Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP

Written by   on   in , , , , , , , , , , , , , , , ,   with 2 comments
After executing security tests against the changes behind the Google Two Factor Authentication, I came up with a serious situation.
In this particular request google allowed me to change the “next step” parameter, and I could insert any website I would like!
After reporting this issue, they told me that this was already reported internally, so It would not be valid for reward, but I got Hall of Fame anyway!

Details about the flaw:

Original link: https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1&scc=1&rm=false&osid=1&TL=AHnYQLyS15zLZZAZVOfOffY7nVH923l3UK6JSW9CP4YS7B4TRjiBSyJS38uns6KHZ6Z8z4Z8t-WGewKLoTVGUN8hMgYYXAHJwapRrNmZYIGaebn5_d23vO-KTOHFMZNBKUAPdiPZaKb2I2CFCXMLQ611QG6ThYSyjg==

This security flaw allowed any user to change the ?continue= parameter. In this case, the original link would redirect the users to https://mail.google.com/mail/ .

Malicious link: https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe&eprsic=AMkw5H1N7WAjwEmj5az8PPrL-OcQC9xur_e_f8yx9kyWEsc_OftPTFMBR4LpdJgCOkVMm-_kaPv9h0dULCcwNkXpfe6BqHDIDREMvd2CXXUI2BknlyYPp8LaxKeEeCmJoyHSi11TBErdcJhtrO67pQO4zRgqnpOo0cTasr5MRxPod5A9_KMmnkKKjaGXwKp-LEMn5-DRSsFI0fIRKRNsbSwWnwGdkCOT9HDxbb263YHTnlw9CFAomS8&authuser=0

If I change the parameter to ?continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe, and send the malicious link to the internet, users would be redirected to malicous websites/files after clicking on the "continue" button.

Check out the video to know how a basic exploitation could be so dangerous!








Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team having problems to reproduce the flaw
January 26, 2017 at 19:2 (WET Time): More Details and again, full explanation 
January 30, 2017 at 12:07 (WET Time): Response from Security Team having problems again with new details
January 30, 2017 at 12:52 (WET Time): Sent new details with youtube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team Engineer saying he could reproduce the steps sent before and asked some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice Catch! Email" 
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.



Share:

XSS - Santander Totta Portal (2014) - Full Disclosure

Written by   on   in , , , , , , , , , , , ,   with 3 comments
Back in 2014 I found a serious XSS vulnerability at Santander Totta Portal. This flaw allowed attackers to create high phishing schemes and highjack bank accounts.
At the time of reporting this issue, Santander Totta ignored the problem, for months, after Portuguese social media confront them with this situation. Exame Informatica and Visão published articles calling their attention for the problem that was fixed right after. 
Today I fully disclose this situation, as it won’t bring any problems to the bank, as they changed their platform.

This is a lesson to all the companies who receive free reports every day. Do not ignore the reports you receive from researchers. They dedicate their free time to protect the internet at no cost. If you don’t know what to do, reply to them and ask for help, they will certainly redirect you to competent services.

You can watch this vulnerability being exploited on the video bellow. Sorry for the bad quality.



Share: