Thursday, 28 July 2016

How I made Microsoft remove shortened links for OneDrive documents.

In the name of Allah the beneficent the Merciful.

 

A few months ago I found a vulnerability in Microsoft's OneDrive where I could derive the editable link for a document from its "view only" link.

Proof of concept steps:
1) Log in as the victim in browser A and go to onedrive.live.com.
2) Upload any document or file, then open it at a URL like this:
https://onedrive.live.com/view.aspx?cid=0cf9bc876832caee&page=view&resid=CF9BC876832CAEE!106&parId=CF9BC876832CAEE!103&app=Word

3) Open Share and create two links:
  a) an edit link
  b) a view-only link

4) Shorten both links using the "Shorten link" hyperlink next to the edit link and the view-only link.
5) You will see shortened links in this format:
View only:
http://1drv.ms/1pFlbbq

Edit:
http://1drv.ms/1pFl93x

6) Notice that the only difference between the two URLs is the last 3 characters.
7) Now give the view-only link to the attacker.
8) The attacker uses the view-only link and can predict the last 3 characters.

Hence it was possible to escalate privileges: the attacker ends up with the editable link for the document.

Note: the characters in (http://1drv.ms/1pFlbbq) were a combination of a-z, A-Z and 0-9 only,
so it was not difficult for an attacker to predict them.
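An added example, not from the post or from Microsoft, that puts numbers on the observation in steps 6 to 8 and shows the property a fixed shortener needs: the two sample codes and the a-z/A-Z/0-9 alphabet are the post's, the function names are mine, and the audit helper generalises the pairwise check to any batch of issued codes.

```python
import secrets
import string

# Alphabet the post describes for 1drv.ms codes: a-z, A-Z, 0-9 (62 symbols)
ALPHABET = string.ascii_letters + string.digits


def common_prefix_len(a, b):
    """Number of leading characters two short codes share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def guess_space(view_code, edit_code, alphabet=ALPHABET):
    """Candidates someone holding view_code must try to reach edit_code when
    the two share a prefix: |alphabet| ** (number of unshared characters).
    With the post's codes only 3 of 7 characters differ: 62**3 = 238328."""
    unshared = len(edit_code) - common_prefix_len(view_code, edit_code)
    return len(alphabet) ** unshared


def independent_code(length=7, alphabet=ALPHABET):
    """Mitigation: draw every code from a CSPRNG, independently of any other
    code for the same file, so the view link reveals nothing about the edit
    link and a guess has to cover the full 62**7 space."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def correlated_pairs(codes, threshold=4):
    """Audit helper for a batch of issued codes: pairs sharing at least
    `threshold` leading characters suggest sequential or derived generation."""
    found = []
    for i in range(len(codes)):
        for j in range(i + 1, len(codes)):
            if common_prefix_len(codes[i], codes[j]) >= threshold:
                found.append((codes[i], codes[j]))
    return found
```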


Microsoft accepted the bug as valid and fixed the issue by completely removing shortened links. You can no longer shorten OneDrive links. Microsoft also acknowledged me as a security researcher for reporting the bug.

I am very happy to have helped protect the privacy of Microsoft users' data.


Thanks for Reading
Jai Hind  :) 
Contact info:
facebook: facebook.com/haji.mohd871
twitter: @mohdhaji24
linkedin: linkedin.com/in/mohd-haji-490960a0


Microsoft user data privacy exposed -- adding any Microsoft user as a family member and tracking their information

In the name of Allah the beneficent the Merciful.

 

A few months ago I discovered a CSRF issue in Microsoft's family management feature which could have let me add any Microsoft user as a family member and then track their information.

This was a serious issue in https://account.microsoft.com/family#/.
With this bug I could have made the victim accept a family member invitation.

Proof of concept steps:

Suppose the attacker has two emails, attacker@outlook.com and attacker1@outlook.com,
and the victim has one email, victim@outlook.com.

1) Log in as attacker@outlook.com, go to
https://account.microsoft.com/family#/
and add victim@outlook.com as your child in the family member section.

2) Then add attacker1@outlook.com as a child as well.

3) Microsoft will send an invitation email to both accounts,
attacker1@outlook.com and victim@outlook.com.

4) Now the attacker logs in to attacker1@outlook.com
and looks for the invitation email.
It looks like this:


https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=YXR0YWNrZXIxQG91dGxvb2suY29t&ma=0&lang=en-US

5) In the above link, look at the parameter
email=

YXR0YWNrZXIxQG91dGxvb2suY29t

This is the base64 encoding of attacker1@outlook.com.

6) So now the attacker base64-encodes the victim's email address,
i.e., base64(victim@outlook.com) is dmljdGltQG91dGxvb2suY29t

Replacing the email parameter with that value gives:

https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=dmljdGltQG91dGxvb2suY29t&ma=0&lang=en-US



7) Now when you give the above link to victim@outlook.com, it asks
for confirmation.

Okay, not bad, but there is a way around that as well :)

Just append matchAccount=true to the above URL,
so it becomes:

https://account.microsoft.com/family/invite-accept?invitationToken=ABQAFgEU1tvx-TFV0tYsdJFrOsNUa36IKGoOZgAADIAAABCKaYH-hI1ydg-ig5HcA8dywADb-R160uVY7cZdQyz65YRGk3hGQkUlI1rVLOOeXBsf5RFBm6Bf2LMTK604r6imsrAgMJqoA1UfWcBz4ceTBqc23iNphZRB3y1pWBXNxiSKh-CbKbzSQSaO8e7SUbSxujDbUDLtlulRuE5bc5afNnhIFIa6lM1sDghHj5kYt0nPcNqLJeVqNUdykXnUe4WRf9H9e7kzZUyqbPHYs69kAAJJY1oSF8dniMEG7x_JwkVzpOGkXCaZdwt_xJsxYjjAS7kgADrHkgB0cOsFV-fLJ9FlKXgfdtyMOHUXn4tl-4TTLGxD&cid=934985687410854638&email=dmljdGltQG91dGxvb2suY29t&ma=0&lang=en-US&matchAccount=true



8) Perfect. Now when you give the above link to victim@outlook.com,
the CSRF is performed without any verification from the victim,
and victim@outlook.com is registered as a child of attacker@outlook.com.
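An added example, not from the post or Microsoft's code, modelling the accept step in steps 5 to 8 beside a hardened version: the invitation store, the session and CSRF inputs and all function names are constructed for illustration; the base64 email values are the ones shown above.

```python
import base64
import secrets
from dataclasses import dataclass

@dataclass
class Invitation:
    token: str
    invitee_email: str  # fixed server-side when the inviter creates the invite
    accepted: bool = False

INVITES = {}  # constructed in-memory store: token -> Invitation

def create_invitation(invitee_email):
    inv = Invitation(secrets.token_urlsafe(32), invitee_email)
    INVITES[inv.token] = inv
    return inv

def decode_email_param(value):
    """The post's observation: the 'email' query parameter is plain base64."""
    return base64.b64decode(value).decode()

def accept_vulnerable(params, session_email):
    """Models the behaviour described above: the invitee identity is read from
    the client-controlled 'email' parameter, never compared with the signed-in
    account (session_email is ignored), and matchAccount=true skips the
    confirmation screen."""
    inv = INVITES.get(params.get("invitationToken"))
    if inv is None:
        return "invalid token"
    email = decode_email_param(params["email"])
    if params.get("matchAccount") != "true":
        return "confirm: add %s to family?" % email
    inv.accepted = True
    return "%s added as child" % email

def accept_hardened(params, session_email, confirmed, csrf_ok):
    """Fix: the invitee comes only from the server-side record, the signed-in
    account must be that invitee, and acceptance needs an explicit confirmed
    POST carrying a valid anti-CSRF token (no GET-with-query shortcut)."""
    inv = INVITES.get(params.get("invitationToken"))
    if inv is None or inv.accepted:
        return "invalid token"
    if session_email.casefold() != inv.invitee_email.casefold():
        return "signed-in account is not the invitee"
    if not (confirmed and csrf_ok):
        return "confirmation required"
    inv.accepted = True
    return "%s added as child" % inv.invitee_email
```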


Impact of vulnerability:
The impact of this bug was very serious. The attacker would have got to know the victim's activity, their history and web browsing, could have blocked a few websites for them, etc.

Microsoft has fixed the issue and acknowledged me as a security researcher.
Now it's no longer possible to add just anyone as a family member.

I am very happy to have helped protect the privacy of Microsoft users' data.

Here is the CTF key: 596f755f676f745f696e746f5f626c6f67

Thanks for Reading
Jai Hind  :) 


Wednesday, 27 July 2016

Facebook acquisition WhatsApp Translate: open redirection

In the name of Allah the beneficent the Merciful.

 

It was a Thursday night (the day before my semester exam) when I came to know that WhatsApp is now part of the Facebook bug bounty, and I started hunting on it.
Soon I discovered an open redirection flaw in the WhatsApp Translate website, translate.whatsapp.com.

WhatsApp Translate has more than 10 million users all over the world.

Open redirection occurs when an application doesn't validate the URL it sends the victim to. This lets an attacker redirect victims to malicious sites and perform phishing and similar attacks.

Here is the request:


GET /sign-in?next=http://google.com/ HTTP/1.1
Host: translate.whatsapp.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/49.0.2623.108 Chrome/49.0.2623.108 Safari/537.36
Referer: https://translate.whatsapp.com/

After sign-in, WhatsApp Translate would have redirected the user to google.com.
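An added example, not code from the post or from WhatsApp, of the validation the sign-in page's next parameter lacked: a same-origin check for the redirect target, with ALLOWED_HOST assumed to be translate.whatsapp.com from the request above and the function name mine.

```python
from urllib.parse import urlsplit, urljoin

# Origin the sign-in page belongs to (taken from the request above); assumed
# here to be the only host a post-login 'next' value may point at.
ALLOWED_HOST = "translate.whatsapp.com"


def safe_next(next_param, default="/"):
    """Return a post-login redirect target that stays on ALLOWED_HOST, or
    `default` if the supplied value points anywhere else. Rejects absolute
    URLs to other hosts, scheme-relative //host forms, backslash variants
    that browsers normalise to slashes, userinfo tricks (host@evil) and
    non-http schemes such as javascript:."""
    if not next_param:
        return default
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != ALLOWED_HOST:
        return default
    if not parts.netloc and not candidate.startswith("/"):
        return default  # bare 'evil.com' or 'http:evil.com' style values
    if candidate.startswith("//"):
        return default
    # Resolve against our own origin and confirm the host survived resolution
    resolved = urljoin("https://%s/" % ALLOWED_HOST, candidate)
    if urlsplit(resolved).netloc.lower() != ALLOWED_HOST:
        return default
    return resolved
```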

 

Here is the video proof of concept demonstrating the attack.

Unfortunately, after a few days I got a response from the Facebook Security Team saying it was a duplicate issue.

Thanks for Reading
Jai Hind  :) 

Tuesday, 24 May 2016

How I could have hacked anyone's WhatsApp Translate account.

In the name of Allah the beneficent the Merciful.


It was a Thursday night (the day before my semester exam) when I came to know that WhatsApp is now part of the Facebook bug bounty, and I started hunting on it.
Soon I discovered an account takeover flaw in the WhatsApp Translate website,
translate.whatsapp.com.

WhatsApp Translate has more than 10 million users all over the world.

The bug was an Insecure Direct Object Reference in the password reset functionality.

Here is the POST request:

POST /reset HTTP/1.1
Host: translate.whatsapp.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://translate.whatsapp.com/
Upgrade-Insecure-Requests: 1
User-Agent:
Referer: https://translate.whatsapp.com/reset?id=0eebabde1b2144a4942b54ad22393982
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __utmt=1;

csrfmiddlewaretoken=&password=&password_again=&username=&hash_id=0eebabde1b2144a4942b54ad22393982





The "username" parameter was vulnerable and could have let me change
anyone's password.

The Insecure Direct Object Reference (IDOR) in the username parameter could be exploited to gain control of anyone's WhatsApp Translate account.

Just by replacing the username with the victim's username, it's game over!!!
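An added example, not from the post or WhatsApp's code base, modelling the reset handler described above beside a fixed one in which the account is bound to hash_id when the token is issued rather than read from the username field; the token store, sample accounts and function names are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class ResetToken:
    username: str  # bound when the token is issued, never taken from the form
    expires_at: float
    used: bool = False

RESET_TOKENS = {}  # constructed store: hash_id -> ResetToken
PASSWORDS = {"alice": "old-a", "bob": "old-b"}  # constructed sample accounts

def issue_reset(username, ttl_seconds=900, now=None):
    """Create a reset record for `username` and return its hash_id (32 hex
    characters, the same shape as the hash_id in the request above)."""
    hash_id = secrets.token_hex(16)
    RESET_TOKENS[hash_id] = ResetToken(username, (now or time.time()) + ttl_seconds)
    return hash_id

def reset_vulnerable(form):
    """Models the bug described above: the token is only checked for existence,
    and the account whose password changes is whatever the form's 'username'
    field says, so one valid token resets any account."""
    if form["hash_id"] not in RESET_TOKENS:
        return "invalid"
    PASSWORDS[form["username"]] = form["password"]
    return "password changed for " + form["username"]

def reset_hardened(form, now=None):
    """Fix: the account is the one bound to hash_id at issue time; the form's
    'username' is ignored, and the token must be unexpired and unused."""
    rec = RESET_TOKENS.get(form.get("hash_id", ""))
    now = now or time.time()
    if rec is None or rec.used or now > rec.expires_at:
        return "invalid"
    if form["password"] != form["password_again"] or len(form["password"]) < 8:
        return "bad password"
    rec.used = True
    PASSWORDS[rec.username] = form["password"]
    return "password changed for " + rec.username
```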


Here is the video POC.

Facebook fixed the issue in production within 2 hours of acknowledgment and rewarded $1000 USD for my work.

Now it's no longer possible to exploit the IDOR here, which was affecting more than 10 million users.



Timeline:

May 13, 2016 at 1:07 AM  : Bug reported
May 18, 2016 at 12:11 AM : Escalated by Facebook
May 18, 2016 at 2:27 AM  : Bug fixed and asked for confirmation
May 25, 2016 at 5:18 AM  : Bounty rewarded



I would like to thank Facebook Security for the quick fix of the issue on the production server, and as usual I am happy to save the community from getting hacked.

Thanks for Reading
Jai Hind  :) 
 
 
 





Saturday, 30 April 2016

How I could have hacked/clickjacked all websites registered under Free Basics, including Facebook, Parse, Yahoo, Twitter, PayPal, Synack, Bugcrowd, etc.


In the name of Allah the beneficent the Merciful.


This is my first blog post on a bug bounty POC.
It was a Thursday morning; as usual I woke up at 5:30 AM.
After Fajr (prayer) I opened my computer to look at my emails and got one from Facebook regarding a website I had submitted for registration under Free Basics.

Free Basics platform - service submission updated

Then I clicked the URL in the message:

https://partners.facebook.com/fbs/onboarding/?submission_id=xxxxxxxxxxxxx

I was curious why Facebook had rejected my website submission, so I started pentesting the URL field.

I clicked to edit the URL and changed it to a random URL, but before clicking Test I captured the simulator request in Burp Suite.

I noticed that the X-Frame-Options header was missing.
So I quickly entered facebook.com in the URL field and captured the GET request:

GET / HTTP/1.1
Host: https-m-facebook-com.simulator.freebasics.com

After submitting the GET request I was shocked to see that the Free Basics simulator appeared to be stripping the X-Frame-Options header of facebook.com.
Then I created a clickjacking test page and, luckily, the facebook.com site was embedded in the frame.

As soon as I found this I quickly reported it to Facebook Security at facebook.com/whitehat.

Here is the video POC link:

https://www.youtube.com/watch?v=Q7BlHACEA64


After some time I tried different websites:

Yahoo:
GET / HTTP/1.1
Host: https-yahoo-com.simulator.freebasics.com

Twitter:
GET / HTTP/1.1
Host: https-twitter-com.simulator.freebasics.com

Github:
GET / HTTP/1.1
Host: https-github-com.simulator.freebasics.com

Parse:
GET / HTTP/1.1
Host: https-parse-com.simulator.freebasics.com

Moves-app:
GET / HTTP/1.1
Host: https-accounts-moves--app-com.simulator.freebasics.com

Paypal:
GET / HTTP/1.1
Host: https-paypal-com.simulator.freebasics.com

Bugcrowd:
GET / HTTP/1.1
Host: https-bugcrowd-com.simulator.freebasics.com

Synack:
GET / HTTP/1.1
Host: https-synack-com.simulator.freebasics.com



I discovered that the simulator was stripping their X-Frame-Options headers,
so the contents of those pages could be embedded in an iframe.
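An added example, not the simulator's code, of the header handling a proxy that re-serves third-party pages needs, plus a check for the stripping observed above: the header dictionaries are constructed samples and the function names are mine.

```python
def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def has_framing_protection(headers):
    """True when the response forbids or restricts framing: a CSP
    frame-ancestors directive whose source list is not '*', or
    X-Frame-Options DENY/SAMEORIGIN. Header names match case-insensitively,
    and CSP wins over X-Frame-Options when both are present."""
    h = _lower(headers)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return "*" not in value.split()
    return h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")


def forward_headers(upstream_headers):
    """Rule for a proxy/simulator that re-serves someone else's page: pass the
    origin's anti-framing headers through unchanged, and if the origin sent
    none, add a SAMEORIGIN default rather than serving a frameable copy."""
    out = dict(upstream_headers)
    if not has_framing_protection(out):
        out["X-Frame-Options"] = "SAMEORIGIN"
    return out


def weakened(upstream_headers, proxied_headers):
    """Detection check: did the proxy drop protection the origin had?"""
    return has_framing_protection(upstream_headers) and not has_framing_protection(proxied_headers)


# Constructed sample: origin headers before and after a proxy that strips
# X-Frame-Options, the behaviour described above.
ORIGIN = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
STRIPPED = {"Content-Type": "text/html"}
```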

Here is the video POC showing different sites getting clickjacked:
https://youtu.be/ptqQxFUZyZU

In the evening I got a message from Facebook saying they couldn't reproduce it.
So I tested again and found that this bug reproduces in Firefox version 44.0.2 on Ubuntu.

Also, to exploit this bug the victim needs to authenticate to the website through the Free Basics simulator, which lowers the impact of the vulnerability.

Though the exploit is hard, this simple bug would have allowed hacking any site registered under Free Basics.

Now that the bug is fixed, facebook.com has opted out of the Free Basics program, and Facebook has put their simulator service behind authentication, created an i_org anti-CSRF token, and also adjusted the clickjacking protection.

 

 

After the fix was confirmed, Facebook rewarded $500 USD for my work.



I would like to thank Neal Poole of Facebook Security for assisting with the bug
and clarifying my questions on the issue.

Though the bounty seems low, I am happy that I saved the community
from getting hacked.

Thanks for Reading
Jai Hind  :)

