ÜberTwitter: your secret spy?

This week, while developing the new modules for evilgrade 2.0 (which we will be presenting at DEFCON 18 and in the BlackHat Arsenal section), we ran into something worth writing up.

We came across ÜberTwitter (@ubertwiter), a well-known Twitter client for the BlackBerry platform. During traffic analysis we realized that, each time you start it, this nice application sends the following data to UberTwitter's servers without any warning:
  • BlackBerry Personal Identification Number (PIN)
  • Phone number
  • E-mail address
  • Physical location of the device
In detail, the application makes the following connections (the packet capture screenshot is not reproduced here). Four of them stand out:

1 and 2) Packets 183/204: It connects to Google's Geolocation API. This API returns latitude and longitude computed from the cell towers that form the cell the phone is currently attached to; the request below carries the serving cell's country code, network code, location area code and cell ID.


POST /loc/json HTTP/1.1
Host: www.google.com
Connection: close
content-type: application/json
Content-Length: 338

{"host":"ubertwitter.com","address_language":"en_US","request_address":false,"carrier":"Verizon Wireless","home_mobile_country_code":18,"cell_towers":[{"mobile_country_code":18,"location_area_code":8,"signal_strength":-80,"cell_id":631,"age":0,"mobile_network_code":18}],"version":"1.1.0","radio_type":"CDMA","home_mobile_network_code":0}


HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Date: Thu, 15 Jul 2010 19:49:56 GMT
Expires: Thu, 15 Jul 2010 19:49:56 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

{"location":{"latitude":39.029105,"longitude":-77.502686,"accuracy":2801.0},"access_token":"2:YK11P_4P71Dse06Q:RC8_epQWU46gR4KG"}


In the response we can see our position, "latitude":39.029105,"longitude":-77.502686, together with an "accuracy" value of 2801.0.

3) Packet 245: The application connects to reg3.ubertwitter.com and sends the BlackBerry PIN, cell phone number, e-mail address and Twitter account.


POST /do_reg.php HTTP/1.1
Host: reg3.ubertwitter.com
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

twitter_user=infobytesec&product=UberTwitter_4_6&version=0.971&bb_pin=2100000a&model=9000&platformversion=&swversion=4.6.0.92&phone=15198887465&email=unknown&tweets_sent=0&gps_on=NO&carrier=Default+3G+Network&country=&in_app=606622


HTTP/1.1 200 OK
Date: Thu, 15 Jul 2010 19:50:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html

{"RUN":"YES","PAID":"NO","INTERVAL":10615737,"CALL_HOME_INTERVAL":1080,"LOCATION":"YES","SHOW_ADS":"YES","VERSION_MESSAGE":"You are running the latest version!","QUATTRO_SLICE":1,"RIOTWISE_SLICE":5,"MILLENNIAL_SLICE":1,"PLUSONE_SLICE":5,"BUZZCITY_SLICE":1,"NEXAGE_SLICE":1,"ADLY_SLICE":1,"IP_ADDRESS":"186.56.158.5","AD_LINGER_MINUTES":1}


4) Packet 254: The application sends our latitude, longitude and cell information, together with the BlackBerry PIN, to storeinfo.myloc.me.

POST /storeinfo.php HTTP/1.1
Host: storeinfo.myloc.me
Connection: close
content-type: application/json
Content-Length: 369

[{"BBPIN":"2100000a","gpsaccuracy":0,"mcc":18,"mobile_country_code":18,"capture_time":1279309740783,"mnc":0,"latitude":39.029105,"accuracy":2801,"longitude":-77.502686,"mobile_network_code":18,"altitude":0,"location_area_code":8,"cell_id":631,"nettype":"SIM","carrier":"Verizon Wireless","gpslat":0,"altitudeaccuracy":0,"signal_strength":-80,"usegps":false,"gpslon":0}]

HTTP/1.1 200 OK
Date: Thu, 15 Jul 2010 19:50:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 28
Connection: close

{"success":true,"records":1}


Note that the application's settings include an option to publish our location, but at the time of testing this option was not enabled, and the location was sent anyway (packet 254, with gps_on=NO in the registration request).
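To make the kind of check described above repeatable, here is a small added example (our own illustration, not code from the post or from UberTwitter) that parses captured HTTP requests and reports which identifier and location fields each destination host receives. The sample requests are constructed from the captures in this post, with bodies shortened, plus one harmless request for contrast; the field-name patterns are our own assumptions about what counts as sensitive.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample requests modelled on the captures above (bodies shortened).
SAMPLE_REQUESTS = [
    "POST /do_reg.php HTTP/1.1\r\nHost: reg3.ubertwitter.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "twitter_user=infobytesec&bb_pin=2100000a&phone=15198887465&email=unknown&gps_on=NO",
    "POST /storeinfo.php HTTP/1.1\r\nHost: storeinfo.myloc.me\r\n"
    "content-type: application/json\r\n\r\n"
    '[{"BBPIN":"2100000a","latitude":39.029105,"longitude":-77.502686,"cell_id":631,"usegps":false}]',
    "POST /loc/json HTTP/1.1\r\nHost: www.google.com\r\n"
    "content-type: application/json\r\n\r\n"
    '{"host":"ubertwitter.com","cell_towers":[{"cell_id":631,"location_area_code":8}]}',
    # Control case: a request that carries no identifying fields at all.
    "GET /timeline HTTP/1.1\r\nHost: api.twitter.com\r\n\r\n",
]

# Field names we treat as sensitive (assumed categories, matched case-insensitively).
SENSITIVE_KEYS = {
    "pin": re.compile(r"(^|_)pin$|^bbpin$", re.I),
    "phone": re.compile(r"phone", re.I),
    "email": re.compile(r"e?mail", re.I),
    "location": re.compile(r"^(lat|latitude|lon|longitude|gpslat|gpslon)$", re.I),
    "cell": re.compile(r"cell_id|location_area_code|mobile_(country|network)_code|^mcc$|^mnc$", re.I),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def flatten(obj, prefix=""):
    """Yield (leaf key, value) pairs from nested JSON objects and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix, obj


def extract_fields(headers, body):
    """Decode the body according to Content-Type; unknown types yield no fields."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            return list(flatten(json.loads(body)))
        except ValueError:
            return []
    if "x-www-form-urlencoded" in ctype:
        return [(key, values[0]) for key, values in parse_qs(body).items()]
    return []


def classify(raw):
    """Return (host, path, {category: [values sent]}) for one request."""
    _, path, headers, body = parse_request(raw)
    found = {}
    for key, value in extract_fields(headers, body):
        for label, pattern in SENSITIVE_KEYS.items():
            if pattern.search(key):
                # Keep the value too, so an analyst can see whether the field is populated.
                found.setdefault(label, []).append(str(value))
    return headers.get("host", "?"), path, found


def audit(requests):
    """Map 'host/path' to the sensitive categories it receives; silent endpoints are omitted."""
    report = {}
    for host, path, found in map(classify, requests):
        if found:
            report[host + path] = found
    return report


if __name__ == "__main__":
    for endpoint, fields in audit(SAMPLE_REQUESTS).items():
        print(endpoint)
        for label, values in fields.items():
            print("  %-9s %s" % (label, ", ".join(values)))
```

Running it on the constructed samples lists the registration endpoint with the PIN, phone and e-mail fields, the myloc.me endpoint with the PIN, coordinates and cell data, and the Google endpoint with cell data only; the Twitter API request is not reported. Matching on field names rather than values is deliberate: the registration request sends email=unknown, and a value-only check would miss that the field exists at all.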



We would like to know why they collect our PIN, e-mail, phone number and location.
And in any case, wouldn't it be prudent to at least alert the user?
We should ask them! (@ubertwiter)

Our Lab setup was the following:
BlackBerry JDE 4.6.0
ÜberTwitter 0.971

Regards.


6 comments

July 16, 2010 at 9:12 PM

Very good!!
A very interesting article.

Hugs,
@maxisoler

admin
July 17, 2010 at 12:05 PM

I had pinged UberTwitter about a year back because by default it sets all the Blackberry App perms to enabled regardless of features turned off or on. I had suggested that they only set the app perms based on what features the user selected during setup.

The "about" page in UberTwitter (free version) reveals some interesting information as well. In addition, the advertisement response is included there. All about the Ad $ right?

admin
July 19, 2010 at 3:58 PM

That really sucks! I'm an ubertwitter client and it was the best BlackBerry client for Twitter that I've tested. If you have any to recommend to me I will take it.
My experience was very disappointing because I tried to refuse the access to my phone number, email and other personal information, but the software came back with a message: "I won't work without these infos". lol
I ended up allowing, but not happy about it.
Anyway. Thanks for the info!
Best
@danielleom

admin
August 4, 2010 at 11:42 AM

We are not stealing data, this is all covered in the TOS on our web site. We use the location information to improve the accuracy of our database. We need the PIN in order to process registrations, and the phone number and email is not collected, it is always blank. Contact us if you have any questions or concerns

paul@ubertwitter.com

admin
December 10, 2015 at 5:27 AM

You know your projects stand out of the herd. is something special about them. It seems to me all of them are really brilliant! site

admin
August 25, 2016 at 8:30 AM

That takes a lot of efforts to perform.
IF you have an access to a phone you want to spy (e.g. your child etc.) you can just use this phone hacker