Using Hinge as a Command and Control Server
4 months ago
- #android
- #ethical-hacking
- #cybersecurity
- The post demonstrates using Hinge as a Command & Control (C2) server, which requires patching the app and using MITM techniques.
- Account setup on Hinge requires a phone number, with Mint Mobile 7-day trial SIMs suggested for research purposes.
- A payload is created using a Python script to encode binary data into an image, leveraging Hinge's photo upload feature.
- Hinge's photos and user data are publicly accessible via its undocumented API, allowing retrieval of user IDs and content.
- The post details steps to patch the Hinge app to bypass certificate pinning, enabling MITM attacks on non-rooted Android devices.
- A network security config XML file is modified to trust user certificates, facilitating the MITM attack.
- The process involves pulling APKs from the device, modifying them, and reinstalling the patched versions.
- Mitmproxy is used to intercept and analyze traffic from the Hinge app, revealing sensitive headers and user data.
- The technique showcases how Hinge can be repurposed for distributing data covertly through its platform.