[Critical] Bypass CSRF protection on IBM
What is CSRF attack?
CSRF is an attack that tricks the victim to send a malicious request this request can change the victim information like Email, Username, Passwords and etc…
What did I found on IBM?
when trying to change my email on my test account I notice that the website change it by using a GET request
( https://www.ibm.com/ibmweb/myibm/account/sendmail?locale=us-en&email=NEW_EMAIL )
this link used to change the email so I didn’t notice any CSRF token to protect the website from the CSRF attack I try to exploit it but it’s not worked because of the website check the Referer Header :( I was like:
but I tried more and after a few hours I found a Bypass to this protection when I change the Referer Header value it returned an error but when I use this value it returned true
( https://www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp )
so I tried to spoof this protection and I found a bypass by using this URL
( http://my_website/www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp.php )
what I did is make the valid URL as a path on my website so now the request will be sent from ( profile-edit.jsp.php )to the IBM website to change the email when I try this method it worked I was like:
So now I can steal the accounts of IBM users by just visit my website :P.
Report Sent: Sep 14th
Triaged on: Sep 28th
Solved on: Oct 8th
I hope that this topic helped someone and I want to thank @zseano for helping me.