CAPEC-383: Harvesting Usernames or UserIDs via Application API Event Monitoring (CAPEC Version 2.9)

Attack Pattern ID: 383
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An attacker hosts an event within an application framework and then monitors the data exchanged during the course of that event in order to harvest any sensitive data leaked in the transactions, for example lists of usernames or user IDs that can later be used to send spam to those users. A concrete instance of this attack involves the attacker creating an event within the sub-application. Assume the attacker hosts a "virtual sale" of rare items. As other users enter the event, the attacker records, via a man-in-the-middle proxy placed between their own client and the server, the user_ids and usernames of everyone who attends. The attacker can then spam those users within the application using an automated script.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Application Layer
Target Attack Surface Localities: Client-side
Target Attack Surface Types: Web Application

Target Functional Services

Target Functional Service 1: None
  Protocol 1: HTTP
    Related Protocol: Internet Protocol (Relationship Type: Uses Protocol)
    Related Protocol: Transmission Control Protocol (Relationship Type: Uses Protocol)
+ Attack Prerequisites
  • Targeted software uses application framework APIs

+ Typical Severity

Low

+ Resources Required

A software program that lets the user intercept and inspect communications between the client and the server, such as a man-in-the-middle proxy.

+ References

[R.383.1] [REF-25] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". DEF CON 18. 2010.
+ Content History

Submissions

Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23
Source: Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015