How to check whether a lazy programmer has allowed malicious users (anywhere in the world) to install a spying web hook on your Business Central.
PART 1: HOW SOMEONE NASTY HIJACKS A WEB KEY
PART 2: HOW A MALICIOUS USER USES IT IN A SNEAKY, SPYING WEB HOOK
PART 1: HOW SOMEONE NASTY HIJACKS A WEB KEY
When you give the external world access to Business Central (Azure Functions, mobile apps, web apps, desktop apps) you usually hand a web key to your external developer or to the software house.
Web keys are used as credentials and let third-party applications exchange data (customers, orders, invoices, warehouse items and so on) through the API and OData v4 endpoints.
Let's suppose the Business Central administrator uses a "normal" Business Central user and generates a web key for it. This usually happens because the customer refuses to pay for a license that would be used only to connect external apps.
The administrator gives this web key to the developers. Most programmers are very lazy (let's say almost all of them) and might just use these credentials this way:
Even worse, a very, very lazy developer may put these credentials inside the application's configuration files (values/Strings.xml on Android, or configuration JSON files in the case of Windows apps).
In the nightmare scenario, the app end user has to import a flat file, or even configure by himself/herself the credentials handed over directly by the developer.
Now, when developing desktop or mobile applications, you end up deploying an EXE on Windows, an APK on Android, an IPA on iOS or an APP for Mac.
If the app is for the public, it is published in the app stores. In the case of an enterprise app, it is deployed to specific devices or computers, usually through an MDM or by direct deployment.
Let's look at what happens, for example, with an Android app: the developer builds the app and deploys it to Google Play, or hands over the APK directly (maybe even a debug build).
It is possible, and easy, for anyone to obtain the original APK (the same goes for the EXE and the IPA).
Unless the developer has used obfuscation (disabled by default and commonly not enabled), simple tools make it easy to browse the APK for strings and configuration values and to extract all of them, including the credentials:
apktool d YourApp.apk
aapt d xmlstrings app.apk xmlfile
In conclusion, in many different ways, these web keys end up in the hands of users.
You might think these web keys aren't really dangerous... BUT...
PART 2: HOW A MALICIOUS USER USES A WEB KEY TO SUBSCRIBE A WEB HOOK AND SILENTLY SPY ON DATA
Web hooks are really powerful and allow you to implement amazing integrations.
Let's have a look at how easy it is to implement spyware with web hooks. 🙂
The credentials stolen in part 1 cannot really be used with the Business Central web client BUT, even worse, they can be used for OData v4 and API queries.
Since these credentials carry the rights of the Business Central user, they may have unlimited and unrestricted access to all kinds of tables.
Web hooks can be configured as an automated way to sneakily replicate customers, invoices and sales orders to an external repository.
Subscribing to a web hook is quite easy: using Insomnia, you just POST a request to Business Central with the stolen credentials.
With this simple action, every time an insert, update or delete happens, the web hook automatically signals the change to the subscriber. The subscriber then has all the details needed to fetch the entire record through the API.
HOW TO CHECK ACTIVE WEB HOOKS
The web hook subscriptions are queryable through the API exactly like all other Business Central entities.
So, with a single GET on the subscriptions entity, you get the list of active subscriptions and can check at any time that everything is as expected.
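The check described above, as an added example that is not part of the original post: it parses the JSON returned by a GET on the subscriptions entity and flags every subscription whose notification URL points at a host outside your allowlist. The sample response, the ALLOWED_HOSTS set and the two helper functions are assumptions made for this example; only the field names follow the Business Central subscriptions entity.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample of what a GET on the subscriptions entity returns.
# Field names follow the Business Central API subscriptions entity; the
# ids, URLs and company id below are made up for this example.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"subscriptionId": "sub-0001",
     "notificationUrl": "https://integration.example-erp.com/bc/hook",
     "resource": "api/v2.0/companies(11111111-1111-1111-1111-111111111111)/salesOrders",
     "expirationDateTime": "2020-04-29T10:00:00Z"},
    {"subscriptionId": "sub-0002",
     "notificationUrl": "https://collector.example.net/drop",
     "resource": "api/v2.0/companies(11111111-1111-1111-1111-111111111111)/customers",
     "expirationDateTime": "2020-04-29T10:00:00Z"},
]})

# Hosts that are allowed to receive change notifications (assumed; keep this in your config).
ALLOWED_HOSTS = {"integration.example-erp.com"}


def unexpected_subscriptions(response_body, allowed_hosts):
    """Return the subscriptions whose notificationUrl host is not on the allowlist."""
    suspicious = []
    for sub in json.loads(response_body).get("value", []):
        host = urlparse(sub.get("notificationUrl", "")).hostname
        if host not in allowed_hosts:
            suspicious.append({"subscriptionId": sub.get("subscriptionId"),
                               "host": host, "resource": sub.get("resource")})
    return suspicious


def fetch_subscriptions(base_url, user, web_key):
    """GET the subscriptions entity with Basic auth (user name + web service access key).
    base_url is the API root, e.g. https://TENANT-PLACEHOLDER/api/v2.0 (assumed)."""
    token = base64.b64encode(f"{user}:{web_key}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + "/subscriptions",
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_subscriptions(...) for a live check.
    for s in unexpected_subscriptions(SAMPLE_RESPONSE, ALLOWED_HOSTS):
        print("UNEXPECTED web hook:", s)
```

Run it on a schedule and you have the same alert the author suggests further down, without waiting for a web hook on the subscriptions entity itself.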
HOW TO AVOID THIS SCENARIO
- The web key mustn't be generated on a normal user but on a specific dedicated user;
- The administrator has to restrict access to specific data by configuring permissions properly;
- The web key has to be encrypted inside the third-party applications;
- You can create a web hook on the subscriptions entity that sends an email when something changes, so you are alerted every time someone creates a new subscription 🙂
- Use Azure Key Vault (https://azure.microsoft.com/it-it/services/key-vault/); I am going to publish an article about the astonishing "Azure Key Vault";
Some interesting notes about Key Vault and Xamarin: https://codemilltech.com/mobile-apps-azure-keyvault-dont-do-it/
26th of April 2020