Sometimes, we screw up and do things the wrong way.
How it works
We comb GitHub to find repositories which contain what we think are secret keys, and email the owners of the repository notifying them of the potential mistake.
We have a git hook that runs prior to committing which checks your indexed files for secret keys that should not be committed.
We constructed a man-in-the-middle attack on the mobile game Trivia Crack, exposing all correct answers during a game. We expose this information to both a web application and a Pebble app.
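The pre-commit check described in this section could look like the following added example, which is not the project's own code: it scans the staged version of each file for secret-like strings and aborts the commit on a match. The three patterns, the function names and the sample text are assumptions made for illustration.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Assumed patterns, for illustration only; the page does not list the ones it uses.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"(?i)\b(?:api_?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*['\"][^'\"\s]{16,}['\"]"
    ),
}

# Constructed sample (AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key).
SAMPLE = 'region = "us-east-1"\naws_id = "AKIAIOSFODNN7EXAMPLE"\napi_key = "0123456789abcdef0123"\n'


def scan_text(text):
    """Return (line_number, rule_name) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def staged_paths():
    """Paths added, copied or modified in the index (NUL-separated for safety)."""
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"]
    out = subprocess.run(cmd, check=True, capture_output=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def main():
    blocked = False
    for path in staged_paths():
        # Read the staged blob, not the working-tree file, so the check matches the commit.
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True).stdout
        for lineno, name in scan_text(blob.decode("utf-8", "replace")):
            print(f"{path}:{lineno}: possible {name}", file=sys.stderr)
            blocked = True
    return 1 if blocked else 0  # a non-zero exit status aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, the script runs before every commit in that repository.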
Challenges we ran into
Ran into a little bit of confusion with Flask, where silent failures were causing bad behavior.
Accomplishments that we're proud of
All four hacks work.
What we learned
A ton of apps are vulnerable to MITM attacks, as they expose data in plain text. SSL doesn't protect your API from reverse-engineering. Certificate pinning can be used to prevent MITM attacks. Trusting the client leads to a lot of possible trickery.
What's next for CrackHacks
More cracking, more hacking.