I decided to work through the Alexa top sites for Ukraine (http://www.alexa.com/topsites/countries/UA) and began looking for vulnerabilities on gismeteo.ua (20th place in the country). The site redirected to the Russian version, https://www.gismeteo.ru/soft/, where the support section caught my attention.
Support is hosted at https://gismeteo.userecho.com and is loaded on gismeteo in an iframe: https://gismeteo.userecho.com/s/interframe.html?url=https://gismeteo.userecho.com/widget/forum/6-/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1. Inside it there is a form for creating a ticket.
I tried to load a different website in the iframe with https://gismeteo.userecho.com/s/interframe.html?url=https://securityz.net, but it did not load. Then I realized that, besides the url parameter, the page also expects the other variables: lang, referer, xdm_e and so on.
With http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 my site loaded in the frame.
It turned out that the widget's owner, userecho.com, uses the same API on every customer's technical-support site, so the conclusion was that all of its customers were vulnerable to iframe injection.
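The root cause described above is that interframe.html framed whatever the url parameter pointed to, as long as the other parameters were present. The following is an added, defender-side example and is not UserEcho's code or anything from the original post: it shows the check such a frame-helper page needs, namely parsing the url parameter as an absolute URL and comparing its origin against an allowlist before it is ever assigned to an iframe. The allowlist contents, the function name resolveFrameTarget and the attacker.example host are my own assumptions.

```javascript
// Added example (not UserEcho's code): origin allowlisting for a
// "load this URL into the support iframe" parameter.
// Assumed allowlist: only the support host itself may be framed.
const ALLOWED_FRAME_ORIGINS = ["https://gismeteo.userecho.com"];

// Returns the normalized URL to frame, or null if the request must be refused.
function resolveFrameTarget(queryString, allowedOrigins = ALLOWED_FRAME_ORIGINS) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("url");
  if (!raw) return null;

  let target;
  try {
    // URL() throws on relative or malformed input, so "/evil" or
    // "javascript:..." without a host never reaches the origin check.
    target = new URL(raw);
  } catch (e) {
    return null;
  }

  // Refuse anything that is not https; a data: or javascript: URL
  // has an opaque origin and would fail the next check anyway.
  if (target.protocol !== "https:") return null;

  // origin is scheme + host + port, so "gismeteo.userecho.com.attacker.example"
  // or "user@gismeteo.userecho.com@attacker.example" do not match.
  if (!allowedOrigins.includes(target.origin)) return null;

  return target.href;
}

// Browser glue: only assign the iframe src when the check passes.
function mountSupportFrame(doc, queryString) {
  const target = resolveFrameTarget(queryString);
  const frame = doc.getElementById("support-frame");
  if (!frame) return false;
  if (target === null) {
    frame.removeAttribute("src");
    return false;
  }
  frame.src = target;
  return true;
}

// Stand-alone demo (constructed inputs modelled on the post's URLs).
if (typeof document !== "undefined") {
  mountSupportFrame(document, window.location.search);
} else {
  const samples = [
    "url=https://gismeteo.userecho.com/widget/forum/6-/?lang=ru&xdm_e=https://www.gismeteo.ru",
    "url=https://securityz.net/?lang=ru",
    "url=https://gismeteo.userecho.com.attacker.example/",
    "url=http://gismeteo.userecho.com/",
    "url=/widget/forum/6-/",
  ];
  for (const q of samples) {
    console.log(q, "=>", resolveFrameTarget(q));
  }
}
```

Deleting interframe.html, as the developers did, removes the problem entirely; where a redirect-style helper must stay, comparing the parsed origin (not a substring of the raw string) is the part that matters, since prefix checks on the raw value are bypassed by hosts such as the attacker.example variants in the demo.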
I found the list of top clients at http://userecho.com/clients/?lang=ru and saw that many of the vulnerable clients are among the most visited sites: drugvokrug.ru (a social network with more than 5 million users), fl.ru (the most popular Russian-language freelance exchange), easypay.ua (one of the most visited payment systems in Ukraine), tankionline.com, ivi.ru, amiro.ru, okko.tv, insales.ru, a-lab.ru, scrapinghub.com, iridiummobile.net and many others. Almost all of them host the UserEcho widget on their own subdomain, for example http://ask.drugvokrug.ru/, but some host it on a userecho subdomain, for example http://kontur.userecho.com/.
The attack vectors:
1. Phishing: load a website that is an exact copy of the original and cannot be distinguished from it; the victim enters their data and it comes to me (login, password, credit card numbers, CVV2 for easypay.ua, etc.). Example: https://securityz.net/gismeteo.html?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1. I made a copy of the gismeteo site, and if a person enters their username and password on it, they come to me.
2. Injecting advertising into the site through the iframe, which can be passed off as advertising from the affected site. Example: http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1.
To distribute a malicious link, one would first shorten it (goo.gl/GIYRUR) and then:
- Mass-send it to forums and email addresses.
- Purposefully attack a specific user or administrator using this vulnerability.
I could have sent a vulnerability report to each affected site, but the vulnerability would have been promptly fixed by the userecho developers and I would have received nothing from either the vulnerable sites or the widget developers.
So I decided to report the finding directly to the developers of this plugin.
09.01.2017 at 23:00: sent a bug report to userecho.com support.
10.01.2017 at 00:10: vulnerability fixed and the vulnerable file interframe.html deleted (comment from the developers: the interframe.html file is no longer available (deleted) and all widgets work without the file, so they all use the same API).
01.10.2017 at 02:14: the developers paid me a reward of $100. Their comment:
You must understand that we are not such a big company. In addition, this is generally the first time we have decided to give someone a monetary reward.
I also found a self-XSS vulnerability in the userecho support widget, which they are not going to fix; it affects more than 20 thousand sites. Here is the article with a PoC: https://securityz.wordpress.com/2017/01/10/self-xss_en/. I barely persuaded the developers to fix the iframe injection:
We saw in the logs that you were playing with interframe.html and understood why and how it was used. The only thing that was not clear was how it could be put to good use.
Since we now understand the use cases and you prompted us to fix it, we are ready to transfer you 100 USD.
Follow https://twitter.com/MaximYaremchuk for more articles)