Wednesday

Test automation goes rogue - Bad Boys of Quality

Test automation tools are much like the hunting gun. You have real uses for it, but you can use it to do nasty things. This blog is about Skype but same kind of issues can be at any other application.
Let’s imagine that I’m evil h4x0r and I’d want to find new ways to extend my bot network. Everyone has become more and more careful with e-mail attachments so spamming is not the option anymore. Let’s take a quick look at Skype. Could we use it to automate our malware distribution? If I tried to register 1 million new user from web page, I’d have to give correct Captcha for each one of them. But if I do registration thru the Skype, the registration screen is shown below. No Captcha. When I registered, I also noticed there isn’t any e-mail confirmation.



If I already have small bot network, I can use those weaknesses to register plenty of Skype users. Easiest way to do that is to use automation. My proof of concept was done with AutoIT which is free test automation library. If the desktop application doesn’t have same bot-prevention systems as web application, small automation script can create new users. If you are able to create users, you are also able to do any other task. So my bot could start to call to people, start to add contacts, send files and so on. Chat could start with:”Hello. I am Jack Nicholson from Skype security contact.  We have noticed that you have major security risk which can be fixed by installing the patch which I’m going to send you.”
Skype has two major security related failures at registration thru the application:
  1. No Captcha which would have prevented automated guessing.
  2. No e-mail confirmation. Confirmation would have required exploiting the weaknesses of some free e-mail service.

Those two steps would increase the cost a lot and simple few hours bot coding wouldn’t be enough. I reported these as security issue to Skype at mid-July.
And how short the script is which creates the new user? Well… Here is my full proof of concept. It works only at my laptop and machines with same resolution and other visual settings. The attacker can make the script more generic with some work.
Run("C:\Program Files\Skype\Phone\skype.exe")
Sleep(5000)

MouseClick("left", 628, 437)
WinWaitActive("Skype™ - Luo tili")
Send("Evil Robot")
MouseClick("left", 500,501);
Sleep(500)
Send("q1w2e3")
MouseClick("left",794,496)
Sleep(500)
Send("q1w2e3");
MouseClick("left",485,549)
Sleep(500)
Send("something@kiva-mesta.net")
MouseClick("left",778,549)
Sleep(500)
Send("something@kiva-mesta.net")
Sleep(500)
MouseClick("left",1051,678)
 For more interesting articles on quality follow the link below:

Source: Test automation goes rogue - Teemu Vesala

No comments:

Post a Comment