Monday, May 12, 2014

Where did my license go?

Customers, we'll never predict what kind of weird stuff they do with their computers.
In September 2012 (yes, this time I have a date record), a customer called us to help him with a piece of software that I didn't know.
It was Meteonorm, by Meteotest (Swiss company).
Mr. X, my customer, whose name won't be revealed, told me that they had bought a new computer and needed to transfer Meteonorm to the new machine.
He also showed us a valid license. So if you think I was about to do something illegal, don't bother to criticize me, there is a valid license for the customer's company.
First things first: I installed the software and checked what was needed. A license, of course.
However, he couldn't find the file/serial in time, and there was an urgent need to use the software.
Meteonorm validates the serial against the server, so it was time to install Burp on the machine.
Inspected the JSON traffic and voilà, what the hell, is this so simple?!
Let me see the traffic again (when trying to apply the serial) and observe the server response:
{ isValid: false } (field name may be different, I don't really remember all) Really?!?!?!?
So, set this to "true" using BurpSuite and say goodbye to our customer. It's working, pay :)

This is a good thing that my company has: we are allowed to use this kind of knowledge to help the customers. Is it ethical to hack their own licensed software? Well... yes and no...
Yes, because he did have a valid document proving the acquisition of Meteonorm.
No, because he should have contacted the supplier and asked for the serial again.
This last option would require time that we didn't have, so reversing the protocol was faster.
Customer satisfaction is always our first concern, it doesn't matter how we fix it, or how we do it behind the scenes as long as it works.
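
The check described above failed because the client believed a bare boolean that anything on the network path could rewrite. As an added example (not code from the original post or from the vendor), this Go sketch shows a server signing its verdict and a client that rejects any reply whose signature, serial or nonce does not match. The `Verdict` and `Reply` types, their field names and the sample serials and nonces are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Verdict is a hypothetical reply body; the field names are assumptions.
type Verdict struct {
	Serial  string `json:"serial"`
	Nonce   string `json:"nonce"`
	IsValid bool   `json:"isValid"`
}

// Reply carries the exact signed bytes plus the signature over them.
type Reply struct{ Body, Sig []byte }

// issue runs on the vendor's server, which alone holds the private key.
func issue(priv ed25519.PrivateKey, serial, nonce string, ok bool) Reply {
	body, _ := json.Marshal(Verdict{serial, nonce, ok})
	return Reply{body, ed25519.Sign(priv, body)}
}

// accept runs in the client (public key only) and fails closed on any mismatch.
func accept(pub ed25519.PublicKey, r Reply, serial, nonce string) bool {
	if !ed25519.Verify(pub, r.Body, r.Sig) {
		return false // body was edited after signing, or signed by someone else
	}
	var v Verdict
	if json.Unmarshal(r.Body, &v) != nil {
		return false
	}
	// The verdict must answer this exact request, otherwise it is a replay.
	return v.Serial == serial && v.Nonce == nonce && v.IsValid
}

// scenario uses constructed sample values: an honest reply, one edited in
// transit, and an old "valid" reply replayed against a different request.
func scenario() (honest, tampered, replayed bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good := issue(priv, "SERIAL-A", "nonce-1", true)
	honest = accept(pub, good, "SERIAL-A", "nonce-1")
	bad := issue(priv, "SERIAL-B", "nonce-2", false)
	bad.Body = []byte(`{"serial":"SERIAL-B","nonce":"nonce-2","isValid":true}`)
	tampered = accept(pub, bad, "SERIAL-B", "nonce-2")
	replayed = accept(pub, good, "SERIAL-B", "nonce-3")
	return
}

func main() { fmt.Println(scenario()) }
```

A signed verdict only stops modification on the wire; the decision still executes on a machine the user controls, so the client binary itself remains outside what this check protects.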
