How I participated in the bug bounty from Xiaomi and what was it for me

    “We have a security hole.”
    “Well, at least something is safe with us.”


    - iPhones, every year, they break it, and nothing.

    I found this error by accident. I am sure that not a single tester would have thought of going this way - it is so not obvious, wild and unpredictable that only by chance helped me participate in Xiaomi's bug bounty. In this post I’ll talk about how I did it, what it was for and why Chinese services are evil.


    Background


    In the MIUI OS, you can create two "spaces" (for simplicity, I will call them profiles) - a completely independent set of settings, applications and files that are inaccessible from each other (not counting the separate "Import" application). Both profiles can be password protected and, for example, use the device with someone else.

    What, in fact, is kneading?


    The kneading is that I found a way to switch from the second profile to the first without entering a password. This was possible through the Google Drive application, which is installed by default in the global firmware on MIUI 8 and is immediately available in the second profile.

    The second profile has less rights than the first - in it, for example, you can’t enable or disable mobile Internet or manage backups in Google Drive. If you try to do this, the application offers to go to the "Manage Users" system dialog and select the user on behalf of whom the action is performed.

    But something went wrong, and the choice of the main profile in this window did not lead to backup management, but to the transition to it without entering a password.

    Doubtful analytics # 1


    In principle, it's okay. To exploit the vulnerability, you must at least know one of the passwords and have physical access to the phone. But even within a limited team, gaining access to the data stored in the second profile can be extremely unpleasant.

    On the other hand, I did not have time to really investigate the principle of the appearance of the "Manage Users" screen. There are probably system methods for calling it from other applications, but I haven’t gone that far.

    How to live with it?


    At first I thought of declaring it as a bug of a Google application (I heard that they sometimes give money for it). But common sense still suggested that a security hole in OSes could be priced more expensive (and you need to fix it faster), and I went looking for a program for a bug bounty from Xiaomi.

    A short search led me to the Xiaomi Security Center . It’s now at least 30 percent added an English translation, and then it looked something like this:


    Xiaomi Security Center, sec.xiaomi.com

    With a Google translator, I read some general things about the program and realized that the vulnerability found pulled by high category- it includes SQL injections, vulnerabilities in business logic, XSS with cookie access, obtaining information about device users, escalating privileges, bypassing login screens and a few other things. “Okay,” I thought, using the poke method I found the form and went to describe the problem.


    Vulnerability

    submission form Google Chrome built-in translator is good exactly up to the moment when it comes to dynamically generated drop-down lists. If the title, description, proof-of-concept and solution fields were somehow understandable, then what I wanted from the lists, I did not understand at all. I had to pick out the hieroglyphs from the right places on the page by viewing the HTML code and translating manually.


    Thank you, now everything is clear

    It turned out that the first list determined the type of vulnerability, the second specified it, and in the third it was necessary to choose the scale of the problem - from low to major.

    Naturally, I wrote that the problem is extremely important and let me rather endure the money already; I have no strength; I’m such a fine fellow . To confirm my intentions, I recorded a five-minute video, where in broken English I told how to exploit the vulnerability and easily access personal data. He sent information about the vulnerability and how to fix it (April 6th) and waited.

    How long did it take?


    On April 11, right at the Security Center, I received a message from an unnamed Xiaomi employee.
    It was like this:
    > Thanks for your submission, this is not miui's issue so this got minor and no reward.Thanks for your support.
    > Thank you for submitting, this is not a miui problem, it is marked insignificant and will be left without a reward. Thanks for the support.

    “But how so? But this! The same! Hole! The size! FROM! Kimberlite! Handset! In Yakutia! ”- something like that I was indignant over the next four hours, and then I calmed down and wrote a reply message. Here is this:

    > Miui allows to view "manage users" screen and switch account without pass. anyway, do you have plan to fix this issue?
    >In MIUI, you can access the "User Management" screen and switch between accounts without a password. Anyway, do you plan to fix the problem?

    I was mentally prepared to wait another five days (since I was still left without a reward), but the answer came an hour later:

    > sorry, my mistake, I will test again
    > Sorry, to blame. I’ll check again.

    Doubtful analytics # 2


    Due to the “error” of the operator, the hole could be closed after approximately infinity. I don’t know how this works in other vulnerability search programs, but this approach in Xiaomi clearly sets up depressing thoughts.

    Nevertheless, the error was corrected already two weeks after the test - in a fresh update of the system such a trick was no longer repeated. For the same reason, I am writing this post now.



    Fortunately, the testing did not take much time and the next day I received a reward of 1000 (thousand) coins in the store inside the Security Center.

    What else is the store ?


    On sec.xiaomi.com there is a catalog of things that can be bought for the internal-security-winning currency (sorry, I just didn’t come up with an easier explanation).


    Don’t refuse anything to yourself for a thousand prize coins.

    Realizing that you won’t be able to select anything from the goods, I began to study another interesting option - you could “buy” yuan for coins, at the rate of 1 yuan for 1.5 coins. A quick calculation showed that my thousand coins famously turned into about 5,200 rubles (at the rate at the time of writing), and it looked like a very good reward for pressing a couple of buttons in questionable places in the system.

    Of course, I filled a basket with RMB for 900 coins (quantization of 150 each).
    Of course, I clicked on the Chinese version of the inscription "Checkout".
    And, of course, I immediately faced a bunch of problems.

    Here would be a screenshot of the form if I hadn’t lost it.

    They demanded from me the name, bank card number and CVV ID number.


    The Chinese name entry form

    Neither the name nor the number of the Russian passport was suitable - the Chinese ID number contains from 12 to 16 characters, and only 2 to 6 were assigned to the name.
    But after the award I didn’t want to miss the award, and I decided to write a letter to tech support and find out how foreigners withdraw money (which, judging by the nicknames of vulnerability catchers, were many). Okay, with the translator we’re looking for the right section, go ...


    ... damn.

    Okay, I had to choose the goods. A smart lamp , a smart 360-degree camera fit into a thousand coinsand bluetooth speaker . Together they cost about 7200 rubles (or 124 dollars).

    The remaining three dozen coins I lost in the “wheel of fortune” on the same site.

    The benefit of the design is simpler, and I just had to figure out how to put the international delivery address in a field with a limit of 100 characters , and also reduce the name to six letters - Evgeny, and write the full one in Notes.

    July ended.

    How long should I wait?


    After filling out the form in your account, nothing has changed. On the first of August, he decided to clarify what was there with the delivery, and wrote a message in the same dialogue where he reported the vulnerability. Nothing happened.

    On August 25th, I made another attempt, and five days later I received an answer with the package track and an apology.

    Delivery took another week, and I finally received a parcel with a reward for a bounty bug in Xiaomi. It's nice that the courier from EMS delivered her to the door and did not have to go anywhere. Happy end.

    In the comments, I am ready to answer your questions about any stages of this time-consuming process.

    Thanks for attention!

    Also popular now: