you read?

0:59.0

And apparently, that's just managed via cookies that are kept on the client.

1:05.0

In this case, also the mobile app.

1:07.0

Yuol Sprintz at Hacker Noon wrote up how he reversed the Medium mobile app to figure out

1:14.8

how they're tracking their stories and how he actually then modified the mobile app,

1:20.0

recompiled it, and essentially created a mobile app that would allow him to read unlimited

1:25.9

stories. Probably not the worst that can be done with this particular technique.

1:30.3

I believe Medium is charging something like $5 a month for a full subscription.

1:36.3

But it really illustrates nicely this problem in a lot of mobile apps

1:41.3

that do not really take into account that they're still dealing with data

1:45.6

coming from the user using a device that the user controls, and with that the user in the end

1:53.1

controls all requests being sent by this device.

1:58.7

And sticking with learning from the attacker here for a bit more, at Black Hills Infosec

2:07.1

we do have a great blog post by Mike Felch, and it appears to be the first in a series of blog posts about red teaming Microsoft, in particular how to use Active Directory

2:19.9

if it is linked to Azure in order to, for example, attack internal networks. Lots of stuff

2:27.8

in this blog post really way too much to do it justice here in my brief podcast. But for example, one little tip here that I found

...
