I Can Login Without Your Password: Data Acquisition From Web-Based Server Using Credential Attack

Hi, I’m Jaehyeok Han from South Korea. I’m going to talk about data acquisition from a web-based service without a password, for which I used a credential attack. Before the presentation, I’d like to express my appreciation for this opportunity to show our study; the following are the contents I’ve prepared.

So first, the motivation for the detailed forensic investigation. Essentially the data was acquired from the device, as all the data should have been stored in the internal storage of these two devices, but with the growing interest in privacy, we are commonly using online services. So we use [them] to upload and save our files on the cloud. It means that the client-centric aspect is now stored on the server side.

Mostly we use both an ID and a password to log in to a service. But in this study, to bypass this process, we use credential attacks such as a cloning attack or a cookie replay attack. As a contribution of this study, first we tested 14 popular services and the measures we would have to take to acquire as much user data as possible.

Secondly, we discussed the security measures and features. For the credential attack, we modelled the process as follows.

As a first step, we collect available credentials from the given device data and then test security measures. We found some weak points in each service after several rounds of trial and error. In the end, we did bypass and acquire data, as we intended.



We tested all these services. They are categorized as cloud storage, messenger and phone, and as an experimental measure to be acquired we targeted the many files uploaded by the user, along with their history. As examples, there are documents, pictures, chat logs, etc.

In this slide about discussions, frankly speaking, I need to talk a lot, but I’m just going to mention the first listed thing. Multi-factor authentication: this methodology grants access to a service only after the other factors are presented perfectly, but in our results, even if MFA had been set, our attack worked, so we could have access to the target users’ data. Others also provide support for security.

However, there was no problem getting data on the server side. In conclusion, we thought that collecting only from the device was one of the limitations of traditional investigation. So we tried to get a more cloud-native aspect, and we did it, but as you know, the world is changing, thus it is necessary to identify online services’ security measures and features continuously.

Since I have only five minutes for the presentation, I presented briefly. For the official paper I couldn’t show enough of our material, but if you have any questions, please contact me by email. Thank you for listening.
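The talk names the cookie replay attack as the way MFA was bypassed. The following Python is an added example, not code from the presentation or the paper, modelling the server-side reason and one mitigation: MFA gates the login step only, so a session cookie replayed from a different client context is accepted unless the server binds the session to that context and treats a mismatch as a signal. The user names, user agents and IP addresses are constructed, and the `SessionStore` class and its fingerprint scheme are assumptions for illustration, not any real service's implementation.

```python
"""Session-context binding as a check against cookie replay (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample client contexts (not taken from the paper).
OWNER_UA = "Mozilla/5.0 (Linux; Android 12; Pixel 6) Chrome/108.0"
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
OWNER_IP, OTHER_IP = "203.0.113.10", "198.51.100.7"


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Stable, non-secret digest of the client context a session was issued to."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


class SessionStore:
    """Hypothetical server-side session table. bind_to_client toggles the check."""

    def __init__(self, bind_to_client: bool, ttl_seconds: int = 3600):
        self.bind_to_client = bind_to_client
        self.ttl = ttl_seconds
        self._sessions = {}   # token -> {"user", "fp", "issued"}
        self.alerts = []      # security events a SOC would ingest

    def issue(self, user, user_agent, ip, mfa_passed, now):
        """Login step: MFA is enforced here, and only here."""
        if not mfa_passed:
            raise PermissionError("second factor required at login")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": client_fingerprint(user_agent, ip),
            "issued": now,
        }
        return token

    def validate(self, token, user_agent, ip, now):
        """Per-request step: returns (accepted, user_or_reason)."""
        record = self._sessions.get(token)
        if record is None:
            return False, "unknown-token"
        if now - record["issued"] > self.ttl:
            del self._sessions[token]
            return False, "expired"
        if self.bind_to_client:
            presented = client_fingerprint(user_agent, ip)
            if not hmac.compare_digest(presented, record["fp"]):
                # Same cookie, different device context: log it and revoke the session.
                self.alerts.append({"user": record["user"],
                                    "event": "session-context-mismatch",
                                    "at": now})
                del self._sessions[token]
                return False, "context-mismatch"
        return True, record["user"]


def demo():
    """Exercise both stores with a copied cookie; returns the outcomes."""
    t0 = 1_700_000_000
    results = {}

    # Unbound sessions: MFA was satisfied at login, yet the cookie alone is enough afterwards.
    naive = SessionStore(bind_to_client=False)
    tok = naive.issue("alice", OWNER_UA, OWNER_IP, mfa_passed=True, now=t0)
    ok, _ = naive.validate(tok, OTHER_UA, OTHER_IP, now=t0 + 60)
    results["naive_replay_accepted"] = ok

    # Bound sessions: the owner's device keeps working, the copied cookie does not.
    bound = SessionStore(bind_to_client=True)
    tok = bound.issue("alice", OWNER_UA, OWNER_IP, mfa_passed=True, now=t0)
    results["owner_accepted"], _ = bound.validate(tok, OWNER_UA, OWNER_IP, now=t0 + 30)
    ok, reason = bound.validate(tok, OTHER_UA, OTHER_IP, now=t0 + 60)
    results["bound_replay_accepted"], results["bound_reason"] = ok, reason
    results["alerts"] = len(bound.alerts)
    # Revocation also cuts off the original device, which is the visible side effect to watch for.
    _, results["owner_after_revoke"] = bound.validate(tok, OWNER_UA, OWNER_IP, now=t0 + 90)

    # A short lifetime limits how long any copied cookie stays usable.
    tok2 = bound.issue("bob", OWNER_UA, OWNER_IP, mfa_passed=True, now=t0)
    _, results["expired_reason"] = bound.validate(tok2, OWNER_UA, OWNER_IP, now=t0 + 4000)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fingerprint components are a tuning choice: binding to the full IP address produces false positives on mobile networks where addresses change mid-session, so deployments often bind to the user agent plus a coarser network attribute, or rely on short lifetimes and re-authentication for sensitive operations instead. The useful defender's point survives either way: a cookie presented from a context that differs from the one it was issued to is an event worth logging, not a routine request.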
