Apr 5, 2020
HTTP MiTM on Hike Messenger allows the attacker to see group conversations, attachments
TL;DR
MiTM (man-in-the-middle) attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other.
The goal of an attack is to steal personal information, such as login credentials, account details, and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.
Let’s understand MiTM attack better with an example:
The hacker is impersonating both sides of the conversation to gain access to funds. This example holds true for a conversation with a client and server as well as person-to-person conversations. In the example above, the attacker intercepts a public key and with that can transpose his own credentials to trick the people on either end into believing they are talking to one another securely.
MiTM attack execution has two distinct phases
- Interception
- Decryption
Interception Phase
The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.
The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility of any online data exchange.
Attackers wishing to take a more active approach to interception may launch one of the following attacks:
- IP Spoofing
- ARP Spoofing
- DNS Spoofing
Decryption Phase
After an interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. Methods to achieve them are:
- HTTPS Spoofing
- SSL Beast
- SSL Hijacking
- SSL Stripping
Now let’s get into the detailed write-up on HTTP MiTM attack on Hike messenger
Here is the story, back in 2016 I was in my B.Tech Undergraduate at VIT University. There we have a common WiFi network (open network) where users have to log in to captive portals to use the internet and each user is given 10 GB of data for 30 days. As it’s an open network and 10 GB is insufficient for 30 days.
So I started sniffing the network traffic to find captive portal credentials of some other users in the network and found a bunch of user credentials. I did some reconnaissance on captive portal users that I found in the network traffic. I was able to login to their social media accounts with their passwords which they have used for login into captive portals which is very bad. As we know that it is not recommended to use the same password for more than one account.
And I keep sniffing the network traffic for around one hour there I found some interesting about Hike messenger, I was able to see Hike messenger group details like the list of users and their contact information and I was able to see the conversations in plain text and able to download the attachments that user sends to another user in the Hike messenger.
As we can see that hike API (api.im.hike.in) uses HTTP requests instead of HTTPS. There is no SSL implementation in the hike messenger API and we all know that HTTP protocols are not encrypted and it is vulnerable to MiTM attacks.
The tool I have used for MiTM attack is Bettercap. Bettercap is the Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet network reconnaissance and MITM attacks.
Use the following command to sniff the network traffic and all the POST requests.
Here is the sample verbose of the results after the execution of the command.
There are many other open-source MiTM tools available. I love bettercap tool because it has everything that I need. To have a better understanding of how MiTM works I suggest ettercap tool for learning. Ettercap is the best way to get started with MiTM attacks.
MiTM prevention
Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.
- Avoiding WiFi connections that aren’t password protected.
- Paying attention to browser notifications reporting a website as being unsecured.
- Immediately logging out of a secure application when it’s not in use.
- Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.
