I Can Login Without Your Password: Data Acquisition From Web-Based Server Using Credential Attack

Hi, I’m Jaehyeok Han from South Korea. I’m going to talk about data acquisition from web-based service, without password, and I used credential attack. Before presentation, I’d like to appreciate this opportunity to show our study, following contents I’ve prepared.

So first for the motivation for the detailed forensic investigation. Essentially the data was acquired from the data device, for all the data should have stored in the internal storage of these two devices, but with the growing interest of the privacy, we are commonly using the online service. So we used [it] to unload and save our files on the cloud. It means that client centric aspect is now stored on server side.

Mostly we use both an ID and a password to login for service. But in this study for the bypassing this process we use the credential attack such as cloning attack or a cookie replay attack. As a contribution of this study, first we tested 14 popular services and the measures we’ll have to acquire more user data as much as possible. 

Secondly, we discussed the security measures and features. For the credential attack, we wrote something modelled as follows.

As a first step, we collect available credentials from given data visit and then tested security measures. We found some weak points in each service after several, several trial and error. In the end, we did bypass and acquire data, as we intended.


We tested all these services. They are categorized by cloud storage, messenger and phone as an experimental measure to be acquired on lots of files uploaded by user, and here’s her history. As an example, there are documents, pictures, chat logs, etc., etc.

In this slide about discussions, frankly speaking, I need to talk a lot while I’m just going to mention the first listed thing. Multi-factor authentication: this methodology grants access to a service only after perfectly presenting other factors, but in our results, even if MFA had the set, our effect was warped so we could have access to the target users’ data. Others also support for security.

However, there was no problem to get data on server side. Conclusion: we thought collected only from data device was one of limitation of traditional investigation. So we try to get a more model, more and more cloud native aspect and we did it, but as you know, the world is changing, thus it is necessary to identify online services’ security measures and features continuously.

Since I have only five minutes for presentation, I presented briefly, more about because for the official paper, I couldn’t show enough material of ours, but if you were having, if you have any questions, please contact my email. Thank you for listening.
