RESEARCH | August 19, 2014

Silly Bugs That Can Compromise Your Social Media Life

A few months ago while I was playing with my smartphone, I decided to intercept traffic to see what it was sending. The first thing that caught my attention was the iOS Instagram app. For some reason, the app sent a request using a Facebook access token through an HTTP plain-text communication.

Here is the original request that I intercepted from the Instagram app:
 
POST /api/v1/fb/find/?include=extra_display_name HTTP/1.1
Host: instagram.com
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 337
Content-Type: multipart/form-data; boundary=Boundary+0xAbCdEfGbOuNdArY
Accept-Language: en;q=1, es-MX;q=0.9, fr;q=0.8, de;q=0.7, zh-Hans;q=0.6, zh-Hant;q=0.5
Cookie: ccode=AR; csrftoken=dab2c8d0c4fd28627ac9f2a77fa221d2; ds_user_id=1045525821; igfl=testlocura; is_starred_enabled=yes; mid=UuvAbgAAAAHj6L0tnOod5roiGYnr; sessionid=IGSC3aaf1427aa901bb052263b368642a34fe59897cba046682b7d95775ae70db64d%3AioaQSiHdJ61kCjuRaAD9sEJTEWXv6dqB%3A%7B%22_token%22%3A%221045525821%3Au91J1dZgsiJCBo0QVeF98nkohO0TV928%3A70d9eee5449941dc80fb238991e191f8f33cac5c98c1b078d86975b07979531d%22%2C%22last_refreshed%22%3A1392496331.661547%2C%22_auth_user_id%22%3A1045525821%2C%22_auth_user_backend%22%3A%22accounts.backends.CaseInsensitiveModelBackend%22%2C%22_platform%22%3A0%7D
Connection: keep-alive
User-Agent: Instagram 5.0.2 (iPhone5,3; iPhone OS 7_0_4; en_US; en) AppleWebKit/420+
 
–Boundary+0xAbCdEfGbOuNdArY
Content-Disposition: form-data; name=”fb_access_token”
 
CAABwzLixnjYBAE71ZAmnpZAaJeTcSqnPSSvjEZA0CqIokUOj60VkZCOhuZCy4dT6TlcG9OpbMIO7dJnGiROm7XFEnRj….
–Boundary+0xAbCdEfGbOuNdArY–

After a quick review, I determined that the request was sent when I clicked on the Facebook Friends button, which allows users to search for friends from their Facebook account.
 
As an aside, an access token is an opaque string that identifies a user, app, or page. It can be used to perform certain actions on behalf of the user or to access the user’s profile. Each access token is associated with a select set of permissions that allow users to perform actions, such as reading their wall, accessing friend profiles, and posting to their wall.
 
In this case, these permissions were granted to the access token:
  • installed
  • basic_info
  • public_profile
  • create_note
  • photo_upload
  • publish_actions
  • publish_checkins
  • publish_stream
  • status_update
  • share_item
  • video_upload
  • user_friends
Potential Risk
 
Sending a request using access token through a plain-text communication poses a potential risk. An attacker who can intercept the app’s traffic and acquire access tokens can gain access to Facebook user accounts and manipulate their walls and access personal information.
 
If you use Instagram on a public WiFi, then someone might access your Facebook account and hack it.
 
Conclusion
 
Third-party apps that use these access tokens to associate users with their Facebook accounts should take extra precautions to protect their integrity and confidentiality. This will help avoid potential risks of leaking user information. 
 
Instagram already fixed the vulnerability mentioned in this blog post. 
Ariel Sanchez
INSIGHTS | May 7, 2014

Glass Reflections in Pictures + OSINT = More Accurate Location

By Alejandro Hernández – @nitr0usmx

Disclaimer: The aim of this article is to help people to be more careful when taking pictures through windows because they might reveal their location inadvertently. The technique presented here might be used for many different purposes, such as to track down the location of the bad guys, to simply know in which hotel is that nice room or by some people, to follow the tracks of their favorite artist.
All of the pictures presented here were posted by the owners on Twitter. The tools and information used to determine the locations where the pictures were taken are all publically available on the Internet. No illegal actions were performed in the work presented here. 

 
 
Introduction
Travelling can be enriching and inspiring, especially if you’re in a place you haven’t been before. Whether on vacation or travelling for business, one of the first things that people usually do, including myself, after arriving in their hotel room, is turn on the lights (even if daylight is still coming through the windows), jump on the bed to feel how comfortable it is, walk to the window, and admire the view. If you like what you see, sometimes you grab your camera and take a picture, regardless of reflections in the window.
Without considering geolocation metadata [1] (if enabled), reflections could be a way to get more accurate information about where a picture was taken. How could one of glass’ optical properties [2], reflection, disclose your location? Continue reading.
Of course pictures taken from windows disclose location information such as the city and/or streets; however, people don’t always disclose the specific name of the place they’re standing. Here is where reflections could be useful.
Sometimes, not all of the time, but sometimes, reflections contain recognizable elements that with a little extra help, such as OSINT (Open Source Intelligence) [3], could reveal a more accurate location. The OSINT elements that I used include:
       Google Earth 3D Buildings (http://www.google.com/earth/)
       Google Maps (and Street View) (http://maps.google.com)
       Emporis (buildings information) (http://www.emporis.com)
       SkyscraperPage (buildings information) (http://skyscraperpage.com)
       Foursquare (pictures uploaded by people) (http://foursquare.com)
       TripAdvisor (pictures uploaded by people) (http://www.tripadvisor.com)
       Hotels’ Websites
       Google.com
In the following case studies, I’ll present step-by-step instructions for how to get more accurate information about where a picture was taken using reflections.
CASE #1 – Miami, FL
Searching for “hotel view” pictures on Twitter, I found this one from Scott Hoying (a member of Pentatonix, an a cappella group of five vocalists):
 
