CSRF account takeover in a company worth $1B

Sites that do not implement anti-CSRF tokens are easy to exploit, right? But it is surprising when a company once worth half of Instagram does not protect its 3.2M customer accounts, which is why we are explaining the simple exploitation. CSRF (Cross-site request forgery) is a vulnerability that tricks the user into submitting a malicious request when the site's forms carry no anti-CSRF token. When implemented, your website https://vulnerables.com includes a randomly generated number or token on every page; the attacker cannot guess it, and https://vulnerables.com includes it only when it serves the page to you. It differs each time any page is served to anybody, so the attacker cannot forge a valid request because the token will be wrong.


Vulnerability: CSRF/XSRF (Cross site request forgery)
Severity: Critical
OWASP test ID: OTG-SESS-005

Cross site request forgery (Unpatched)

  • The target is https://www.shutterfly.com
  • Create two accounts, csrfattacker (Mozilla) and csrfvictim (Chrome), or you can also test it with one account.
  • After logging in to both accounts in different browsers, go to account settings and click on Edit in Mozilla.
  • Open any web proxy tool to intercept the profile-change request, which you can see below.
Request
  • We can exploit the form both ways, manual or automated, but we'll show you the automated exploitation with Burp.
  • Right-click on the request, select Engagement tools and click on 'Generate PoC request'. Copy the HTML here and save it as csrf.html.
Exploit
  • Change the email ID in the HTML if you want a takeover via email; you can use the password too for the takeover. If you're trying to exploit manually you can just use one 'email' field (mandatory (*) fields are needed; the rest you can delete) and replay the request.
  • In a new tab in Chrome open csrf.html and click on Submit request, and you'll get the victim's account with the email/password; to cross-verify you can refresh the first tab.
  • To prevent password account takeover, simply add a mandatory 'Enter old password:' field → with this the attacker won't be able to guess the old password, so his/her CSRF exploit won't work even if no anti-CSRF token is used. (Only for password CSRFs)
  • Have a look at the video PoC.
PoC
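What the fix on the server side looks like, as an added example that is not Shutterfly's code or part of the original post: a per-session synchronizer token checked in constant time on the profile-edit POST, plus the 'Enter old password' requirement from the list above for password changes. Session storage, field names and the password hashing are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def _hash_pw(salt: str, password: str) -> str:
    # Constructed for the demo; a real deployment would use its password-hash library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_session(email: str, password: str) -> dict:
    """Constructed sample server-side session for a logged-in user."""
    salt = secrets.token_hex(8)
    return {"email": email, "salt": salt, "password_hash": _hash_pw(salt, password)}


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token when rendering the edit form; the server
    embeds it as a hidden field, so a page on another origin cannot know its value."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted hidden field with the session copy."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def password_matches(session: dict, candidate) -> bool:
    if not isinstance(candidate, str):
        return False
    return hmac.compare_digest(session["password_hash"], _hash_pw(session["salt"], candidate))


def handle_profile_update(session: dict, form: dict) -> tuple:
    """Process the profile-edit POST (hypothetical handler). Returns (status, reason)."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"  # the forged csrf.html lands here
    # A password change additionally needs the current password, so a cross-site
    # form that somehow obtained the token still cannot set a new one.
    if "new_password" in form and not password_matches(session, form.get("old_password")):
        return 403, "current password required to change the password"
    if "email" in form:
        session["email"] = form["email"]
    if "new_password" in form:
        session["password_hash"] = _hash_pw(session["salt"], form["new_password"])
    return 200, "profile updated"
```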

21-Sep-2018 → Bug Reported

25-Sep-2018 → Bug Triaged

29-Sep-2018 → Bug Fixed

Have a happy hunting 😃