Buca di Beppo — Italian Fine Dining with an Unpatched Bug
Spaghetti, Meatballs, Marinara and Cross-Site Scripting (XSS)
Believe me, I’m not trying to earn a “restaurant hacker” reputation after having recently revealed P.F. Chang’s security flaw, but I love pasta — Buca’s penne alla vodka pasta. I therefore find it my responsibility to report anything that comes between me and my $20 cheaper pasta!
Buca di Beppo, a Planet Hollywood restaurant chain, sends out regular offers and coupons to its esteemed eClub members in the form of newsletters. These offers are served via the offers.bucadibeppo.com subdomain within the email newsletters.
Within the eclectic emails, in shades of the Italian flag and vintage art, lie a link and a barcode to access these offers.
Let’s take a look at a sample link:
https://offers.bucadibeppo.com/Coupons/XXXXX/?msg=…<Fishbowl newsletter link>...&firstname=firstname&lastname=lastname
Without paying much attention to the encoded Fishbowl Marketing (fbmta) link — it’s unrelated, it looks like Buca di Beppo’s offers subdomain is using the firstname and lastname GET parameters to populate the name on the coupon, which will appear in the red colored placeholder shown here:
And yes, these parameters are vulnerable to reflected Cross-Site Scripting (XSS) — CWE-79.
The first implication of this vulnerability, of course, is that the Firstname and Lastname can be set to anything, practically voiding the “non-transferability” provision of the coupon.
More serious implications include phishing attacks — and that is the problematic outcome which can be exploited by spammers and hackers.
Proofs of Concept (PoCs)
1. Malicious XSS Injection(s)
The following URL, when clicked, creates an alert box along with the background with the words “You’ve been hacked.” to demonstrate that the website’s DOM has been overridden and therefore the Integrity can be completely compromised — the page cannot be trusted. The malicious actor could put an “enter your email address to verify” form field there, an iframe or worse.
2. Malicious Redirections
Of course, if popups are enabled in the user’s web browser, the attacker is able to redirect the user to a phishing page of their choice, with the domain portion of the URL still looking intact.
3. Session Hijacking & Cookies!
Session IDs and tracking cookies for offers.bucadibeppo.com domains can be obtained and sent to the attacker for easy session hijacking. I’m not aware of the primary Buca di Beppo domain hosting any sensitive data (e.g. credit cards) but it remains a possibility in the near future. As of now, the “ordering” workflow is handled via a separate
Sample Cookie Data:
calltrk_referrer=https%3A//www.google.com/; calltrk_landing=https%3A//www.bucadibeppo.com/menu/dinner/; _ga=GA1.2.21XXXXX993.15XXXXXX234; _vwo_uuid_v2=DF895F798AB9C8DXXXXXXC3F0EEF07F|2173e9XXXXXX12b17ee72f89ec; rmStore=amid:4XXX2; __utmc=17XXXX98; __utmz=171340798.1529606382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); nmstat=1529606736836; _gid=GA1.2.1114072567.1529696594; _sp_id.48f6=6d1ff1fa-9998-4a0a-ad2b-f0196306c932.1528835234.4.1529704082.1529696595.e3a6ec23-06ff-4c61-acd7-6f2121683fbb; stc115049=env:1529702739%7C20180723212539%7C20180622221802%7C5%7C1045872:20190622214802|uid:1528835235666.53644404.52308464.115049.1213118440.:20190622214802|srchist:1045871%3A1%3A20180713202715%7C1045872%3A1529606470%3A20180722184110%7C1045871%3A1529607998%3A20180722190638%7C1045872%3A1529702739%3A20180723212539:20190622214802|tsa:1529702739241.1850241340.5621233.00753923185773186:20180622221802; __utma=171340798.2109460993.1528835234.1529702440.1529777219.5; __utmt=1; __utmb=1713407126.96.36.1999777219
Here are some pointers which would help remediate XSS vulnerabilities — I figured we need not reinvent the wheel ;-)
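One way to close both problems described above, the freely editable name and the reflected markup, shown as an added example that is not the site's or the author's code. The secret, the placeholder host and coupon id, the sig parameter and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
BASE = "https://offers.example.test/Coupons/DEMO/"  # placeholder host and coupon id


def name_mac(first, last):
    # MAC over both fields; the NUL separator keeps ("ab", "c") distinct from ("a", "bc").
    msg = first.encode() + b"\x00" + last.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_link(first, last):
    """Link the newsletter sender would embed: the name fields plus their MAC."""
    fields = {"firstname": first, "lastname": last, "sig": name_mac(first, last)}
    return BASE + "?" + urlencode(fields)


def render_unsafe(url):
    """The 'before': query values placed straight into markup, as the post describes."""
    q = parse_qs(urlsplit(url).query)
    return '<span class="name">%s %s</span>' % (q["firstname"][0], q["lastname"][0])


def render_safe(url):
    """Refuse names the server did not issue, then encode on output regardless."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = q.get("firstname", [""])[0]
    last = q.get("lastname", [""])[0]
    sig = q.get("sig", [""])[0]
    if not hmac.compare_digest(sig.encode(), name_mac(first, last).encode()):
        return None  # caller should answer with a generic error page
    return '<span class="name">%s</span>' % html.escape(first + " " + last, quote=True)


good = build_link("Anna", "O'Neil")  # constructed sample recipient
# Constructed tampering: the recipient swaps the last name for markup.
tampered = good.replace("lastname=O%27Neil", "lastname=%3Cu%3Eanyone%3C%2Fu%3E")

if __name__ == "__main__":
    print(render_unsafe(tampered))  # markup reaches the page unencoded
    print(render_safe(tampered))    # signature no longer matches
    print(render_safe(good))        # name shown, apostrophe encoded
```

The signature check restores non-transferability, while the output encoding is what actually stops the reflection; a restrictive Content-Security-Policy header is a sensible third layer.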
I had originally discovered the vulnerability months ago — March 17th, 2018 to be exact. However, repeated attempts to reach Buca di Beppo electronically have either failed or been unfruitful. This has been the most difficult reporting process I have ever dealt with.
The email address email@example.com and the private WHOIS contact for Buca di Beppo, firstname.lastname@example.org, both reject incoming emails from external email addresses — which, for a WHOIS email address, is very odd and even in violation of ICANN’s requirement for domain owners to maintain accurate WHOIS information.
The e-mail address email@example.com seems to be for issues related to Gift Card Purchases only and maybe for, at most, customer service inquiries. I have made an attempt to reach out to them on both March 17th, 2018 and on June 21st, 2018 — I even tweeted at them publicly. After not receiving any response from the email address and Twitter, I sent out a courtesy e-mail about the vulnerability disclosure. As such, the full disclosure is being made on Monday, June 25th, 2018.
Cattivo Buca, cattivo! I still love your Penne though.
© 2018. Akshay Sharma. All Rights Reserved.