Looking at his previous tweet:
 
 We know he was in Miami, but, where exactly? Whether or not you’ve been to Miami, it’s difficult to recognize the buildings outside the window:
 
 So, I went to Wikipedia to get the name of every member of the band:
I looked for them on Twitter and Instagram. Only one other member had published a picture from what appeared to be the same hotel:
I was relatively easy to find that view with Google Earth:
However, from that perspective, there are three hotels:
So, it’s time to focus on the reflection elements present in the picture (same element reflected in different angles and the portraits) as well as the pattern in the bed cover:
Two great resources for reference pictures, in addition to hotels’ websites, are Foursquare and TripAdvisor (some people like to show where they’re staying). So, after a couple of minutes analyzing pictures of the three possible hotels, I finally found our reflected elements in pictures uploaded by people and on the hotel’s website itself:
After some minutes, we can conclude that the band stayed at the Epic Hotel and, perhaps, in a Water View suite:
 
 
CASE #2 – Vancouver, Canada
The following picture was posted by a friend of mine with the comment that she was ready for her talk at #XXXX2014 conference in #Vancouver. The easiest way to get her location would have been to look for the list of partnering hotels for speakers at XXXX2014 conference, but what if the name of the conference hadn’t been available?
Let’s take the longer but more interesting path, starting with only the knowledge that this picture was taken in Vancouver:
The square lamp reflected is pretty clear, isn’t it? ;-). First, let’s find that building in front. For that, you could go straight to Google Earth with the 3D buildings layout enabled, but I preferred to dive into Vancouver’s pictures in Emporis:
We’ve found it’s the Convention Centre (and its exact location evidently). Now, it’s easy to match the perspective from which the picture was taken using Google Earth’s 3D buildings layout:
We see it, but, where are we standing? Another useful OSINT resource I used was the SkyscraperPage of Vancouver, which shows us two options:
 
By clicking on each mark we can see more detailed information. According to this website, the one on the right is used only for offices and retail, but not for lodging: 
However, the other one seems to be our building:
A quick search leads us to the Fairmont Pacific Rim’s Website, where it’s easy to find pictures from inside the hotel:
The virtual tour for the Deluxe Room has exactly the same view:
Turn our virtual head to the left… and voilà, our square lamp:
Now, let’s find out how high up it is to where the picture was taken. Let’s view our hotel from the Convention Center’s perspective and estimate the floor:
From my perspective, it appears to be between the 17th and 20th floor, so I asked the person who took the picture to corroborate:
 
CASE #3 – Des Moines, IA – 1
An easy one, there are not many tall buildings in Des Moines, Iowa, so it was sort of easy to spot this one:
It seems that the building in front is a parking garage. The drapes look narrow and are white / pearl color. The fans on the rooftop were easy to locate on Google Maps:
And we could corroborate using the Street View feature:
We found it was the Des Moines Marriott Downtown. Looking for pictures on TripAdvisor we’ve found what it seems to be the same drapery:
Which floor? Let’s move our head and look towards the window where the picture was taken:
The 3D model also helps:
And… almost!
CASE #4 – Des Moines, IA – 2
Another easy case from the same hotel as the previous case. Look at the detailed reflections: the beds, the portraits, the TV, etc.
These were easy-to-spot elements using Foursquare and TripAdvisor:
Misc. Ideas / Further Research
While brainstorming with my friend Diego Madero about reflections, he suggested going deeper by including image processing to separate the reflections from the original picture. It’s definitely a good idea; however, it takes time to do this (as far as I know).
We also discussed the idea that you could use the information disclosed in reflections to develop a profile of an individual. For example, if the person called room service (plates and bottles reflected), what brand of laptop they are using (logo reflected), or whether they are storing something in the safe (if it’s closed or there’s an indicator like an LED perhaps).
Conclusion
Clear and simple: the reflected images in pictures might disclose information that you wouldn’t be willing to share, such as your location or other personal details. If you don’t want to disclose your location, eliminate reflections by choosing a better angle or simply turning off all of the lights inside the room (including the TV) before taking the picture.
Also, it’s evident that reflections are not only present in windows. While I only considered reflections in windows from different hotels, other things can reflect the surrounding environment:
       “44 Impressive Examples of Reflection Photography”
Finally, do not forget that a reflection could be your enemy.
Recommendations
Here are some other useful links:
       “How to Eliminate Reflections in Glasses in Portraits”
       “How to remove the glare and brightness in an image (Image preprocessing)”
Thanks for reading.
References:
[1] “Geolocation”
[2] “Glass – Optical Properties”
[3] “OSINT – Open Source Intelligence”