About a week ago, TechCrunch discussed a panorama application for Android. The application is called 360 and it was created by Vineet Devaiah‘s company TeliportMe. It’s received praise from some other reputable sources as well and has even managed to attract about 30,000 users; but as will become more apparent over time I love to dig into the security of these sorts of apps. Unfortunately for TeliportMe, their web security is not up to snuff.

Warning

I will warn you one more time! DANGER! DANGER! DANGER! Proceed with reading this article and/or partaking in any action on TeliportMe’s 360 website or mobile application with extreme caution and at your own risk. I highly recommend that you DO NOT visit TeliportMe’s 360 website or PhotoTour.in directly. By the time you read this someone else may have already used this information to exploit the site and/or its visitors. YOU HAVE BEEN WARNED!

The 360 Exploits

There are various ways you can go about exploiting this application. I’ll discuss a few of the information disclosures, how to modify any photo’s name, and a few ways to use XSS.

Information Disclosures

360 as well as PhotoTour.in both use a REST API to pass data around internally via XML. This is an excellent way to build a reusable system and makes it very easy to build new applications as your company grows (great job devs!). Where they went wrong is in securing this system, because guess what!? That’s right! IT’S PUBLIC! Below are some cool links you can use to query their API.

Recent Photo Stream

This is the recent photo stream. You can also use a few variables to limit your query. Nothing special here outside of maybe the addresses and geographical coordinates. Most of this is available via the website anyway.

http://360.vtcreator.com/api/stream/

http://360.vtcreator.com/api/stream/index?count=10&type=upload

User Data

This is how to obtain information about a user. Luckily this doesn’t contain any really sensitive information, but it does make it easy to tell who is signed up on the site, how many people are signed up, and you can potentially grab some users’ email and Facebook info. Below is the link to one of the CEO’s accounts. You can of course change the 5 to any number you want to try other accounts.

http://360.vtcreator.com/api/users/5

Photo Data

You can also obtain photo data. Nothing special here really outside of more geographical info and vote info. Looks like they were considering implementing a dislike feature.

http://360.vtcreator.com/api/environments/3117

More Fun

There are lots of other fun things you can do like getting the photo comments or posting new comments. I won’t go into all the details, but below is a link to get photo comments.

http://360.vtcreator.com/api/threads/phototour_environment_2515

Editing Any Photo’s Info

From the website

The good thing about this exploit is it’s not public; you do have to be logged into the site. The bad part is when I say edit any photo I literally mean ANY photo on ANYONE’S account. Of course the photo then becomes associated with your account, but obviously a malicious user could just use a proxy if he wanted to protect his identity and then go around modifying user photos. Below is a link to edit one of Vineet’s photos, but of course you can change the photo id from 3117 to anything you want.

http://360.vtcreator.com/profile/editphoto/id/3117

Using Your Own Form

If you want to get really crafty you can build an HTML form yourself and just post data to http://360.vtcreator.com/profile/upload. Then you can edit a few more details like the photo location. I won’t go into those details here.

Liking (Voting for) Any Photo As Any User

This is another exploit that will allow you to impersonate any user and vote for any photo. By impersonating different users you can spam votes for one photo to get it to the top of the “Top Rated” list on the 360 website. This one requires making an HTTP POST request, so you could copy and paste the below into a file called 360_voter.html and then use it to submit false votes. You can change 3117 to any photo ID and 5 to any user ID to vote for that photo as that user.

<html>
<body>
<form method="post" action="http://360.vtcreator.com/api/environments/3117/votes/">
<input name="user_id" type="text" value="5" /><br />
<input name="environment_id" type="text" value="3117" /><br />
<input type="hidden" name="value" value="1" /><br />
<input type="submit" name="submit" value="Vote" class="submit-button"/>
</form>
</body>
</html>

Cross Site Scripting (XSS)

Photo Names

And of course, the ever prevalent XSS exploits. There are a couple on the 360 site and even more on PhotoTour.in, but I’ll only discuss the 360 site in this post. The first is that when editing any user’s photos you can inject JavaScript into the Photo name.

Photo Comments

Secondly, when viewing photos you can add comments which can also contain injected JavaScript. You could use this to target specific users by injecting JavaScript into all of their photos; something that steals their cookie would do nicely, unlike the harmless alert below.

Hijacking the Homepage

With this information you could easily hijack the homepage to redirect users somewhere else.

• Upload a photo
• Rename the photo to add JavaScript that redirects users to another website
• Spam votes using the vote exploit to get the photo to the top of the list of “Top Rated” photos which is displayed as the homepage

Of course the site you redirect to could easily be a drive-by install site that installs malware on the users’ PCs or pretty much anything you wanted. Scary!

Things to Ponder

SQL Injection

With all the things I see on this site it certainly appears that one could do more devious deeds. I wouldn’t be surprised to see some SQL injection, but I didn’t attempt to exploit it myself.

Account Deletion

360 uses HTTP POSTs to delete things. Generally you just POST something like method=delete&user_id=1&access_token=123abc to one of the API URLs. I suspect a crafty user could bypass this simple access_token check. Below is an example URL; that URL would delete the photo if it were a POST request instead of a GET and if it had a valid access_token and user_id:

http://360.vtcreator.com/api/environments/3117?method=delete&user_id=1&access_token=123abc

Lessons Learned

• New websites can easily become playgrounds for malicious users
• Where there’s one exploit, there’s another
• Multiple exploits can allow a crafty attacker to perform even worse attacks (like hijacking your homepage)

The features available for iPhone match those available for Android devices and include the group messaging Huddle capability. For a closer look at what the mobile app can do, take a look at the video below.

If you don’t need any tips or tricks, why not visit Awesome Blog is Awesome to read some Google Plus Comics!

Google+ Cheat Sheet

There’s some real goodies in here, like how to get bold and italicized text. Thanks to Simon Laustsen for putting this one together.

How to Migrate your Facebook Pictures to Google+

Facebook is playing games and making it more and more difficult to obtain your own content such as pictures and contacts. This, of course, makes it hard to migrate to Google+. Pick&Zip can help you obtain a copy of all your photos so you can put them on Google+!

G+ extensions for Google Chrome

PlusHacker.com has a good article covering some Chrome extensions that are making Google Plus even better! Below are some of my personal favorites!

Notification Count for Google Plus™

With Notification Count you’ll always know how many notifications are waiting for you on Google Plus!

+Photo Zoom

With +Photo Zoom you can enlarge photos on Google Plus straight from your Stream!

Finding People on Google Plus

Finding People on Plus

If you’re having trouble finding people on Google Plus, don’t worry! With the help of Finding People On Plus you can find nearly anyone you want with ease (even me)!

Social Statistics

You can also try Social Statistics for more Google+ stats!

Free Icons and Buttons

If you’re a blogger, you’re probably in need of a few new social media buttons on your website. I’ve posted a few of my favorites below, but there are lots more at Ginva! Click the picture to go to the author’s website for download!

Tony Gines: Follow me on G+

Tony Gines made this one. Visit his site for the PSD if you’d like to edit it yourself!

Sean McCabe: G+ & +

From Sean McCabe at Bold Perspective.

Matt Hodder: +

From Matt Hodder, licensed under the GPL v3.

Neil Judges: g+ / +

These were made by Neil Judges over at SerifTuts.