Escape Security Flaws

So, hello, my name is Hendrik. And before I start, I need to disappoint you just a little bit because I won't talk about React today. And even worse, I want to talk about web security. So I hope you can enjoy my talk.

So I want to tell a story or share a story with you where I accidentally, and I promise accidentally got access to some pretty spicy content of like photos where people showed off posts with sex toys or even consumed alcohol. So what has happened? Well, back in October 2022, I visited an escape room with some friends. And so after the experience, the staff member came to us and did a group photo.

So in our case, it was just a boring group photo. And so after that, they gave us a little piece of paper that looked like that. And so on the piece of paper, there was our randomly generated code as well as the date of the experience, right? So the experience was super handy. So you would just go on the website, enter your code and boom, you can find the photos you can easily access and loan them and share with your friends. So great user experience. What could possibly go wrong here?

Well, it's like maybe similar to the cat, right? So imagine you have a room and you want to protect the room. So the solution is, well, you just close the door and your room is safe, right? Until the cat understands how to use the door handle. So coming back to my story, basically, I was the cat and I was playing around with the door handle and see how it works. So it turns out, actually, they used a pretty weak code to protect the photos, right? So it was a five digit numeric code, meaning we had only 90,000 possible codes per day. And I'm pretty sure every one of you could easily write a script to generate codes. And so the only thing you have to do is you just write another script and submitting the form over and over and over again, and just hoping you would find an actual code. Yeah, maybe that's what I did. And it turns out it works. And so just as a quick comparison, you can see it here on the table. If you would just use a six digit numeric code, you would already increase the complexity to 900,000 codes. And for me, it's always like, think about it. If you would sit in our product design meeting, at some point you have to decide, okay, what kind of code are we going to use? And they chose a five digit numeric one. Just imagine they would have chosen the six digit or even included alphanumeric, they would have increased the complexity quite a lot.

So even if you have like the strongest code on earth, if you give me enough compute, probably money and time, I could still try my best to find random codes. So another mechanism we need in place is throttling. So throttling means if you get a lot of traffic coming from the same IP address, you probably at some point want to limit the traffic or block the IP address completely. And that's a pretty strong mechanism to prevent attacks. And so guess what? They didn't implement any throttling.

So basically, that means there was no door, there was no door handle, basically the room was open and I could just break in without any problems. Well, it was aboard me on a Sunday and I realized, oh, hell, it's actually serious here. And also I mentioned that I found some spicy content because, that's because they also have a so-called party escape room experience where you can have some intimate private moments with your friends. And basically with the rest of the world, right? So I was like, okay, I need to share my findings somehow with the company. And so that's what I did. And a couple of weeks later, they reacted. And so at least they implemented throttling and also blocked access to all the photos. So they improved the security a little bit. Still, I would still suggest to implement stronger code, but at least it's now harder to attack the service because now the traffic would need to come from different IP addresses. And also you can only get access to the photos from the last 14 days, 7 days, I don't know the exact number. So they definitely improved it.