Barcode Attacks

You know what a barcode is.
And I, at least, have been thinking about this for a long time now.

Injections through barcodes.

So I came up with this scenario.

I believe supermarkets, and loads of other stores, keep their products in some kind of database.
If we could then change that code into an improper query, could we exploit the back-end database?

Actually, I have no clue. But I believe it would be possible, as long as they don't sanitize their database input.

So, what to do?

  1. Go save this picture: [image: 1000 SEK Barcode]
  2. Print it out.
  3. Get a pair of scissors, and cut off the "-1 UNION ALL SELECT 0" field.
  4. Go grab some tape!
  5. Put the barcode and the roll of tape in your pocket.
  6. Go to the closest grocery store.
  7. Take a bottle of Coke (or whatever fits you).
  8. Apply your (mine?) barcode over the Coke's, using the tape.
  9. Try to buy it.
  10. ???
  11. Possible profit.

If the query would look something like this:

SELECT price FROM products WHERE id=decoded_barcode

...our image would then make the first query match nothing (there is no product with id -1), and the appended UNION ALL SELECT 0 would execute and return its own row.
The result would be that the overall query returned 0.

Yes, the price would be set to 0.
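The defect the post describes is a decoded scan being spliced straight into the SQL text. As an added example (not the post's own code), here is a small Python/sqlite3 model of that vulnerable lookup next to a hardened one that checks the scan is a well-formed EAN-13 and binds it as a parameter; the product codes and prices are constructed.

```python
import sqlite3

# Constructed sample catalogue (not real store data): EAN-13 code -> price.
PRODUCTS = [("7312345678909", 18.50), ("7350000000009", 12.00)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_price_unsafe(conn, decoded_barcode):
    """The pattern the post describes: the decoded scan is pasted into the SQL text,
    so a scan reading '-1 UNION ALL SELECT 0' becomes a second SELECT that yields 0."""
    sql = "SELECT price FROM products WHERE id=" + decoded_barcode
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def valid_ean13(code):
    """EAN-13 check: 13 digits, weights 1,3,1,3,... over the first 12,
    check digit = (10 - sum % 10) % 10. Anything else was not a real EAN-13 scan."""
    if len(code) != 13 or not code.isdigit():
        return False
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(code[:12]))
    return (10 - total % 10) % 10 == int(code[12])


def lookup_price_safe(conn, decoded_barcode):
    """Hardened lookup: reject anything that is not a well-formed EAN-13, then bind
    the value as a parameter so scanner output can never become SQL syntax."""
    if not valid_ean13(decoded_barcode):
        return None
    row = conn.execute("SELECT price FROM products WHERE id=?",
                       (decoded_barcode,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "-1 UNION ALL SELECT 0"   # the string encoded in the post's barcode
    print(lookup_price_unsafe(db, "7312345678909"))  # 18.5
    print(lookup_price_unsafe(db, payload))          # 0 (price nullified, as the post predicts)
    print(lookup_price_safe(db, payload))            # None (rejected before it reaches SQL)
    print(lookup_price_safe(db, "7312345678908"))    # None (bad check digit: a misread scan)
```

The check digit test also catches ordinary misreads, so logging its failures gives a store a cheap signal for both damaged labels and tampering.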

All sorts of attack scenarios might work through this somewhat obscure technique.

...everything from XSS, CSRF, LFI and RFI...

Trippy huh?

For your enjoyment, I've set up a new sub-domain for you to play around with;
http://barcode.ackack.net/

It allows you to craft your own barcodes, like the one I made a few lines up.

Oh yeah, a little bird whispered something.
These attacks are possible in the wild, and several web services are vulnerable through this invalid, yet valid, medium.

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the co-founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.

10 Comments

  1. ov3rload says:

    Hi! This is a really interesting thing! Have you tried it yet?! I think I will do it this evening @ supermarket, there are some "self cash desks" with no operator, I think I can try 2 or 3 barcodes! =)

  2. Fredrik Nordberg Almroth says:

    Hey! Nope, I haven't. You see, in Sweden most supermarkets use the barcode (encoding?) called EAN_13, which is 100% numeric.
    So yeah, you see the problem, I'm unable to break through a numerical code in order to inject SQL...
    But I bet electronics, furniture, clothing and various other stores use different systems, it's just a matter of trial and error. :)
    Sure, you can do that, but it's rather unethical...
    Ask for permission so you don't get caught, I don't want to be responsible for your actions... Anyway, cheers!

  3. ov3rload says:

    Uhm... I really don't know which type of barcode is used here in Italy, but I can try some different types of shops. Naturally I can try to get around the problem by asking to check a barcode I found out there and seeing the result. I'll never let you be responsible for what I do! =)

    PS: could I insert your blog in my Links? And maybe write an article once I try this stuff?

  4. Fredrik Nordberg Almroth says:

    Hehe, you could however play around at barcode.ackack.net and see if any of the generated ones match any product you bought from the supermarket, that way you'll find out which one to use! =)
    Yeah, sure, feel free to link us, post a link to your article here if you wish! Ciao.

  5. ov3rload says:

    Hi again! I've got bad news, I think we've got the same barcode format! EAN_13 or EAN_8 (yes, it's a European standard), they are only numeric and so... no SQLi! That's a pity, it would be so interesting to see the results in a shop! =D Btw, great article, I like your blog so much, already linked in mine. Ciao! ;)

  6. Fredrik Nordberg Almroth says:

    Ah, how lame, these are the times you wish to live in the states just to try it out ;)
    Hehe, thank you! Checking yours out as well :)

  7. Tweets that mention Barcode Attacks -- Topsy.com says:

    [...] This post was mentioned on Twitter by Francis Gilbert. Francis Gilbert said: I do wonder whether barcode attacks would work. http://bit.ly/cNqOQN nice to think it would. [...]

  8. Barcode Scanner for Android App Downloads – AppJudgment | All About Android says:

    [...] Barcode Attacks [...]

  9. Barcode Attacks In Action says:

    [...] course i needed some verification about my barcode-attack theorem, so i simply went out and tried to be creative. …and guess what? The first target i [...]

  10. Tweets that mention Barcode Attacks -- Topsy.com says:

    [...] This post was mentioned on Twitter by Cacho LaGarza, Patricio and John Jägermeister, Fabián Figueredo. Fabián Figueredo said: SQL Injection en código de barras http://bit.ly/cJj26d [...]
