Man in THI middle is a man-in-the-middle (MITM) vulnerability in the official app of the Technische Hochschule Ingolstadt. It was discovered by two students while reverse engineering the API used by the app. An attacker who is on the same network as the victim, or physically close enough to put themselves on the victim's network path (a rogue Wi-Fi hotspot, for example), can sniff and modify the traffic between the app and its API backend. This gives access to sensitive user data such as grades and home address, and even to the login credentials themselves.

Introduction

THI-App is an app for students and employees of the Technische Hochschule Ingolstadt. It includes a timetable, meal plans, exams and grades as well as a room search. It was originally developed as a Bachelor thesis, with further development being done by the university.

mitmproxy is an interactive HTTPS proxy. It acts as an intermediary between a client and a server, receiving each request from the client and forwarding it to the server, and it is particularly useful for reverse engineering how apps talk to external servers. To decrypt HTTPS traffic, mitmproxy generates its own certificate authority (CA) and, for every host a client connects to, issues a certificate signed by that CA on the fly. A client will only accept those certificates if the mitmproxy CA has been manually installed as trusted on the phone. This step is necessary precisely because HTTPS is designed to stop third parties from inspecting or altering your traffic: a client that validates certificates refuses to talk to a proxy whose CA it does not trust.

Discovery

Some time in December 2020, dissatisfied with the official app, we decided to create our own. To be able to implement it, we first wanted to document the backend of the official app. We fired up mitmproxy, installed the generated CA certificate on our phone and configured the phone to route all network traffic through the proxy. Then we tapped every option in the app, looked at the logged network requests and documented them for later use. Based on this, over the next couple of months, we developed a completely new web app built on React and Next.js. In the background it used the original backend, so no changes on the university's side were needed.

At some point we realized we had missed some functionality of the original app. We fired up mitmproxy again, configured our phone to route all requests through the proxy and watched the network requests. However, we had forgotten to install the mitmproxy certificate … and yet we could still observe all of the app's network requests, decrypted.

This should not be possible if HTTPS and TLS are used correctly. That we could decrypt the traffic without our CA installed can only mean one thing: the client does not verify the certificate presented by the (alleged) server at hiplan.thi.de. It accepts a certificate that no trusted CA has signed, so it has no protection whatsoever against MITM attacks. Anyone who controls your network, and in some cases anyone merely connected to the same network (ARP spoofing, as used in our proof of concept, is enough on a typical LAN), can intercept all of the app's communication: the operator of a public Wi-Fi hotspot at your café, for example, or simply a friend who is on your home network. The intercepted requests include your username and password, which can be used to access your university email, the university management system and every other university resource in your name.
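The failure described above, reproduced as an added example (this is not code from the original post, nor from the THI-App or neuland.app): a Go program, standard library only, that plays the impostor. It generates a self-signed certificate carrying the backend's hostname, the way mitmproxy or an attacker would, serves it from localhost, and then connects three clients: one that verifies certificates the way every HTTPS client should, one that has the proxy's CA deliberately installed (the debugging setup from the Discovery section), and one that skips verification entirely, which is what the app's behaviour amounts to. The login payload is a constructed stand-in; the real request format is not shown on this page, and nothing here contacts hiplan.thi.de, the name is only placed on the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	backendHost  = "hiplan.thi.de"                                 // the API host the page names
	loginRequest = "POST /login username=student&password=hunter2" // constructed stand-in; the real format is not on the page
)

type Result struct {
	Connected bool   // the TLS handshake completed
	Leaked    string // bytes the impostor received from the client
	Err       error  // handshake error, if the client refused the certificate
}

// newImpostorCert creates a self-signed certificate for the backend's hostname: what
// mitmproxy or an attacker presents to the app. The name matches, but no trusted CA signed it.
func newImpostorCert(hostname string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// attemptLogin starts an impostor TLS server on localhost, connects with the given
// client config and, if the handshake succeeds, sends the login request to it.
func attemptLogin(clientCfg *tls.Config, impostor tls.Certificate) Result {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{impostor}})
	if err != nil {
		panic(err)
	}
	got := make(chan string, 1) // what the impostor managed to read
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			got <- ""
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		buf := make([]byte, 4096)
		n, _ := conn.Read(buf) // the server-side handshake runs inside this Read
		got <- string(buf[:n])
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // handshake, incl. verification
	if err == nil {
		conn.Write([]byte(loginRequest)) // the credentials go to whoever answered
		defer conn.Close()               // stay open until the impostor has read them
	}
	ln.Close() // unblocks Accept if no client ever arrived
	return Result{Connected: err == nil, Leaked: <-got, Err: err}
}

// verifyingConfig is a correct client: chain validated against the platform trust
// store and hostname checked (Go's defaults). vulnerableConfig accepts any certificate.
func verifyingConfig() *tls.Config  { return &tls.Config{ServerName: backendHost} }
func vulnerableConfig() *tls.Config { return &tls.Config{ServerName: backendHost, InsecureSkipVerify: true} }

// proxyTrustedConfig models the deliberate debugging setup from the page: the
// proxy's CA certificate has been installed on the device as a trusted root.
func proxyTrustedConfig(proxyCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(proxyCA)
	return &tls.Config{ServerName: backendHost, RootCAs: pool}
}

func main() {
	impostor, proxyCA := newImpostorCert(backendHost)
	fmt.Printf("verifying client:   %+v\n", attemptLogin(verifyingConfig(), impostor))
	fmt.Printf("proxy CA installed: %+v\n", attemptLogin(proxyTrustedConfig(proxyCA), impostor))
	fmt.Printf("vulnerable client:  %+v\n", attemptLogin(vulnerableConfig(), impostor))
}
```

Run it with go run and compare the three lines: the verifying client fails the handshake with an unknown-authority error and sends nothing; the client with the proxy CA installed connects, which is why the certificate had to be installed for the first round of reverse engineering; the client that skips verification connects as well and hands the login to the impostor, which is the situation we found ourselves in by accident and which an attacker on the network can create on purpose. A quick check for any TLS client, not only this app, is exactly this: point it at a server with a certificate the device does not trust and see whether it refuses.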

Mitigation

On Android, an updated version of the app that fixes the vulnerability is available in the Play Store. On iOS, an update is still pending, so you should avoid using the THI-App on Wi-Fi networks shared with potential attackers. Be aware that simply opening a vulnerable version of the app while connected to an untrusted Wi-Fi network may compromise your university account, because the app may send your credentials to whoever is intercepting the connection.

Alternative clients, such as our neuland.app, are not affected.

Demonstration Video

Disclosure Timeline

  • 2021-06-10: Discovery of the vulnerability
  • 2021-06-11: Report of the vulnerability to the THI
  • 2021-06-12: THI acknowledges the vulnerability and promises an update the following week
  • 2021-06-15: Proof-of-concept exploit using ARP spoofing
  • 2021-09-02: Update with fix is released for Android in the Google Play Store
  • 2021-12-22: Vulnerability is disclosed to the public
  • Today: No update for iOS released so far