Sunday, March 30, 2014

How I was able to Read & Download Paypals X.com Users Private Email Attachments

Paypal's X.com Failure to Restrict URL Access Vulnerability
I want to share one of my findings on Paypal's X.com, which I reported to them on 3 January 2013.


I found that the following Paypal X.com URL, https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt, was vulnerable to Failure to Restrict URL Access: the email attachment URL could be opened without login or authentication, and there was no authorization check or other control to prevent this.


Steps to Reproduce the Vulnerability:

1. Create two X.com user accounts for testing, so that the vulnerability can be reproduced.

2. Using the 1st (ajaysinghnegi01) account, I composed an email message with the compose feature, attached a file named failure to restrict url vul for any attachments.txt, and sent that mail to the 2nd (ajaysinghnegi02) account.

3. The 2nd user can open the attached file by logging into his account and checking the received email's attachment, which is served from the following URL: https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt.

4. The path https://www.x.com/sites/default/files/ is the same for every user's email attachments, so the attacker crafts the URL from https://www.x.com/sites/default/files/ to https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt by appending the file name with its extension and replacing each space with an underscore (_). In this way he successfully crafted the unrestricted URL https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt to access any other X.com user's attachments without logging in.

Failure to Restrict vulnerable URL (to reproduce this vulnerability, open this URL in any browser without logging in):

https://www.x.com/sites/default/files/failure_to_restrict_url_vul_for_any_attachments.txt

Impact: Using this Failure to Restrict URL Access vulnerability, an attacker could easily read and download any private email attachment without logging in; every X.com user was exposed to this attack.

Recommendation:

The authentication and authorization policies should be role based, to minimize the effort required to maintain them.

The policies should be highly configurable, in order to minimize any hard coded aspects of the policy.

The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.

If the page is part of a workflow, check that the workflow is in the proper state before allowing access.
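The deny-by-default rule above, applied to an attachment download handler, as an added example that is not code from the original post or from X.com. It assumes an in-memory message store (constructed sample data), and it serves attachments by an opaque id tied to a message rather than by a guessable file name under a shared public path, so that the check is made against the logged-in user on every request.

```python
import secrets

# Constructed sample data for the example: attachments are stored under opaque ids
# and linked to the message they belong to, not under a guessable file name in a
# shared public directory such as /sites/default/files/.
MESSAGES = {
    "msg-1": {"sender": "ajaysinghnegi01", "recipients": {"ajaysinghnegi02"}},
}
ATTACHMENTS = {
    "att-9Kq2xLw3": {"message_id": "msg-1",
                     "file_name": "failure to restrict url vul for any attachments.txt"},
}


def new_attachment_id():
    """Unguessable id for a newly stored attachment. This is defence in depth;
    the authorization check below is what actually protects the file."""
    return "att-" + secrets.token_urlsafe(16)


def can_access_attachment(user, attachment_id):
    """Deny by default: only the sender and the recipients of the message
    that owns the attachment may read it. Every other path returns False."""
    if user is None:
        return False                      # unauthenticated requests never pass
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return False                      # unknown id: same answer as forbidden
    msg = MESSAGES.get(att["message_id"])
    if msg is None:
        return False
    return user == msg["sender"] or user in msg["recipients"]


def serve_attachment(session_user, attachment_id):
    """Download handler. Returns (http_status, body); the file is looked up
    only after the authentication and authorization checks have passed."""
    if session_user is None:
        return (401, "login required")
    if not can_access_attachment(session_user, attachment_id):
        return (403, "forbidden")
    return (200, ATTACHMENTS[attachment_id]["file_name"])
```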

The vulnerability was fixed by the Paypal Security Team within 3 days.

So in this way I was able to read and download Paypal's X.com users' private email attachments; the same approach can be used to find this type of vulnerability on other websites.

Suggestions and feedback are welcome.

Thursday, March 6, 2014

Account Takeover Using Password Reset Vulnerability

Account Takeover Using Password Reset Functionality
While researching and working on bug bounties, I found that by using the password reset functionality, token and link, we can take over every user account on a website if that site is vulnerable to this type of attack.

Using this vulnerability, the attacker can replace the email md5 hash in the link with any victim's email md5 hash to change that victim's password, and in this way he can reset the passwords of all accounts and compromise them, because the password reset link sent to the user includes the md5 hash of the email address and the password reset token can be reused for other users.


Steps to Execute the Attack:

There is a precondition: the attacker must know the md5 hash value of the victim's email id.


Attacker's Email ID: attackeremailid@gmail.com and his password reset link:
http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t2102fadb4bd021805624f06ea4c8e4d38


The 1st part of the password reset URL, before the '/', is the password reset token, and the second part is the md5 hash of the user's email id. In that second part the first 28 characters (74q55426l4q5u5m5c4s5l5m5n5t2) are the same for every user's email id, while the remaining characters differ for each user, as they are the md5 hash of the user's email id. So the attacker can decrypt the email hash values easily using online md5 encrypters and decrypters such as http://md5decryption.com; some websites also use base64 encoding (or other encodings), which can likewise be decoded easily using online base64 encoders and decoders such as http://ostermiller.org/calc/encode.html.


Attacker's Email ID: attackeremailid@gmail.com md5 hash value:
102fadb4bd021805624f06ea4c8e4d38


Victim's Email ID: victimemailid@gmail.com md5 hash value:
05ebb8fb6ec39f50d33e19cd5719084d


First 28 characters, which are the same for every user's email id hash:
74q55426l4q5u5m5c4s5l5m5n5t2


Crafted URL to reset the password of the victim's email ID (i.e. account) victimemailid@gmail.com:

http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t205ebb8fb6ec39f50d33e19cd5719084d

So in this way the attacker can take over any user's account.

Impact: 

The token generated for the reset link is not re-checked against the account it was issued for, and no validation is done on the associated emailID field, allowing an attacker to change that value to the md5 hash of a known email address and reset that user's password. This provides a trivial route for an attacker to gain access to accounts or to cause a denial of service to users of the application.



Recommendation: 

Input from the user should be treated as untrusted and re-validated when it reaches the server. The recommended approach is to generate a one-time random token that is linked to the user account; this token is passed in the link instead of the email ID hash value, and it expires once the password has been reset. Additionally, ensure that if the identifier is not passed at all, the request does not default to updating every account.
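The recommended design above carried through in code, as an added example that is not from the original post or from the site tested: the reset link carries only a random token, the token is bound server-side to one account, it is single-use and expiring, and anything the client appends to the URL (such as an email hash) is ignored. The user table, the time handling via a `now` parameter and the in-memory token store are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed user table for the example (a hypothetical site, not the one tested above).
USERS = {"u1": "attackeremailid@gmail.com", "u2": "victimemailid@gmail.com"}
PASSWORDS = {}          # user_id -> (salt, pbkdf2 hash)
RESET_TOKENS = {}       # sha256(token) -> {"user_id": ..., "expires": ...}
TOKEN_TTL = 15 * 60     # seconds a reset link stays valid


def _token_key(token):
    # Only a hash of the token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a random one-time token bound server-side to user_id.
    The emailed link carries only this token, never an email hash."""
    if user_id not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "user_id": user_id,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL,
    }
    return token


def reset_password(token, new_password, now=None, client_identifier=None):
    """Return the user_id whose password was reset, or None on failure.
    The target account comes from the stored token record; client_identifier
    (whatever the client put in the URL) is deliberately ignored, and the token
    is consumed on first use whether or not it turns out to be valid."""
    record = RESET_TOKENS.pop(_token_key(token), None)
    if record is None:
        return None
    if (now if now is not None else time.time()) > record["expires"]:
        return None
    salt = secrets.token_bytes(16)
    PASSWORDS[record["user_id"]] = (
        salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return record["user_id"]


def check_password(user_id, password):
    """Constant-time comparison against the stored PBKDF2 hash."""
    salt, stored = PASSWORDS[user_id]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, stored)
```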


So in this way one can take over victims' accounts using the password reset functionality, token and link; the same approach can be used to find this type of vulnerability on other websites.


Suggestions and feedback are welcome.