Man-in-the-Browser in Google Chrome: Part 2 – Locating SSL_Write and SSL_Read

This second part of the Chromium Man-in-the-Browser series looks at higher-level wrappers such as SSL_Write and SSL_Read, which attackers target to tamper with secure SSL/TLS communications before they get encrypted and after they get decrypted, respectively. Targeting those wrappers rather than the lower-level ones discussed in part 1 has proved to be a successful strategy for malware developers, as the SSL VMT structure can change at any time, making automatic lookup ineffective. The order of the methods contained in it can change, methods can be replaced…

Man-in-the-Browser in Google Chrome: Part 1 – Locating the SSL VMT

The financial services sector has become one of the main targets of cyber-attacks worldwide with the advent of e-banking. One of the most sophisticated and effective methods used to conduct fraud is the man-in-the-browser attack, which infects the web browser and is able to change the content of web pages and tamper with network traffic without the victim noticing, even with security controls such as SSL/TLS in place. To conduct this type of attack, malware authors target specific internal browser functions which are responsible for handling network traffic and redirect the execution…

How to bypass Instagram SSL Pinning on Android (v78)

My goal was to take a look at the HTTP requests that Instagram was making but, after setting an HTTP proxy, I couldn’t see anything. Turns out that Instagram is protected against MITM attacks using a technique called certificate validation (SSL Pinning) which compares the certificate provided by the server in the TLS handshake with a trusted one embedded in the APK. This article is based on Instagram APK version 78.0.0.11.104 (x86) which you can download here. I am also using an Android 8.0 emulator with adb running as root. Disclaimer The…