A while ago, I reached out to Mats, the creator behind the YouTube channel Topfvollgold, offering my help with data scraping. I thought it might be useful for his projects and mentioned that Iād be happy to assist if the need ever arose.
Recently, Mats reached out with an intriguing request: he needed help scraping data directly from YouTube for an interesting video idea. Naturally, I jumped at the opportunity and got straight to work.
Close to a year ago, I stumbled upon the Kekz Headphones, which seemed like an interesting approach on the whole digital audio device space. They claimed to work without any internet connection and all of the content already on the headphones itself. They are On-Ear Headphones, which work by placing a small chip (I call them “Kekz” or “Cookie”) into a little nook on the side and it plays an audio story. I was intrigued, because there were some speculations going around, how they operate with those “Kekz”-Chips.
I invite you to join me on a journey into the inner workings of those headphones. We will talk about accessing the encrypted files on the device, breaking the crypto and discovering disclosure of data from customers.
I’ve identified a security concern within the self-hosted file sharing tool ProjectSend in the current version r1605. By exploiting a chain of vulnerabilities ā including Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), and weaknesses in its change password implementation ā an authenticated attacker can force a logged-in user to unknowingly change their account password, by clicking a link.
But let me explain the attack in detail.
A couple of months ago, i asked around on Mastodon if anybody was able to provide some HDDs with hardware faults. Clicking, Buzzing, Silent. Whatever. I wanted to learn the art of Head Swapping and other shenanigans.
Two weeks later, somebody I know, answered my call into the Fediverse, with a drive i could try to get the data from it. I was delighted and scared.
Why scared, you might ask.
The first electronic device which a young child autonomously uses, is most likely an audio device to chose their own music or stories. I am in my mid 30s now and we used cassette tapes, which we were pretty much a common standard back then. Nowadays multiple different licensing methods exists. Tonies, Kekz, Jooki, Coins, you name it. Every company has their own methods and ways to store, encrypt and work with audio files.
tl;dr; My knowledge in Bluetooth LE Communication got quite rusty over time and i wanted to refresh it with an easy target the other day. I wanted to open up the lock with a simple bluetooth command but ended up having access to their entire backend database with a lot of unique users across their entire product lineup.
It didn’t go as planned.
The Lock and API As all BLE-Locks work, they require an App to talk to the Lock itself and an API on the company side.