Most people agree that conferences are fantastic places to source for engaged and interesting candidates. Regardless of industry, people who attend conferences are trying to get better at their crafts, network with their peers, and maybe even find new jobs. But it’s tough to find those attendee lists, and it’s gotten harder.
(Photo Credit: Sarah Goldberg)
Here’s where Aaron Lintz comes in. Lintz is one of the top sourcers in the game, and he delivered an outstanding keynote presentation – fittingly titled Conference List Gold – about all of the ways to find lists of folks who attend conferences. Now’s a good time to offer the disclaimer that this is intended for research purposes only, and there are ways for conference apps to protect their data (and independent security firms to help them audit it!).
Sourcing is all about experimentation, and most of this information is findable if you test it out enough. For this keynote, Lintz demonstrated precisely what this experimentation can look like at its best: find your target (in this case, one of the apps that conference organizers use to send messages out to attendees), figure out the pattern to get into it (in this case, often the database behind an API call), and iterate it throughout all the future targets.
(Credit: Aaron Lintz)
After you identify your target, it’s time to equip yourself with all of the tools you need. These tools will help you make, manipulate, test, and record API calls and other HTTP traffic. Here are some free options:
- Postman
- Fiddler
- Burpsuite
- Wireshark
- Zap, which is open-source.
- Your browser, often accessed through either “ctrl+shift+i” or ⌘ + Option + i
In addition to these tools, you’ll need some way of accessing and recording mobile apps. You can either install packet capture or route all of your traffic through a proxy. You might also need an android phone, a jailbroken iPhone, or a good emulator. Finally, you’ll need a way of convincing the API that you deserve to be there – a patch to the SSL certificate – like AndoidSSL-TrustKiller. Good security developers can detect this modification and crash the app, though, so be prepared that this might not always work.
Once you’ve figured out those tools, it’s time to start playing around and dig into the data! What we’re looking for is data that’s stored away behind the front-facing app. When you install an app and navigate to an attendee’s profile, you might see some necessary information like their name and bio, but that information is loaded from (and stored) somewhere else. That data is the gold we’re going after.
Lintz used the IEEE Women in Engineering International Leadership conference app as an example. When you break it down, the steps are relatively straightforward:
- Install the app
- Turn on packet capture
- Hit record
- Open the app & navigate to attendees
- Hit stop
- Open the recording and look for secrets
When you look through the logs, you’ll see different API calls marked “GET.” Those calls go to the attendee list, as Lintz highlighted below. As you can see, this URL isn’t encrypted at all – if you type it into your browser, you can open up the whole list (and much of the app), even from your desktop or laptop.
(Credit: Aaron Lintz)
This URL is an excellent start if all you’re looking for is names, but there’s much more information hidden in the app (and exportable in a .csv). If you’ve been playing around with DataMiner, you might be able to scrape it, but we can go one more step with a little URL manipulation.
What we have now is https://eventmobi.com/ieeewieilc/attendees/194191. We want to see the back end of this and look at the API since that has much more information. Back in your browser, you can view the page source and see the API link: api.eventmobi.com/en/api/v1/events/ieeewieilc/. That’s the API for the whole app, though, and not just the attendee section. So we go back to the link we found earlier, and do a little URL manipulation: api.eventmobi.com/en/api/v1/events/IEEEWIEILC/sections/194191.
If you follow this link, you’ll get a long XML file with all of the data. It isn’t too hard to convert XML to a .CSV, but it takes a few steps. First, you have to convert the XML to JSON (just add .json to the end of the URL: http://api.eventmobi.com/en/api/v1/events/IEEEWIEILC/sections/194191.json). Once you have the JSON text, you can copy and paste it into a free converter, then download your CSV!
(photo credit: Aaron Lintz)
This gives you the name, title, company, and some social profiles of more than two hundred attendees to the conference – all of the attendees who created profiles on the conference app!
Once you figure out how to do this, keep iterating it with different events. See what you can find out by unlocking the backend of an app, and keep experimenting even as event organizers catch on and secure their data even more strongly! Safes only work when you use them, as Lintz reminded us. Sometimes, organizers will create extremely secure apps, and then share out the passwords on unsecure forums indexed by Google. It never hurts to do some digging to see if you can get in through the front door, too. SourceCon Royale’s Social Engineering theme reminded us all that we often overlook all of the signals we send out about ourselves, and conference app designers are no different from the rest of us sometimes!
(Headline photo credit: Jimmy Nguyen)