Add instagram app support #82

Closed
evgen-dev wants to merge 1 commit into httptoolkit:main from evgen-dev:main

@evgen-dev

Added facebook proxygen ssl verification hook. Instagram wouldn't work without it.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Evgenii Devisok seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.


Interceptor.attach(f, {
onLeave: function (retvalue) {
retvalue.replace(1);
Member

This is definitely interesting, but it's tricky - right now all the existing scripts allow TLS interception just by the one extra MitM CA, but this line disables TLS validation completely for this code 😬

That creates some potential security problems. Even if you're intercepting Instagram traffic yourself, you probably don't want the risk that anybody on your local network could intercept you and steal your Instagram account.

All the other hooks handle this by using related APIs to actually validate the certificate, and just trust the one extra cert that's configured. That doesn't have this problem, but I think that's impractically difficult here since there's no public code & docs available for libliger anywhere I can see. We can't easily tell what certificate this function is handling.

I think there's probably a route through here. What do you think about adding an ENABLE_INSECURE_HOOKS variable in config.js, defaulting to false, and then:

  • This hook checks that variable, inside this function here.
  • If false, the first time the hook runs, it prints an "Insecure hook required" message with instructions: set ENABLE_INSECURE_HOOKS=true in config.js, but be aware that this is insecure and you could be intercepted by others on your network.
  • If true, run this line as here and disable TLS.

});

function hook_proxygen_SSLVerification(library) {
const functionName = "_ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE";
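
Review bot: the mangled symbol assigned to functionName has no comment saying what it is or where it came from. Add a comment with the demangled form, proxygen::SSLVerification::verifyWithMetrics(bool, x509_store_ctx_st*, ...), and the library and app version it was taken from, so that a later reader can tell which check this hook targets and can update the string when the symbol changes.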
Member

Any idea how consistent this name is? It looks like the kind of thing that might change frequently between releases.

Can we match against this instead, with something like *proxygen*SSLVerification*verifyWithMetrics*FailureVerificationCallbacks*? That seems likely to be sufficiently specific but much less likely to change in future.

Author

I don't know, this method name is taken from libliger.so. It works.

@pimterry
Member

I'm currently exploring solutions to this, but unfortunately the Meta apps have changed significantly since this was written (libliger.so is no longer present) so this approach doesn't work. I'll close this.

@pimterry pimterry closed this Jun 20, 2025
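
The two review suggestions in this thread (an ENABLE_INSECURE_HOOKS switch defaulting to false, and matching the symbol by wildcard pattern instead of its full mangled name) can be sketched in plain JavaScript. This is an added example, not code from the pull request or from the project; it uses no Frida APIs, and the function names, the sample export list and the rule of refusing ambiguous matches are assumptions.

```javascript
// Added example, not from the PR. Hypothetical names throughout; only
// ENABLE_INSECURE_HOOKS and the wildcard pattern come from the review comments.

// Turn a '*' wildcard pattern into an anchored RegExp; all other characters are literal.
function globToRegExp(glob) {
    const parts = glob.split('*').map((p) => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
    return new RegExp('^' + parts.join('.*') + '$');
}

// Return the one export name matching the pattern, or null when zero or several
// match (assumption: an ambiguous match is refused instead of guessed).
function findUniqueExport(exportNames, glob) {
    const re = globToRegExp(glob);
    const hits = exportNames.filter((n) => re.test(n));
    return hits.length === 1 ? hits[0] : null;
}

// Gate for hooks that switch validation off: allowed only when the config value is
// exactly boolean true; otherwise the instructions are logged once and it refuses.
function createInsecureHookGate(config, log) {
    let warned = false;
    return function mayRunInsecureHook(hookName) {
        if (config.ENABLE_INSECURE_HOOKS === true) return true;
        if (!warned) {
            warned = true;
            log('Insecure hook required (' + hookName + '): set ENABLE_INSECURE_HOOKS=true ' +
                'in config.js, but be aware that this is insecure and you could be ' +
                'intercepted by others on your network.');
        }
        return false;
    };
}

const PATTERN = '*proxygen*SSLVerification*verifyWithMetrics*FailureVerificationCallbacks*';

// Constructed export list: a shortened variant of the symbol with a different
// parameter list, plus two unrelated names.
const SAMPLE_EXPORTS = [
    '_ZN8proxygen15SSLVerification17verifyWithMetricsEP17x509_store_ctx_stPNS0_31SSLFailureVerificationCallbacksE',
    '_ZN8proxygen15SSLVerification6verifyEv',
    'SSL_CTX_set_verify',
];

const messages = [];
const gate = createInsecureHookGate({ ENABLE_INSECURE_HOOKS: false }, (m) => messages.push(m));
const symbol = findUniqueExport(SAMPLE_EXPORTS, PATTERN);
console.log(symbol !== null, gate('proxygen SSLVerification'), messages.length);
```

With the default config the gate refuses and logs the instructions once, and a string value such as 'true' is not accepted as opting in.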