on behalf of any logged-in user.
Hmm, it seems interesting but still not exploitable, as there is no way for an attacker to get the “Auth” value from a victim session.
2- Bypassing the CSRF Auth System:
The CSRF Auth verifies every single request of that user. So what if an attacker who is “not logged in” tries to make a “send money” request? PayPal will then ask the attacker to provide his email and password. The attacker will provide the “Victim Email” and ANY password, then capture the request. The request will contain a valid CSRF Auth token which is reusable and can authorise this specific user's requests. Upon further investigation, we have found out that an attacker can obtain a CSRF Auth which is valid for ALL users by intercepting the POST request from a page that provides an Auth token before the logging-in process; check this page for the magical CSRF Auth: “https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money”. At this point the attacker can CSRF “almost” any request on behalf of this user.
The application generates a valid "Auth" token for a logged-out user!
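The flaw described above (an "Auth" value handed out before login, reusable, and accepted for any user) comes down to a token that is not bound to an authenticated session. The sketch below is an added example, not PayPal's code or the author's; every function name and the in-memory token pool are hypothetical. It puts a check with that weakness beside one that binds the token to the session with an HMAC.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process secret (assumption)
ISSUED = set()                         # weak design: one global pool of tokens

def weak_issue():
    """Flawed: the token is not tied to any session or user."""
    token = secrets.token_hex(16)
    ISSUED.add(token)
    return token

def weak_verify(token):
    """Flawed: any token ever issued is accepted, for anyone, repeatedly."""
    return token in ISSUED

def new_session_id():
    """Fresh random session id; generate a new one at login to rotate it."""
    return secrets.token_hex(16)

def issue(session_id):
    """Hardened: the token is an HMAC over the session it was issued to."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify(session_id, token, authenticated):
    """Accept only on an authenticated session, and only that session's token."""
    if not authenticated:
        return False
    return hmac.compare_digest(issue(session_id), token)

def demo():
    anon = new_session_id()            # visitor's logged-out session
    victim = new_session_id()          # victim's session, rotated at login
    pre_login = weak_issue()           # token handed out on a pre-login page
    return {
        "weak_accepts_pre_login_token": weak_verify(pre_login),
        "hardened_rejects_other_session": not verify(victim, issue(anon), True),
        "hardened_rejects_logged_out": not verify(anon, issue(anon), False),
        "hardened_accepts_own_token": verify(victim, issue(victim), True),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The hardened token is per session, not per request, so state-changing actions such as changing security questions still need their own re-authentication step.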
Through examination of the password change process, I have found that an attacker can NOT change the victim's password without answering the security questions set by the user. Also, the user himself can NOT change the security questions without entering the password!
3- Bypassing the Security Questions Change:
The initial process of “setting” security questions is not password protected and is reusable
After further investigation, I have noticed that the request for setting up the security questions, “which is initiated by the user while signing up”, is not password-protected, and it can be reused to reset the security questions without providing the password. Hence, armed with the CSRF Auth, an attacker can CSRF this process too and change the victim’s security questions.

At this point, an attacker can conduct a targeted CSRF attack against a PayPal user and take full control over his account. Hence, an attacker can CSRF all the requests, including but not limited to:
1- Add/Remove/Confirm Email address
2- Add fully privileged users to business account
3- Change Security questions
4- Change Billing/Shipping Address
5- Change Payment methods
6- Change user settings (Notifications/Mobile settings) ... and more.
To automate the whole process, I have coded a Python interactive server to demonstrate how an attacker can exploit this vulnerability in a real-life attack scenario.
2015
08.04
Microsoft-careers.com Remote Password Reset
Category: Security / Tag: Bug Bounty, Microsoft Security
Today I am going to share this interesting vulnerability which allowed me to change the passwords of all Microsoft Careers users. Microsoft-careers.com is the official Microsoft recruiting website where millions of people around the world have their CVs uploaded. As a job seeker :), I registered and uploaded my resume there. A month later, I tried to log in to my account but, as usual, I forgot my password :( I went to the “Forget my password” page and entered my email. I checked my email and found a message including this reset password link (https://www.microsoft-careers.com/reset/ED504CCE-5056-9214-016F355013806D75/). After clicking the link, I was presented with a page where I should enter my new password. Hmmmmm.. I fired up Burpsuite and intercepted the request, which looked like this:
[Screenshot: Microsoft-careers hacked]
As we can see in this POST request, the (id) value is being sent with the request, with no authorisation key. So I changed the ID value to the ID of my test account, and YES, I could change my test account password :). Imagine if we made a small Python code to automate this process: we could change the passwords of all users within hours. After reporting this vulnerability to Microsoft, they patched it and added my name to their Wall of Fame