At the end of March, many British media outlets reported on the dangers of the Houseparty video conferencing application, which has recently gained considerable popularity amid the coronavirus pandemic, widespread quarantine and the transition to remote work.
It was reported that Houseparty users were complaining en masse that their social network accounts, as well as their Netflix, eBay, Instagram, Snapchat and Spotify accounts, had been hacked. These hacks allegedly occurred after installing and using Houseparty.
The developers of Houseparty immediately denied these reports. They explained that the application “does not collect passwords for other sites” and that, therefore, no one can use it to extract credentials for other services.
As a result, the developers of the application and Epic Games, the company that owns it, reported that they were investigating what was happening and suggested that this smear campaign could have been paid for by competitors in order to damage Houseparty. The developers even offered a reward of one million dollars for any information about the "authors" of this fake.
Since then, the promised reward has not been paid to anyone, but new information about Houseparty's security problems has appeared. And while the earlier claims about the application's problems were indeed extremely doubtful, Zac Edwards, founder of Victory Medium and information security expert, has now published much more plausible information about Houseparty's problems.
Edwards first criticized Houseparty on Twitter for the lack of Content Security Policy headers on the password reset page, and then decided to continue studying the application. Further analysis revealed that more than a dozen subdomains of thehousepartyapp.com were distributing malicious PDFs.
Edwards told The Register that the hacker group behind these files seems to have been active for almost two decades. The hackers take over subdomains and redirect users to sites that supposedly offer free video streaming, e-books and other downloads.
“They compromise the subdomains with infected PDFs that are full of rich SEO content and exploits, because of which users are faced with malicious redirects and scam sites. The Houseparty authentication domain has also been compromised by this group,” says the researcher.
Edwards named the hacking group Pickaflick.com Crew, after an old domain that the group had previously used for credit card fraud.
The researcher shared his findings with Epic Games engineers through the company's official bug bounty page on HackerOne. The expert says that he did not expect to actually be paid; rather, he wanted to draw the attention of the company and the information security community to this malicious campaign in order to help other organizations affected by this group's actions. In total, Edwards detected 8440 malicious PDF files associated with the group on various sites.
“In my opinion, all the facts are clear: an organized group specializing in credit card fraud used Epic Games subdomains to attack users. This group continues to organize attacks and has been doing this for many years,” the expert writes in the report.
The expert’s report also includes the replies from the Epic Games security team, which denied that anyone had compromised the company's systems and infrastructure. “The listed subdomains pointed to abandoned DNS records, which, in turn, were automatically inherited by the third party that hosted the e-books,” says Epic Games. That is, old domain records that no one had deleted pointed to an IP address that was no longer controlled by Houseparty.
“A third party inherited the IP address that Houseparty previously owned, the DNS record associated with this IP address was not deleted, and therefore this subdomain is still directed to the corresponding IP address,” Epic Games representatives explained to The Register.
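The situation Epic Games describes, a DNS record left pointing at an IP address the company no longer controls, can be caught by regularly comparing zone records against an inventory of owned address ranges. The following is an added example, not code from the article, Edwards or Epic Games; the zone contents, host names and address ranges are constructed placeholders, and it assumes one record per name.

```python
import ipaddress

# Constructed sample data: relative names in a hypothetical zone and
# RFC 5737 documentation addresses stand in for real records and ranges.
OWNED_RANGES = ["192.0.2.0/24"]
ZONE = """\
www      300 IN A     192.0.2.10
auth     300 IN A     192.0.2.20
ebooks   300 IN A     198.51.100.7
promo    300 IN CNAME ebooks
old      300 IN CNAME gone
ext      300 IN CNAME cdn.example.net.
"""

def parse_zone(text):
    """Return {name: (rtype, value)} for the A and CNAME records in the zone."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] in ("A", "CNAME"):
            records[fields[0]] = (fields[3], fields[4])
    return records

def audit(zone_text, owned_ranges):
    """Classify each name as 'ok', 'dangling' or 'external'."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    records = parse_zone(zone_text)
    result = {}
    for name, (rtype, value) in records.items():
        seen = {name}
        # Follow CNAME chains that stay inside this zone (relative targets).
        while rtype == "CNAME" and not value.endswith("."):
            if value in seen or value not in records:
                rtype = None  # loop, or target that no longer exists
                break
            seen.add(value)
            rtype, value = records[value]
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            result[name] = "ok" if any(ip in n for n in nets) else "dangling"
        elif rtype == "CNAME":
            result[name] = "external"  # third-party target: verify ownership there
        else:
            result[name] = "dangling"
    return result

if __name__ == "__main__":
    for name, status in audit(ZONE, OWNED_RANGES).items():
        print(f"{name:8} {status}")
```

Names reported as dangling are candidates for deletion or re-pointing; names reported as external need a separate check that the third-party resource is still registered to the organization.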
Journalists note that the developers of Houseparty now seem to have sorted out the problem and set up their infrastructure properly. Company representatives commented on Edwards' statements as follows:
“We received a message from a person who was trying to claim a reward, and carefully studied it to confirm the accuracy of the information. But this person did not provide proof of concept for this theoretical bug, which is required for all bug bounty programs. The Houseparty app is safe to use on any mobile device and is protected by strong encryption.”