backtop


Print 22 comment(s) - last by Piiman.. on Dec 29 at 2:41 PM

Microsoft is not going to be happy about this

Justin Angel, an engineer working on Finnish phonemaker Nokia Oyj.'s (HEX:NOK1V) Windows Phone team, has made the curious decision of going public with details of security flaws in partner Microsoft Corp.'s (MSFT) Windows 8, which allow users to pirate games.

Windows 8 users can grab games via Windows Store.  Paid titles typically come with a "Trial" option, which allow users to play a level or two of the game, before being prompted to purchase the title if they want to keep playing.  The trial process is controlled by a Microsoft API.

But Mr. Angel reveals a fatal flaw in the scheme: Microsoft stores the key/hash in plaintext and the algorithm to encrypt/decrypt the data next to the app itself.  In other words, while not for the novice, power users can write small programs to decrypt the program's permissions, write new permissions to make the game look legitimately purchased, and then re-encrypt the permissions.

By exploit the flaws users cannot only get games for free, but they can rid themselves of ads, albeit in a somewhat unethical manner.

But Mr. Angel does not stop there.  He also shows off more security flaws, showing how JavaScript injection attacks can be used to gain access (for free) to in-app purchases.  As an example he uses such an attack to unlock purchasable levels in the popular game Cut The Rope.

Windows Store
Microsoft Windows Store apps are vulnerable to piracy due to poor security implementation. [Image Source: ZDNet]

The flaws are a big deal as they could rob developers of essentially every way to monetize their content on Windows Store. Microsoft has not yet responded on these issues.

Mr. Angel's page has been overloaded with traffic (or maybe yanked after Nokia brass realized what he posted) and is now down.  However, a cached version is available here.  Just remember, readers, every time you pirate a game another kitten dies.

On his Twitter account, responding to criticism about the post he writes, "These are fundamental flaws in the app platform, not individual apps. No secure storage, no wrote protection, etc....  Offline activation & execution mandate secure local storage. That's how apps differ from fully connected web pages."

The issues echo those of Apple, Inc. (AAPL) who experienced rampant piracy in the early days of the Mac App Store, due to poor rights management implementation.  The take-home message is that it's a lot harder to manage apps on a personal computer, where users have full access to the files, versus on a smartphone, where user access to the file system is limited.

Source: Justin Angel [Google Cache]



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Question of ethics
By Ammohunt on 12/11/2012 1:41:36 PM , Rating: 2
I would like to understand his motivation for publishing something like this rather then contacting Microsoft first or at least give them some lead time to correct the issue. Sounds actionable; not very smart since Nokia will bear the brunt of any litigation.




RE: Question of ethics
By kleinma on 12/11/2012 2:27:06 PM , Rating: 2
He was probably a symbian loving engineer who was pissed he had to be working on Windows Phone OS instead. Maybe now he can spend his unemployed time working on the open source implementation.


RE: Question of ethics
By RufusM on 12/11/2012 2:42:43 PM , Rating: 1
While being "escorted" out by security he said:

F-ck you Nokia!! (in Finnish)

and

Stop kicking me!! (in Finnish)


RE: Question of ethics
By DaveLessnau on 12/11/2012 5:46:23 PM , Rating: 2
quote:
F-ck you Nokia!! (in Finnish) and Stop kicking me!! (in Finnish)


It just amazes me what we can find on the internet. For instance, according to:

http://en.wikipedia.org/wiki/Finnish_profanity

The first would be:
quote:
haista vittu


and the second, via:

http://www.translation-guide.com/free_online_trans...

would be:
quote:
seis potkaista we


RE: Question of ethics
By brucek2 on 12/11/2012 2:31:12 PM , Rating: 5
We don't know that he didn't contact Microsoft, or that he wasn't told that this issue wasn't important and that it'd be fixed when and if ever they ever got around to it. If that was what happened, it would hardly be the first time.

So one possible motivation is a desire to bring transparency to a serious issue in order to get it addressed in a timely manner, which now it most likely will be.

