Account takeover due to CSRF in "Account details" option on █████████
State Resolved (Closed)
Disclosed publicly 2019-01-11T13:02:29.557Z
Reported To
Weakness Cross-Site Request Forgery (CSRF)
Bounty
Timeline
submitted a report to U.S. Dept Of Defense.
2018-09-15T14:41:48.657Z

Summary:
Hi DoD team,
Similarly to the previous CSRF that I've reported, I've found another CSRF on the same domain, but in the Account details option.

Description:
The CSRF issue allows me to modify the data of every victim that is targeted using the CSRF file, leading to account takeover simply by setting my email as the victim's email: after logging out I can recover the password of the affected account using the attacker email that has replaced the victim email.

Step-by-step Reproduction Instructions

  1. Log in as the victim and check your info in the account details
  2. Open the malicious CSRF file {F346689}
  3. Recheck the info: now the email is different (also the username) {F346690}

(In the video the @ char is replaced with %40 (the URL-encoded version of the @ char), but this is due to a problem in the CSRF value; simply replacing %40 with @ in the email parameter, the @ char appears.)

For account takeover now:

  1. Go into anonymous mode (now you're the attacker, who has no access to the accounts)
  2. The victim has opened the CSRF file, so your email is set in the victim's account
  3. Go to the login page and request the Forgot password option, entering the email used to replace the victim's one
  4. You obtain a link to reset the password (I've not made a video, but if you can't reproduce the steps I can make one for these steps as well :))

Suggested Mitigation/Remediation Actions
Use captchas and CSRF tokens to be sure that the victim is changing the data knowingly.

Impact

The ██████████████████ShopCart has a POST CSRF issue in the account details as well, which can lead to account takeover by replacing the email of the victim with the email of the attacker and requesting a new password using the Forgot password option.

Regards,
Frans

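The remediation the report asks for is a per-session CSRF token on the account-details POST. The following is an added illustration of that check, not code from the report or from the affected site: a minimal handler with constructed in-memory session and user stores (the names `SESSIONS`, `USERS`, `open_session`, `render_account_form` and `update_account_details` are assumptions for this example). The token is generated server-side, bound to the session, embedded only in the form the legitimate page serves, and compared in constant time on every update; a cross-site POST carries the session cookie but cannot carry the token, so it is refused before any field is written. The body is parsed with `parse_qs`, which also shows why `%40` in a URL-encoded body arrives at the server as `@`.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory stores standing in for the site's session and user
# storage (assumptions for this example, not the real application's).
SESSIONS = {}   # session_id -> {"user": str, "csrf_token": str}
USERS = {"victim": {"email": "victim@example.invalid", "username": "victim"}}


def open_session(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_account_form(sid):
    """Serve the account-details form with the session's token embedded.

    A page on another origin cannot read this response, so a forged POST
    from that origin has no way to include the correct token.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/account/details">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><input name="username"></form>'
    )


def update_account_details(sid, body):
    """Handle the account-details POST. Returns (http_status, message).

    The vulnerable handler described in the report is this function without
    the token comparison: it trusted the session cookie alone.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # parse_qs percent-decodes values, so an email sent as a%40b.c is a@b.c.
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    submitted = fields.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session;
    # bytes are compared so a non-ASCII submission cannot raise instead of fail.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    user = USERS[session["user"]]
    if "email" in fields:
        user["email"] = fields["email"]
    if "username" in fields:
        user["username"] = fields["username"]
    return 200, "account details updated"


if __name__ == "__main__":
    sid = open_session("victim")
    # A cross-site POST: the cookie is attached by the browser, the token is absent.
    print(update_account_details(sid, "email=other%40example.invalid"))
    # The legitimate form submission, token taken from the served page.
    tok = SESSIONS[sid]["csrf_token"]
    print(update_account_details(sid, f"csrf_token={tok}&email=new%40example.invalid"))
    print(USERS["victim"])
```

Rejecting the request before touching any field matters: the report's account-takeover chain depends on the email being written first and the password reset following, so the token check must sit in front of the write rather than after it. Setting the session cookie with `SameSite=Lax` or `Strict` is a reasonable second layer, but it does not replace the token.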
Activities::Comment
2018-09-15T14:41:49.283Z
Greetings from the Department of Defense (DoD), Thank you for supporting the DoD Vulnerability Disclosure Program (VDP). By submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense. The VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action. We will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action. Our goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved. Regards, The VDP Team


mik317 Activities::Comment
2018-09-15T15:12:29.957Z
Complete video PoC: {F346717} CSRF form file used for the PoC : {F346716}


ag3nt-z3 Activities::ReportSeverityUpdated
2018-09-18T15:38:14.440Z


ag3nt-z3 Activities::BugTriaged
2018-09-18T15:38:26.015Z
Greetings, We have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution. Thank you for bringing this vulnerability to our attention! We will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability. You will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know. Thanks again for supporting the DoD Vulnerability Disclosure Program. Regards, The VDP Team


ag3nt-z3 Activities::ReportSeverityUpdated
2018-09-18T15:38:27.358Z


ag3nt-j1 Activities::BugResolved
2018-12-17T17:06:50.945Z
Good news! The vulnerability you reported has been resolved and this report is now closed. If you have any further questions or disagree that the report is resolved, please let us know. Thank you for your time and effort to improve the security of the DoD information network. Regards, The VDP Team


mik317 Activities::AgreedOnGoingPublic
2018-12-30T19:18:13.378Z
Can we disclose partially (only the title or just a simple description)? Regards, Mik


mik317 Activities::Comment
2019-01-03T10:51:44.192Z
Hi @ag3nt-j1, @ag3nt-z3 and @ag3nt-s21, happy new year and hope it's a better one :) Can we disclose (partially) some of my reports? Best, Mik


agent-1 Activities::Comment
2019-01-04T18:32:30.883Z
Mik, The following message is approved for public disclosure: A cross-site request forgery (CSRF) vulnerability was found on a Department of Defense (DoD) website which could allow an unauthorized account takeover. mik317 was able to demonstrate this vulnerability by setting the email as that of the victim using the CSRF file. Thank you for the disclosure of this vulnerability, and helping us increase the security of our website! Do you have a Twitter handle that we can tweet out a thanks to? @DC3VDP


mik317 Activities::Comment
2019-01-04T18:40:45.238Z
Hi @agent-1, happy new year and nice to meet you :) The message is perfect, like this program. No, I don't have any social media; for me the best thanks is to see these reports resolved :) Perhaps, if you could send me an email with the same text that you send on Twitter, I would really appreciate it. (If possible, my email is [email protected] ) Best, Mik


agent-1 Activities::Comment
2019-01-04T18:49:15.621Z
Thanks Mik. It is nice to meet you as well. I gave you a shout-out anyway. https://twitter.com/DC3VDP/status/1081260229889835008 Keep up the great work! DC3 VDP Team


ag3nt-s21 Activities::Comment
2019-01-04T18:52:32.731Z
@mik317 Congrats on being our 1st researcher shoutout Tweet!! Keep bringing us those High and Critical vulns!


mik317 Activities::Comment
2019-01-04T18:57:47.220Z
Thank you so much ;) Best, Mik


mik317 Activities::Comment
2019-01-04T18:59:58.990Z
Can we also disclose partially on this platform (HackerOne)? Best, Mik


ag3nt-j1 Activities::Comment
2019-01-04T19:23:34.003Z
Hey Mik, I'm going to be playing around with trying to redact and disclose the report. If you see it come in and out of disclosure, don't panic; I'm trying to figure out how this thing works.


mik317 Activities::Comment
2019-01-04T20:09:27.108Z
Thank you so much, and excuse me if I waste your time with this stuff, but it's probably one of the best I've found :) If you have any doubt, I'm here to help you (more or less I know how it works). Cheers, Mik


ag3nt-j1 Activities::Comment
2019-01-04T20:39:57.773Z
All good Mik, we appreciate all the work and effort. I put in a request to H1 for a little more detail on what to expect when I publish this out as disclosed. Might be beginning of next week before I can publish this to you as I wait for a response.


mik317 Activities::Comment
2019-01-04T21:34:51.039Z
Thank you so much :) Regards, Mik


ag3nt-j1 Activities::AgreedOnGoingPublic
2019-01-11T13:02:29.517Z


ag3nt-j1 Activities::ReportBecamePublic
2019-01-11T13:02:29.581Z


mik317 Activities::Comment
2019-01-11T13:16:25.510Z
Thank you so much @ag3nt-j1, @ag3nt-s21, @ag3nt-z3 and @agent-1. Always the best :) Hope you have a good year ;) Regards, Mik