Just a quick one as I found this interesting. Corsair have this nifty little automated web page they send you when you need to return something to them that gives you a form with their address and a barcode on, as well as your return address.
Judging by the formation of the URL, it’s pretty easy to work out its structure:
That seems fine, but I was curious as to what happened if I were to run the request without the “n” parameter?
Ah, we get our form, but no personal information in the top left. Okay, one last go, what if we set “n” to any random string, let’s say for example, “sansisthebestundertalecharacter”.
Uh oh… so it seems, whilst it will not work sans the “n” parameter (undertale pun intended), it will happily give us the info request just with the n parameter set.
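To make the flaw concrete, here is an added example (my own illustration, not Corsair’s code) contrasting a lookup that only checks whether “n” is present, as described above, with one where “n” is an HMAC bound to the ticket number. The function and variable names, the secret and the sample records are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed server-side secret; a real service would load it from config.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed stand-in for the records behind the form: ticket number -> address.
RMA_DB = {
    1000001: "A. Customer, 1 Example Street, Exampletown",
    1000002: "B. Customer, 2 Sample Road, Sampleville",
}


def vulnerable_lookup(ticket, n):
    """Mirrors the behaviour in the post: the address is returned whenever
    *any* value for 'n' is supplied, so 'n' is a presence check, not a secret."""
    address = RMA_DB.get(ticket)
    if address is None:
        return None
    if n is None:
        return {"ticket": ticket, "address": None}
    return {"ticket": ticket, "address": address}


def issue_token(ticket):
    """Hypothetical hardened design: 'n' is an HMAC over the ticket number,
    so it cannot be guessed and a token for one ticket is useless for another."""
    return hmac.new(SERVER_SECRET, str(ticket).encode(), hashlib.sha256).hexdigest()


def hardened_lookup(ticket, n):
    """Only release the address when 'n' is the token derived for this ticket."""
    address = RMA_DB.get(ticket)
    if address is None or n is None:
        return None
    # Constant-time comparison against the expected token for *this* ticket.
    if not hmac.compare_digest(issue_token(ticket), n):
        return None
    return {"ticket": ticket, "address": address}
```

The hardened variant also gives you something to alert on: a run of failed token checks across sequential ticket numbers is exactly the enumeration pattern described in this post.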
So all it takes is a little python scripting, and you can make a hacky little script like this to iterate through ticket numbers in a similar range and try to dump the addresses:
As you can see from the small sample provided, it isn’t hard to rip the database, and given I ripped ~300 addresses successfully in 5 minutes or so, I could end up with a ton of data given enough time. Or you could say, a skele-ton. :>
You can find my Python script (corsair.py) here. When testing it initially it did seem to give database errors occasionally from Oracle, so I might need to tweak how many connections the AsyncHTTPClient is making… This has been reported to Corsair who…
January 22nd — First discovered and attempted to contact Corsair.
January 28th — First informed Corsair of vulnerability.
February 9th — Got in touch with GloriousGe0rge thanks to the /r/PCMasterRace moderators (shout out to these guys!)
February 9th (2 hours later) — It’s fixed! Shout outs to Corsair for having possibly the fastest bug response time I’ve ever seen. Big shouts to GloriousGe0rge as well for contacting me so quickly and treating it very seriously and professionally.
Hope you enjoyed the read :) Any questions about how it worked I may have left vague, feel free to shoot me up on Twitter (@rubiimeow) or in the comments here!