Hi #RSAC2018. 😏 
Before anyone says "fake": rsa1-webservice.eventbase.com/v1/admin/produ… and download the returned link ("content")
That feeling when you finally dumped the attendee database but it only contains a test entry 😳Looks like RSA is not using the attendee list feature of Eventbase 🙄Let's check other authenticated APIs.
For those who want to reproduce (1/3):
- Create account @ rsaconference.com
- Login to the App
- Extract the Sync_Token from /data/data/com.rsa.rsaconference/shared_prefs/prefs.rsa2018.xml
- Open rsa1-webservice.eventbase.com/v1/attendee-li…<Sync_Token>
- Create account @ rsaconference.com
- Login to the App
- Extract the Sync_Token from /data/data/com.rsa.rsaconference/shared_prefs/prefs.rsa2018.xml
- Open rsa1-webservice.eventbase.com/v1/attendee-li…<Sync_Token>
(2/3):
- Download the encrypted sqlite db from the response value rsa1-webservice.eventbase.com/v1/attendee-li…<...> (add &token=)
- Store the response header X-Db-Info: 1:::<db-hash>
- Get <string name="attendee_db_key"> from res/values/strings.xml
- Download the encrypted sqlite db from the response value rsa1-webservice.eventbase.com/v1/attendee-li…<...> (add &token=)
- Store the response header X-Db-Info: 1:::<db-hash>
- Get <string name="attendee_db_key"> from res/values/strings.xml
(3/3):
- Get sqlcipher key via hmac(attendee_db_key, <db-hash>, sha256).hexdigest()
- Decrypt the DB as shown in the screenshot above.
Easy, right? 😁
- Get sqlcipher key via hmac(attendee_db_key, <db-hash>, sha256).hexdigest()
- Decrypt the DB as shown in the screenshot above.
Easy, right? 😁
"leads" API seems to be a dead end as well.
🤨
i'll stop now :)
Thanks to @EventbaseTech / @RSAConference for fixing the data leak so quick! That is a great response time! 👍Can confirm that the attendee data is not accessible anymore through the method I discovered.
