Security Through Obscurity. It Doesn’t Work.
By Keith Bruce, CISSP and IT Security Compliance Analyst. Keith’s primary focus is on ISO 27001 compliance and team analytics, but he also manages the vulnerability, policy, penetration testing and client audit review programs, to name a few.
Introduction
The internet offers a plethora of information about you and everyone else, whether we like it or not. Our personal information is out there if you know where and how to look for it. Everything is tracked. Everything. All we need to do is dig a little deeper to find more information that may be public, or private for that matter. Default tracking settings for mobile, smart devices or the Internet of Things (IoT) are conveniently turned on by the manufacturer or service provider and device users are none the wiser. Of course, if a data breach with your information does occur, you will likely find out when the general public is made aware, and you are typically only provided a coupon for future services and credit monitoring for a year or two. That is if they even go that far.
The security of websites and web applications found in your everyday Software as a Service (SaaS) solutions can be measured through a secure Software Development Life Cycle (SDLC), code reviews and compliance with the guidance of the Open Web Application Security Project (OWASP). OWASP provides free, open-source, international and unbiased material regarding the security of web applications. As a result, the OWASP Top 10 has grown into an industry standard that should be used as the default baseline for all internet-based applications.
I have coordinated several independent third-party web application penetration tests over the last ten-plus years working in IT Security. This type of testing helps ensure that externally facing applications, whether custom developed or Commercial Off The Shelf (COTS), are reviewed periodically and supported by a secure SDLC. Such regular testing brings critical flaws in a public-facing infrastructure to light and allows security teams to build a more secure environment.
With all of this in mind, web applications can still be released in an insecure manner and disclose our personal information. In this article, I will share with you how easy it can be to find someone’s phone number online using a website with security flaws. The methods used are similar to a recent example brought to us by the Missouri government and their disclosure of social security numbers. Before I begin, please note that the research for this article was conducted over a year ago. In that time, the resources I will reference have had plenty of time to resolve their security flaws and no longer seem to disclose information using the examples provided. These resources now require some type of paywall before the data can be accessed.
Experiment
Our scenario started with a childhood friend disappearing from my life around my sophomore year of college and I wanted to reconnect. I was curious if I could take on this challenge on my own with the knowledge that I’ve gained in recent years. It appeared that my friend was not on ANY social media and may have moved far away from our extremely small hometown. Join me on my journey to making a reconnection and catching up from the time lost by using some website know-how, free tools and a smidge of effort.
As previously mentioned, everything is tracked. Public records, like housing and marriage licenses, are a great start. I decided to use the simplest of tools, Google’s Chrome web browser. While sifting through search results and social media, I found a few newspaper articles and similar name matches, but nothing exactly matching what I needed. I moved on to the “free” public information services. The websites visited for this task included whitepages.com, mylife.com, publicrecordsnow.com and instantcheckmate.com. I also checked the general security of these websites by using a free tool offered by Qualys, at ssllabs.com.
This basic website analysis gave me a high-level glance into which sites were paying more attention to website security than the others. Once I searched for and found a close match, I attempted to see whether the websites were using any obfuscation techniques by using the browser’s built-in developer tools. On Windows, that is simply done by pressing the F12 key.
In our first example, Whitepages.com provided sample search results while displaying what looks like a blurred and scrambled base64-encoded image. Although there are plenty of resources on how to decode such an image, I felt that it would take more time than I wanted, so I moved on. When this research was conducted, a person searching for information did not have to log in or provide details about themselves to obtain it. Since then, a paywall has been put in place to deter data scrapers.
Example 1
Publicrecordsnow.com also provided sample results but used asterisks to simulate masked text, as seen in Example 2. After reviewing this site’s method of securing phone numbers, I found that they wanted to provide potential results while masking only four digits of the phone number with asterisks. This site seems to make a proper call to the database to determine which numbers to display and not disclose too much information in support of a paywall. However, we already have six of the ten digits and would only need to guess the other four. How hard could it be to find one phone number out of 9,999?
Example 2
Mylife.com required me to provide my own personal information before disclosing any data. Remember, this exercise was to see if I could find someone by using free tools and resources, and I did not want to disclose my own personal information. Congratulations to Mylife.com for restricting access to personal data and requiring an extra level of protection, ahead of the competition.
In our last example, I thought that I had hit the jackpot! Someone with malicious intent could use my findings to perform a mass exfiltration of personal data. I found that Instantcheckmate.com was using an obfuscation technique to hide personal cell phone data on their site. I know right!? Hidden, but in plain sight. A script could be written to export data from this website and be used to do harm, impersonate, or just sell the numbers to scammers overseas who want Grandma to buy gift cards. This security flaw has since been rectified and the data is now behind a paywall.
In reference to the OWASP Top 10, this service violated at least two of the ten guidelines, including A3:2017-Sensitive Data Exposure, A6:2017-Security Misconfiguration and quite possibly A5:2017-Broken Access Control. With proper access controls, like a paywall, attempts to gather personal data would be more difficult, just as we had seen in practice at Mylife.com.
Instantcheckmate.com only displayed four digits in our initial results, but upon further investigation, the first six seemed to be obfuscated using a text-transparency technique and became completely visible in the browser’s developer tools.
In Example 3, the first six digits have a visual blur applied to them. I suspected this was done using a Cascading Style Sheet (CSS). CSS allows web developers to design and deploy reusable formatting styles across many areas of a website, maintaining the continuity of the site or web application while saving time during development. It seems the application performed a database lookup, but instead of masking the results with different characters or not displaying the digits at all, as in our previous examples, the phone number is disclosed in an insecure manner.
Example 3
Digging deeper into the HTML and JavaScript behind displaying our newly found phone number, we can use our free developer tools again. In Example 4, we see the highlighted area correlates to the last four digits provided in Example 3. The developers made a conscious decision to obfuscate the first six digits of the phone number while only displaying the last four. Code running on the server seems to have queried the underlying database, which returned the full number to the website. The website was coded to apply a CSS class named “B” to a span element containing the missing digits that Examples 1 and 2 did not display in plain text.
Example 4
In conclusion, Example 5 shows that the original assumption about using CSS to hide the displayed text was correct. The developers applied a generic style that renders the text with a grey shadow, which is our “blur” in Example 3, while the color of the text itself is set to transparent.
Example 5
You can try out the same code, like I did, to see how it works at W3Schools.com (https://www.w3schools.com/css/tryit.asp?filename=trycss3_text-shadow1).
.B {
  /* the grey shadow is the visible "blur"; the text itself is fully transparent */
  text-shadow: 0 0 10px grey;
  color: transparent;
  letter-spacing: 1px;
  word-break: initial;
}
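As an added example (not code from the original post or from any of the sites mentioned), the following Node.js script models the two server-side choices the article contrasts: emitting the full number and relying on the “B” class to blur it, versus masking before the response is built. The phone number, the class name and the helper names are constructed for the demonstration; the check at the end is the kind of review a developer can run against their own rendered output.

```javascript
// Added example: why CSS-based hiding is not access control.
// All phone numbers here are constructed sample values.

// The CSS rule the article reproduces; note it only changes presentation.
const HIDING_CSS = ".B { text-shadow: 0 0 10px grey; color: transparent; }";

// Insecure pattern: the full number is written into the page and the
// "B" class is expected to keep the first six digits from being read.
function renderObscured(fullNumber) {
  const hidden = fullNumber.slice(0, 6);
  const shown = fullNumber.slice(6);
  return `<style>${HIDING_CSS}</style>` +
         `<span class="B">${hidden}</span><span>${shown}</span>`;
}

// Hardened pattern: mask on the server so the response never carries the
// digits the viewer is not entitled to see (the approach Example 2 used).
function renderMasked(fullNumber, visibleDigits = 4) {
  const masked = "*".repeat(fullNumber.length - visibleDigits);
  return `<span>${masked}${fullNumber.slice(-visibleDigits)}</span>`;
}

// What developer tools show: the document's text with styling ignored.
// Simplified extraction: drop <style> blocks, then strip remaining tags.
function textContent(html) {
  return html
    .replace(/<style>[\s\S]*?<\/style>/g, "")
    .replace(/<[^>]+>/g, "");
}

// Review check: does the rendered response still contain the digits that
// were supposed to be withheld? True means the page is leaking them.
function leaksDigits(html, fullNumber, visibleDigits = 4) {
  const secret = fullNumber.slice(0, fullNumber.length - visibleDigits);
  return textContent(html).includes(secret);
}

const sample = "5550123456"; // constructed sample, not a real number
console.log(leaksDigits(renderObscured(sample), sample)); // true
console.log(leaksDigits(renderMasked(sample), sample));   // false
```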
Summary
The rabbit hole didn’t go too far, nor did it have to, and our goal was achieved using general knowledge of how websites are constructed. With very little effort, we found developers trying to hide unsecured personal data in plain sight. The F12 key and CSS were the keys to deciphering this security flaw, by validating whether the code used could consistently produce the same results. Application developers and their employers should be held accountable for introducing such elementary security flaws. The European Union’s General Data Protection Regulation (GDPR) has set a standard and a financial liability for those that do not perform their due diligence and provide such sloppy security. There are plenty of free online resources for learning more advanced techniques to secure personal data. Simply put, security through obscurity does not work.