Automated hacking weapon with human smarts does the business
LinkedIn has shuttered five dangerous privacy holes that could have allowed users’ phone numbers, email addresses and resumes to be downloaded, plus the deletion of all connection requests.
The flaws, since patched, were found by the first human-bot hacking hybrid, the brainchild of Bangalore security boffin Rahul Sasi.
Sasi (@fb1h2s) revealed his ambitious project dubbed Cloud-AI at the Nullcon hacking con in Goa, India, covered by The Register.
At the time he explained his intention to build a flaw-finder that can blend gut intuition with automated mechanical efficiency.
“Cloud-AI is currently a large dataset of how humans have interacted with the web,” Sasi told Vulture South. “Our team is currently training Cloud-AI to be capable of doing more complex interactions [and] will soon come up with APIs that will let individuals automate their tasks using Cloud-AI.”
Sasi and his team at CloudSek trained his machine against popular cloud applications including LinkedIn and Facebook, finding 10 dangerous insecure direct object reference vulnerabilities in the former, a bug class normally identified through manual human analysis and missed by automated scanners.
Rahul Sasi at Nullcon.
Image: Darren Pauli, The Register.
Cloud-AI also found that Linkedin’s recruiter profiles would leak email addresses of profiles shared in messages to other users.
The personal data was hidden in response when the member request identification number was swapped to the victim’s identity number.
Sasi’s machine also uncovered a flaw that would leak phone numbers, along with email addresses, for users who had applied for jobs through the site.
Another flaw allowed all connection requests on LinkedIn to be deleted through mere manipulation of a single request identification number.
Other bugs allowed Lynda video transcripts and exercise files to be downloaded without authentication or the necessary premium membership.
Sasi disclosed the bugs to LinkedIn team which fixed the critical vulnerabilities within a day of his report.
Cloud-AI, explained in this 2016 paper [PDF], is built on machine learning and natural language processing, and uses vector space models to convert word strings to numbers, naive bays machine learning classifiers, and cosine similarity to improve training.
Those techniques result in a machine that can navigate naturally around the web and identify the parts of a site that a hacker would target for the quickest returns.
In practice this requires the tool be able to follow dynamic user instructions so it understands that phrases like ‘sign me up’, ‘let’s go’ and so forth all signify account registration.
Some components of the project will be made open source, Sasi told Vulture South. ®
Sponsored: Customer Identity and Access Management