The Robservatory

Robservations on everything…


Someone intercepted my login info in DirecTV’s iPhone app

This morning, I launched the DirecTV app on my iPhone (connected to my home network via wifi).

On launch, I saw a login screen that looked slightly different than usual; the app had been updated recently, so I assumed it was the new login screen. But when I entered my user name and password (on the first attempt), I saw the screen to the right…

At this point, alarm bells went off. Not just because it was my first attempted login, but also due to the grammar of that last sentence:

“Please, contact AT&T operator.”

That’s wrong in many ways—and there’s no provided method for contacting an AT&T operator. I now believed I had been scammed: Somehow, a fake login page was injected where the app would normally display its login screen. As soon as I pressed Enter after entering my password, I’m sure my username and password were sent off to some server somewhere.

I immediately opened the DirecTV web site on my Mac, logged in (using my supposedly-locked account and current password), and changed my password. That all worked, and I received the email stating I’d changed my password, so I’m pretty sure my account is fine. (And I use unique passwords for each service, so the one that was probably compromised is useless to the hackers.)

But the bigger questions here are what happened and how it happened.

After I changed my password, I returned to the iOS device and tapped OK. I then saw the normal DirecTV login screen, as seen at right, furthering my feelings that the original screen was a scam. I logged in with my newly-changed password, and the app worked as normal.

Although my account seems to be safe now, I’m stumped as to how this happened: I wasn’t visiting a web site, I was using an app. How could someone interject a screen into the app itself?

I thought about DNS injection as a possibility, but my phone is using Cloudflare’s DNS (1.1.1.1 and 1.0.0.1), with Google (8.8.8.8) as a fallback resolver; I find it unlikely that those have been compromised. Unfortunately, I don’t have any idea what URLs the login screen may be trying to reach, nor do I have an easy way to capture and analyze that traffic.

But if it’s not DNS injection, then what could it be? Could someone have, somehow, modified the actual binary? If so, I’d think I’d see the dummy page on every login attempt, but I don’t—I only saw it that one time. I’ve tried to get it to show up again, going so far as logging out of the app, force quitting the app, shutting down the phone, and logging in again. But no joy: I just get the usual login screen.

My other thought is that someone must have modified something at the AT&T end to cause a page to load that’s not the one the app is expecting to load…but that sounds nearly as unlikely as Cloudflare’s DNS having been poisoned.

There is one remaining oddity with the DirecTV app: It takes a long time to load, and partially through loading, it switches to a full-black screen with a simple spinning progress indicator in the middle:

All in all, this is very strange, and I’d love to figure out what happened. If anyone has any ideas or people I could contact, please let me know.

5 Comments

  1. Very bizarre! What happens if you delete the app & re-download it? In other words, give the ‘bad behavior’ one more chance to crop up again by wiping the slate clean, so to speak? Then again – this weird delay seems pretty suspicious on its own. I’d say try to get some utility up & running on your system such that you can see all packets flowing to & from the iPhone. Perhaps plug in your Mac via ethernet, then do Internet sharing, then connect the iPhone to the Mac’s WiFi network – then use Little Snitch to see what attempts are going to what URLs / IP addresses. I remember the old utility IPNetMonitor, but a quick search suggests it’s pretty outdated as of now, and also only monitors connections from a given Mac. I seem to remember some other tool which monitors all connections to & from a given network, but probably that’s because I was using an old Mac running IPNM as my router (once upon a time). So… yeah, Internet Sharing & Little Snitch is possibly your best bet.

    1. I also just tried deleting and reinstalling the app, but still only got the “normal” login screen.

      -rob.

    2. My router (pfsense) has a built-in packet capture tool, so I was able to see where it’s going … and best as I can tell (at least when it’s not showing the bad login screen), it’s all legit. They do use AWS, though, so I wonder if one of their server instances got compromised somehow.

      -rob.

  2. Try Charles Proxy. It will let you watch the traffic an app sends by setting up a VPN that begins and ends on the device. It can also man-in-the-middle SSL connections so you can see the plain text.

    https://itunes.apple.com/us/app/charles-proxy/id1134218562?mt=8

    About $8 IIRC, but the App Store won’t tell me because I already have it. There are a number of tutorials for using it on iOS (desktop versions are also available, but are $50 and up).

    A lot of apps are basically dedicated web portals, so a server compromise is a good bet.

    1. I used my router, which can capture packets to/from a specific IP address. Unfortunately, as I couldn’t get the hacked login page to show again, all the IP addresses checked out.

      -rob.


The Robservatory © 2018 • Privacy Policy Built from the Frontier theme