Yesterday I told you about WP Bench being spoofed. Today I received a response to my ‘Red Alert’, and the developer Robert Varga had this to say about the issue I raised…
I’ve contacted Microsoft to ask if there’s any possibility to check whether the device is locked or not (that’s the only info I could use for a “trust/or not” decision when writing the data to the database). But, you know, Tango is coming and it could again bring some more security.
We’ll see! :-)
Thank you very much for the red alert, I’ve deleted the junk. Hopefully Microsoft will provide me some idea about the question I’ve mentioned on top.
(edited to remove comments that may identify the vulnerability)
So with any luck Robert will get an idea that assists in detecting possibly spoofed DeviceIDs, letting us be more confident in the results displayed. I will be working with Robert Varga to detect such DeviceID spoofs in future, and I will keep you posted on any further developments.
Yesterday’s iPhone 5 appearance created a lot of buzz. I just saw that 1800pocketpc also managed to spoof the database. I ain’t sure, but I guess an unlocked device can manipulate the data (device name and ID) and send it to the WP Bench database. Are the Occasional Gamer database and the I’m WP7 database prone to a similar vulnerability?
It was that exact record that started my spoofing attempts.
iPhones cannot run the WP Bench app, and therefore the record had to have been manipulated.
When a large number of handset records popped up within hours (Nokia XXX, Nokia 930, iPhone 4s, etc.), it was clear there was a vulnerability. I’m glad the developer now knows about the hole and is making every effort to fix it.
Yes. I was the first (I suppose) to notice the same. An iPhone cannot run a .XAP file. This also puts a huge question mark over the reliability of such data. I know WP Bench and Occasional Gamer data have provided good insight in the past, but the same can’t be said now.
Yes, I also posted the same under the ‘rumor’ category ;)
I am working with the developer to identify ‘possibly spoofed DeviceIDs’ by checking if the handset is developer locked before writing to the database.
If the device is locked, the data is accurate and goes straight into the db.
If the device is unlocked, the data ‘may’ have been manipulated and therefore goes into an ‘approval necessary’ list for an admin to confirm/deny the record.
This way we can rely more on the data held in the WP Bench database, which makes it easier to report when new handsets are found.
We always treated the data as ‘unconfirmed’ or ‘rumor’ until the manufacturer puts out a press release.
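The two-tier ingestion described in the comment above, written out as an added example. This is not WP Bench’s code; the `Submission` fields, the `BenchmarkStore` class and the sample records are all assumptions made here, and the `developer_unlocked` flag stands in for whatever lock-state check Microsoft ends up providing.

```python
"""Trust-tiered ingestion for benchmark submissions (added example, not WP Bench code).

Records from developer-locked handsets are written straight to the confirmed set;
records from unlocked handsets are parked in an approval queue until an admin
confirms or denies them. Only confirmed records are ever shown publicly.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Submission:
    device_id: str          # assumed field: the DeviceID the client reports
    device_name: str        # assumed field: the handset name the client reports
    score: int              # assumed field: the benchmark result
    developer_unlocked: bool  # assumed field: lock state of the handset


@dataclass
class BenchmarkStore:
    confirmed: List[Submission] = field(default_factory=list)
    pending: Dict[int, Submission] = field(default_factory=dict)  # ticket -> record
    _next_ticket: int = 0

    def submit(self, s: Submission) -> str:
        """Route a submission: locked handset -> confirmed, unlocked -> approval queue."""
        if not s.developer_unlocked:
            self.confirmed.append(s)
            return "confirmed"
        self._next_ticket += 1
        self.pending[self._next_ticket] = s
        return f"pending:{self._next_ticket}"

    def review(self, ticket: int, approve: bool) -> bool:
        """Admin decision on a queued record. Returns False for an unknown ticket."""
        s = self.pending.pop(ticket, None)
        if s is None:
            return False
        if approve:
            self.confirmed.append(s)
        return True

    def public_results(self) -> List[str]:
        """Only confirmed records are reported; queued ones stay out of view."""
        return [f"{s.device_name} ({s.device_id}): {s.score}" for s in self.confirmed]


def demo() -> BenchmarkStore:
    """Constructed sample run: one locked handset, one unlocked handset claiming to be an iPhone."""
    store = BenchmarkStore()
    store.submit(Submission("DEV-LOCKED-001", "Nokia Lumia 800", 92, developer_unlocked=False))
    status = store.submit(Submission("DEV-UNLOCKED-002", "iPhone 5", 200, developer_unlocked=True))
    ticket = int(status.split(":")[1])
    # An iPhone cannot run the app, so the admin denies the queued record.
    store.review(ticket, approve=False)
    return store


if __name__ == "__main__":
    for line in demo().public_results():
        print(line)
```

The gate is only as good as the lock-state signal it reads: here `developer_unlocked` arrives with the submission, which is exactly the kind of client-reported data the spoofed records already manipulated. That is why the developer’s question to Microsoft (whether the platform itself can tell the server if a device is locked) matters more than the routing logic.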