#ssl_pinning — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #ssl_pinning, aggregated by home.social.
-
🎯 Threat Intelligence
======================
🔍 OSINT
Executive summary: A consumer IPTV set‑top box was found to permit local ADB access after VLAN reconfiguration, and apps exhibited SSL pinning that was bypassed to reveal account flows. Account credentials followed a predictable pattern: username set to device MAC and a default password of "admin@123", creating a large attack surface for account takeover and enumeration.
Technical details:
• Device platform: Android‑based set‑top box with custom ISP apps.
• Local access: sandbox bypass enabled Developer Options and USB debugging; moving the device to the customer subnet exposed ADB on the local network.
• Application analysis: APK extraction identified streaming and account management packages; SSL pinning prevented initial interception until apk‑mitm/android‑unpinner techniques were applied and modified APKs reinstalled on the device.
• Credential pattern: username = device MAC (12 hex digits), password = admin@123. MAC predictability enables enumeration across deployed devices.
Impact analysis:
• Account takeover: predictable credentials allow direct access to subscriber accounts and potentially service configuration.
• Lateral exposure: VLAN separation limited discovery; misconfiguration (wrong port) enabled local network access to the device.
• Privacy risks: viewing account details, subscription data, and session tokens when proxying traffic through BurpSuite.
Detection:
• Network indicators: ADB connections from local hosts to set‑top box IPs, unexpected HTTP(S) flows proxied via nonstandard CA certificates.
• Application indicators: presence of modified APKs, installed Burp CA on device trust store.
Mitigation:
• Eliminate predictable credentials and enforce unique, strong passwords per device.
• Require server‑side authentication checks and multi‑factor or out‑of‑band validation for account access.
• Harden provisioning: prevent USB debugging and Developer Options in production builds; ensure devices remain on isolated VLANs with strict management controls.
• Monitor for ADB and proxy anomalies and audit installer/technician procedures that require specific port wiring.
🔹 Attack Chain Analysis
• Initial Access – Local network access after device moved off IPTV VLAN.
• Recon – APK extraction and package enumeration via ADB.
• Bypass – SSL pinning bypass using apk‑mitm/android‑unpinner.
• Credential Harvesting – Capture of login request when technician authenticated while proxied.
• Account Takeover – Use predictable MAC‑based usernames with default password to access accounts.
🔹 IPTV #ADB #BurpSuite #ssl_pinning #iot_security
🔗 Source: https://infosecwriteups.com/how-i-hacked-my-isps-iptv-set-top-box-f1c6f49dab01
-
How a web specialist can start pentesting a mobile app's API without breaking their MacBook
I am an active participant in Bug Bounty programs, and I quite often look not only at web applications but also at mobile applications, in order to identify all of a service's API endpoints and try to find a bug in functionality that is not always easy to reach. And why is it not easy? Because mobile applications often use SSL Pinning, which prevents traffic interception, so analyzing the application's API becomes more difficult. In this article I will cover: 1. How to disable SSL Pinning and gain the ability to inject into the processes of iOS applications. 2. How to disable SSL Pinning and inject into an Android application without having a smartphone running that OS.