Even if the fix will take some time, he might have felt the developer community deserved to know about this condition in the meantime.

I'm not saying any of this makes him right, or smart; I'm just responding to your request to understand his motivation. Of course I have no idea what is in his particular head but these have been factors in previous similar circumstances.


RE: Question of ethics
By othercents on 12/11/2012 2:43:28 PM , Rating: 4
quote:
I'm not saying any of this makes him right, or smart;

Smart would be hiding your identity and leaking the information to press or websites that won't publish your name. What he did was a blatant "please kick here" sign he put on his own back.


RE: Question of ethics
By B3an on 12/11/2012 4:45:40 PM , Rating: 2
It's been possible to crack games from the Windows Store since before the release of Win 8. The method and software he used to do it has been available for ages. MS are fully aware of it. He's possibly showing it in order to get press attention, which could finally get MS to do something about it.

If MS don't fix the issue, it's not because they cant (it would be easy to fix) it's because they don't want to.


RE: Question of ethics
By maugrimtr on 12/13/2012 6:54:39 AM , Rating: 2
Stupid is as stupid does. He could have leaked it anonymously. There are dozens of hacker mailing lists where vulnerabilities can be quickly distributed and publicised to programmers. Note: I didn't say he "should have". His employment contract probably stipulates what happens in scenarios like this where an employee acts contrary to Nokia's interests. This likely applies whether or not the vulnerabilities were already public knowledge.


RE: Question of ethics
By Old_Fogie_Late_Bloomer on 12/11/2012 2:55:31 PM , Rating: 3
quote:
Microsoft stores the key/hash in plaintext and the algorithm to encrypt/decrypt the data next to the app itself.

This is not esoteric stuff, here. There's no way that people at Microsoft could not have known that there is a problem with this system. If he had found some tricky backdoor involving a memory overflow that only occurs at 11:55 p.m. PST on the night of a blue moon, then yeah, maybe. This, though, is basically Microsoft expressing contempt about the notion of security altogether.


RE: Question of ethics
By kaalus on 12/12/2012 5:52:11 AM , Rating: 2
I think the problem is that Microsoft is now executing so poorly that one hand does not know what the other is doing. Some departments at Microsoft probably know about the issue, but there's no way to get the information through to the other side and get this actioned. Most likely a result of corporate red tape and cover-my-ass tactics.

One more reason for Mr. Ballmer to go. He's such a liability, having all the resources in the world and failing almost every time. He'll drive what once was the biggest and most innovative company in the world into the ground.

You would agree with me if you ever tried developing on Windows Phone 7. What a sorry excuse for a developer portal their app hub was. It was so slow I suspect it was hosted on the Ballmer's grandma old laptop in the garden shed. Constant crashes and data losses. Confusing interface that would give you alarming messages after you clicked anything, and give you no way to undo. People were screaming and moaning at them to fix it for months. Nothing changed. Total silence. If I was Ballmer I would fire the guy responsible for that failure on the spot. Yet they needed 1.5 years to realize that it's broken and improve it (slightly) to its current state.

Billions of dollars and hundreds of software engineers not enough to create and host a webpage with a few forms? Only at Microsoft.


RE: Question of ethics
By Argon18 on 12/11/12, Rating: -1
RE: Question of ethics
By Piiman on 12/29/2012 2:41:55 PM , Rating: 1
"Fanboys make me LOL so hard!! "

And We're all lol hard at you ifanboy

""understand his motivation" and "why didn't he contact microsoft first?" etc. etc."

One person ask those question one OH MY GOD!!!


RE: Question of ethics
By BugblatterIII on 12/11/2012 5:49:34 PM , Rating: 2
Might be because he wasn't just exploiting bugs. I think he disagrees with some fundamentals of how the app store has been implemented and MS would be unlikely to make such big changes just because one developer told it there are issues.

This way may force MS's hand.


"It seems as though my state-funded math degree has failed me. Let the lashings commence." -- DailyTech Editor-in-Chief Kristopher Kubicki














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki