Test automation goes rogue

Posted: 23.10.2010 in Security, Uncategorized

Test automation tools are much like a hunting rifle: they have legitimate uses, but they can also be used to do nasty things. This post is about Skype, but the same kind of issue can exist in any other application.

Let’s imagine that I’m an evil h4x0r who wants to find new ways to extend my bot network. Everyone has become more and more careful with e-mail attachments, so spamming is not an option anymore. Let’s take a quick look at Skype. Could we use it to automate our malware distribution? If I tried to register 1 million new users from the web page, I’d have to give a correct Captcha for each one of them. But if I do the registration through the Skype client, the registration screen is the one shown below. No Captcha. When I registered, I also noticed there isn’t any e-mail confirmation.

If I already have a small bot network, I can use those weaknesses to register plenty of Skype users. The easiest way to do that is automation. My proof of concept was done with AutoIT, which is a free test automation library. If the desktop application doesn’t have the same bot-prevention systems as the web application, a small automation script can create new users. If you are able to create users, you are also able to do any other task: my bot could start to call people, add contacts, send files and so on. A chat could start with: “Hello. I am Jack Nicholson from Skype security contact. We have noticed that you have a major security risk which can be fixed by installing the patch which I’m going to send you.”

Skype registration through the desktop application has two major security failures:

  1. No Captcha, which would have prevented automated registration.
  2. No e-mail confirmation. Requiring confirmation would have forced the attacker to also exploit the weaknesses of some free e-mail service.

Those two steps would increase the attacker’s cost a lot; a few hours of simple bot coding wouldn’t be enough. I reported these to Skype as a security issue in mid-July.
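To make the cost argument concrete from the defender’s side, here is an added example (not the author’s code and not anything Skype runs) of how a registration service can keep an account unusable until a signed, time-limited e-mail confirmation token is presented, and how a per-source registration throttle limits what a scripted client can create in one run. The `RegistrationService` class, the secret, the limits and the simulated bot scenario are all constructed for this illustration; the throttle is an extra control beyond the two the post names.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed placeholder secret for signing confirmation tokens; not a real key.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 24 * 3600          # confirmation link validity (assumed policy)
MAX_REGISTRATIONS_PER_WINDOW = 3       # per source, e.g. per client IP (assumed policy)
WINDOW_SECONDS = 3600


@dataclass
class Account:
    username: str
    email: str
    confirmed: bool = False            # stays False until the e-mail token is redeemed


@dataclass
class RegistrationService:
    accounts: dict = field(default_factory=dict)
    # source identifier -> timestamps of recent registrations from that source
    attempts: dict = field(default_factory=dict)

    def _within_rate_limit(self, source: str, now: float) -> bool:
        recent = [t for t in self.attempts.get(source, []) if now - t < WINDOW_SECONDS]
        self.attempts[source] = recent
        if len(recent) >= MAX_REGISTRATIONS_PER_WINDOW:
            return False
        recent.append(now)
        return True

    def _make_token(self, username: str, email: str, issued_at: int) -> str:
        # Token binds the account, the address it was sent to and the issue time.
        msg = f"{username}|{email}|{issued_at}".encode()
        sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
        return f"{issued_at}.{sig}"

    def register(self, source: str, username: str, email: str, now=None):
        """Create a pending account; returns the confirmation token or None if refused."""
        now = time.time() if now is None else now
        if not self._within_rate_limit(source, now):
            return None                # too many registrations from this source
        if username in self.accounts:
            return None
        self.accounts[username] = Account(username, email)
        # A real service would e-mail this token; returning it lets the example drive the flow.
        return self._make_token(username, email, int(now))

    def confirm(self, username: str, token: str, now=None) -> bool:
        """Activate the account only for a valid, unexpired token for this user."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return False
        try:
            issued_at_s, _sig = token.split(".", 1)
            issued_at = int(issued_at_s)
        except ValueError:
            return False
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False
        expected = self._make_token(username, acct.email, issued_at)
        if not hmac.compare_digest(expected, token):
            return False
        acct.confirmed = True
        return True

    def can_login(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.confirmed


def simulate_bot_run(n: int = 10):
    """Constructed scenario: one source scripts n sign-ups one second apart and
    never reads any mailbox. Returns (accounts created, accounts usable)."""
    svc = RegistrationService()
    t0 = 1_700_000_000.0
    created = 0
    for i in range(n):
        token = svc.register("198.51.100.7", f"robot{i}", f"robot{i}@example.invalid", now=t0 + i)
        if token is not None:
            created += 1
    usable = sum(svc.can_login(u) for u in svc.accounts)
    return created, usable


if __name__ == "__main__":
    print(simulate_bot_run(10))        # (3, 0): three pending accounts, none usable
```

The point the simulation makes is the one the post argues: with confirmation in place, the scripted client ends up with accounts it cannot use, and with a throttle it gets only a handful of those per window, so the cheap screen-driving script stops being enough on its own.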

And how short is the script that creates a new user? Well… Here is my full proof of concept. It works only on my laptop and on machines with the same resolution and other visual settings. An attacker could make the script more generic with some work.

; Launch Skype and give it time to start
Run("C:\Program Files\Skype\Phone\skype.exe")
Sleep(5000)

; Screen coordinates below are specific to the author's laptop resolution and layout
MouseClick("left", 628, 437)
WinWaitActive("Skype™ - Luo tili")   ; Finnish window title: "Skype - Create account"
Send("Evil Robot")
MouseClick("left", 500, 501)
Sleep(500)
Send("q1w2e3")
MouseClick("left", 794, 496)
Sleep(500)
Send("q1w2e3")
MouseClick("left", 485, 549)
Sleep(500)
Send("something@kiva-mesta.net")
MouseClick("left", 778, 549)
Sleep(500)
Send("something@kiva-mesta.net")
Sleep(500)
MouseClick("left", 1051, 678)
Comments
  1. @Teme,

    Good blog post. There are many desktop applications where there is no captcha, which is a cool vulnerability and attackers love it 🙂

    When I registered for Skype I was wondering why I did not receive any confirmation e-mail, and I thought maybe the SMTP server was busy. But later I figured out that there is no e-mail confirmation needed LOL. Now an attacker could even use fake profiles of other end-users.

    Maybe Skype has got many millions of end-users, but there might be thousands of them moving away when they figure out such vulnerabilities. I hope Skype takes this vulnerability seriously and fixes it soon so that attackers do not misuse it to bring down Skype or harm its end-users.

    Thanks,
    Santhosh Shivanand Tuppad

    • Teme says:

      Unfortunately they don’t seem to be interested in fixing that. They labeled my report as a feature enhancement instead of a bug. New features are slow to implement, and bug fixes always go first in the queue.

      So it is still vulnerable. I tried it today.

  2. Aditya Kalra says:

    Hi Teme,

    I like your post and the way you have explained the vulnerabilities of Captcha.

    This surely makes it a candidate on my blog which has the best articles and posts across the web.

    Do mail me at aditya_kalra@ymail.com and let me know if it is fine if I add this to my blog.

    My blog: http://go-gaga-over-testing.blogspot.com/

    Best Regards,
    Aditya Kalra

  3. Yes, it is a potential risk to Skype. I still wonder how Skype can be so unreactive to this issue as to consider it a feature enhancement rather than a high-priority bug. Are they not as bothered as we were to investigate the Skype vulnerability?

    @Teme has plunged into the security issue; we now have to quit until Skype turns to Teme to find out other vulnerabilities of Skype, when they get badly affected by bots. Nice post Teme.

    Regards,
    Shiva Mathivanan
