This repository has been archived by the owner on Jun 27, 2023. It is now read-only.

Post upload fails #8

Closed
benonymity opened this issue Oct 13, 2022 · 11 comments

Comments

@benonymity
Contributor

The upload function in Picture.py always fails with error 403, saying Permission Denied. I've tried a bunch of different phrasing for the Firebase authentication header with no success. Any ideas?

@benonymity
Contributor Author

Further developments: I made some changes (I'll open a PR) to get images to upload, but now I get a message saying {'error': 'Forbidden', 'statusCode': 403, 'message': 'Forbidden', 'errorKey': None} when trying to submit the pictures as a post. Will check some more genuine network requests and see if I can get past this too.

benonymity changed the title from "Firebase photo upload fails" to "Post upload fails" on Oct 13, 2022
@benonymity
Contributor Author

I'm trying to intercept the network requests to see what BeReal has changed in their API that is causing post uploads to fail, but all my proxying efforts are being foiled by their SSL pinning. I'm working on jailbreaking a device so I can bypass the SSL pinning and check upload requests and see if the API actually has changed as is the case with the picture uploads on Firebase or if the lack of an acceptable certificate is the issue at play.

@notmarek
Owner

> I'm trying to intercept the network requests to see what BeReal has changed in their API that is causing post uploads to fail, but all my proxying efforts are being foiled by their SSL pinning. I'm working on jailbreaking a device so I can bypass the SSL pinning and check upload requests and see if the API actually has changed as is the case with the picture uploads on Firebase or if the lack of an acceptable certificate is the issue at play.

Try uninstalling the app, installing it again but not opening it, then turning the proxy on and opening the app. This seemed to work for me in the past.

@ArtrenH
Contributor

ArtrenH commented Oct 20, 2022

Which device are you working on? I have the same TLS issue with mitmproxy and iOS 16 (requests for other photos come through, but everything else fails).

@ArtrenH
Contributor

ArtrenH commented Oct 20, 2022

Update: I managed to get it working. I changed
`res = self.client.post(f"{self.api_url}/content/post", data=json_data)`
to
`res = self.client.post(f"{self.api_url}/content/post", json=json_data, headers={"authorization": self.token})`

@benonymity
Contributor Author

Awesome! Well spotted. Out of curiosity, how did you manage to crack the SSL issue? I was using the Objection framework to try to disable SSL pinning, but ran into some permission errors. I also uninstalled BeReal, installed and opened it under mitmproxy, but still ran into TLS errors, likely something to do with user-agents being associated with certificates.

@notmarek
Owner

Seems to be fixed by #10

@ArtrenH
Contributor

ArtrenH commented Oct 21, 2022

I didn't manage to crack the SSL issue; I somehow managed to understand the 403 error message (provide the authentication header) and then work myself through the next error messages (bad-request). The server then provided a list of wrong fields, and from past projects I knew that you sometimes have to send data with the json parameter (for example in some Discord Bot-API endpoints), so I tried that and then read through the next error messages. (But all in all it took a couple of hours.)
A friend of mine had an idea for cracking the SSL stuff that seems pretty waterproof. He told me it had worked on past projects, but we didn't test it for BeReal. You essentially decompile an apk file, then add something in some xml config file, and then recompile and install on an Android machine. Afterwards, you can monitor the requests with Wireshark.
That's the resource he used in the past: https://egorovandreyrm.com/pcap-remote-tutorial/#decrypting_https_tls_traffic
If BeReal changes the API someday, we could use that to figure out how to send something again.

@notmarek
Owner

> I didn't manage to crack the SSL issue; I somehow managed to understand the 403 error message (provide the authentication header) and then work myself through the next error messages (bad-request). The server then provided a list of wrong fields, and from past projects I knew that you sometimes have to send data with the json parameter (for example in some Discord Bot-API endpoints), so I tried that and then read through the next error messages. (But all in all it took a couple of hours.)
>
> A friend of mine had an idea for cracking the SSL stuff that seems pretty waterproof. He told me it had worked on past projects, but we didn't test it for BeReal. You essentially decompile an apk file, then add something in some xml config file, and then recompile and install on an Android machine. Afterwards, you can monitor the requests with Wireshark.
>
> That's the resource he used in the past: https://egorovandreyrm.com/pcap-remote-tutorial/#decrypting_https_tls_traffic
>
> If BeReal changes the API someday, we could use that to figure out how to send something again.

A modified Android APK should be much easier to capture indeed (works with mitmproxy etc. too). The Android app is also much less obfuscated from what I could see last time I decompiled it, so you could probably extract some of the API info just by static analysis, or write a few Frida scripts and log the traffic before it even leaves the device (!): no need to decrypt traffic with your own TLS cert when you intercept it before it even leaves your device (same with the response). I am however going to leave this to all of you, as I don't have the time required. But it's a lot of fun, I promise 🙂

@benonymity
Contributor Author

Yeah, Android is a lot more ripe for exploitation overall, and it sounds like there are a ton of tools to disable various network encryption services. I should just get a cheap Android to do testing on for stuff like this, or figure out how to emulate it on M1. I'm still confused by the difference between data and bodies and json and headers in network requests too, and I've had to build a commercial API! 😂 So hats off on figuring it out.

@notmarek
Owner

> Yeah, Android is a lot more ripe for exploitation overall, and it sounds like there are a ton of tools to disable various network encryption services. I should just get a cheap Android to do testing on for stuff like this, or figure out how to emulate it on M1. I'm still confused by the difference between data and bodies and json and headers in network requests too, and I've had to build a commercial API! 😂 So hats off on figuring it out.

Bodies, data and json are all the same; what matters is the content type! 😄
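The difference between ArtrenH's `data=` and `json=` calls and the content-type point above, shown as an added, stand-alone example that is not part of this repository's code. It mimics the requests-style defaults for `data=` and `json=` in plain Python, and the endpoint, token, payload fields and server behaviour are all constructed stand-ins, not BeReal's real API.

```python
import json
from urllib.parse import urlencode

SAMPLE_POST = {"caption": "hi", "visibility": "friends"}  # constructed payload, not BeReal's schema

def prepare_request(token=None, data=None, json_body=None):
    """Build headers and body the way a requests-style client would.
    Assumption: mirrors requests' defaults (dict data -> form-encoded body,
    json= -> JSON with application/json). Illustration only, not the library."""
    headers = {}
    if token is not None:
        headers["authorization"] = token        # the header the thread's 403 was missing
    if json_body is not None:
        body = json.dumps(json_body).encode()
        headers["Content-Type"] = "application/json"
    elif isinstance(data, dict):
        body = urlencode(data).encode()         # b"caption=hi&visibility=friends"
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    else:
        body = data or b""                      # raw bytes/str: no Content-Type is set
    return headers, body

def toy_server(headers, body):
    """Constructed stand-in for a JSON API: auth first, then content type, then fields.
    Returns (status, response dict)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not lowered.get("authorization"):
        # Same shape as the 403 body quoted earlier in the thread
        return 403, {"error": "Forbidden", "statusCode": 403, "message": "Forbidden", "errorKey": None}
    if not lowered.get("content-type", "").startswith("application/json"):
        return 400, {"error": "Bad Request", "message": "expected application/json body"}
    try:
        fields = json.loads(body)
    except ValueError:
        return 400, {"error": "Bad Request", "message": "body is not valid JSON"}
    missing = sorted(set(SAMPLE_POST) - set(fields))
    if missing:
        return 400, {"error": "Bad Request", "message": "missing fields", "fields": missing}
    return 201, {"ok": True, "post": fields}

def before_and_after(token="Bearer constructed-token"):
    """Status codes for the original call, the header-only fix, and the full fix."""
    no_auth = toy_server(*prepare_request(data=SAMPLE_POST))                # original: data=, no header
    form_with_auth = toy_server(*prepare_request(token, data=SAMPLE_POST))  # header added, still form-encoded
    fixed = toy_server(*prepare_request(token, json_body=SAMPLE_POST))      # json= plus authorization
    return no_auth[0], form_with_auth[0], fixed[0]

if __name__ == "__main__":
    print(before_and_after())  # (403, 400, 201)
```

The middle case is the one the thread walked through: once the header is present, the same dict still fails until it is sent as JSON, because the server reads the body according to the Content-Type, not the client keyword used to pass it.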
