Iframe injection and XSS on over 20 000 websites (en)

I decided to walk through the Alexa top sites for Ukraine, http://www.alexa.com/topsites/countries/UA, and began looking for vulnerabilities on gismeteo.ua (20th place in the country). It redirected to the Russian version at https://www.gismeteo.ru/soft/, where the support widget drew my attention.

Support is hosted at https://gismeteo.userecho.com and is loaded into gismeteo in an iframe: https://gismeteo.userecho.com/s/interframe.html?url=https://gismeteo.userecho.com/widget/forum/6-/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1. Inside it there is a form for creating a ticket.

I tried to load another website into the iframe, https://gismeteo.userecho.com/s/interframe.html?url=https://securityz.net, but it did not load. Then I realised that, in addition to the url parameter, the loader also needs the other variables: lang, referer, xdm_e and the rest.

With http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 my site loaded in the frame.

Video: https://www.youtube.com/watch?v=9P4A1AGxxYc

It turned out that the owner of userecho.com uses the same widget API on every customer's technical support site, hence the conclusion that all of its customers are vulnerable to iframe injection.
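The root cause described above is a loader page that frames whatever its `url` query parameter says. The following is an added example, not UserEcho's code, of the check such a loader should perform: parse the parameter, resolve it against the loader's own origin, and refuse anything whose scheme or origin is not on an explicit allowlist. The allowlist contents, the function names and the `attacker.example` host are assumptions constructed for the example; the sample loader URLs are built from the ones quoted in the post.

```javascript
// Added example, not UserEcho's own code: validating the `url` parameter of a
// widget loader page like interframe.html before it is used as an iframe src.
// Runs under Node.js (the WHATWG URL class is a global there and in browsers).

// Hypothetical allowlist: the support tenant's own origin. A deployment on a
// custom domain (support.gismeteo.ru in the post) would add that origin too.
const DEFAULT_ALLOWED_ORIGINS = new Set(['https://gismeteo.userecho.com']);

// Returns the validated absolute URL to frame, or null if it must be refused.
function resolveFrameTarget(loaderUrl, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  let loader;
  try {
    loader = new URL(loaderUrl);
  } catch {
    return null; // the loader URL itself is unparseable
  }
  const raw = loader.searchParams.get('url');
  if (raw === null || raw.trim() === '') return null;

  let target;
  try {
    // Relative values ("/widget/forum/6-/") resolve against the loader's own
    // origin; absolute values ("https://other.example/") are parsed as given.
    target = new URL(raw, loader.origin);
  } catch {
    return null;
  }
  // javascript:, data: and http: values all parse, so check the scheme explicitly.
  if (target.protocol !== 'https:') return null;
  // Userinfo ("https://trusted@attacker.example/") does not change the origin
  // computed below, but no legitimate widget URL carries credentials: refuse it.
  if (target.username !== '' || target.password !== '') return null;
  // Exact origin match (scheme + host + port). Look-alike hosts such as
  // gismeteo.userecho.com.attacker.example have a different origin and fail here.
  if (!allowedOrigins.has(target.origin)) return null;
  return target.href;
}

// Minimal attribute escaping for the markup below.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// What the loader page would emit: the iframe, or a refusal instead of a frame.
function buildIframeMarkup(loaderUrl, allowedOrigins) {
  const src = resolveFrameTarget(loaderUrl, allowedOrigins);
  if (src === null) return '<p>Refused to load an unexpected frame target.</p>';
  return `<iframe src="${escapeAttr(src)}"></iframe>`;
}

// Constructed sample inputs, modelled on the loader URLs quoted in the post.
const LEGIT_LOADER =
  'https://gismeteo.userecho.com/s/interframe.html?url=https://gismeteo.userecho.com/widget/forum/6-/?lang=ru' +
  '&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1';
const INJECTED_LOADER =
  'https://gismeteo.userecho.com/s/interframe.html?url=https://attacker.example/?lang=ru' +
  '&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1';

console.log(buildIframeMarkup(LEGIT_LOADER));    // frames the widget
console.log(buildIframeMarkup(INJECTED_LOADER)); // refusal message
```

The check compares `target.origin`, not a substring of the host, so a value that merely starts with the trusted hostname is rejected; the `&`-separated extra parameters (`lang`, `referer`, `xdm_e` and so on) are irrelevant to the decision because only the resolved origin of `url` matters.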

I found the list of top clients at http://userecho.com/clients/?lang=ru and saw that many of the vulnerable clients are among the most visited sites: drugvokrug.ru (a social network with more than 5 million users), fl.ru (the most popular freelance exchange in Russian), easypay.ua (one of the most visited payment systems in Ukraine), tankionline.com, ivi.ru, amiro.ru, okko.tv, insales.ru, a-lab.ru, scrapinghub.com, iridiummobile.net and many others. Almost all of these sites host the UserEcho widget on their own subdomain, for example http://ask.drugvokrug.ru/, but some place it on a userecho subdomain, for example http://kontur.userecho.com/.

The attack vectors:

To distribute a malicious link, you would first shorten it (goo.gl/GIYRUR), then:

  1. Mass-send it to forums and email addresses.
  2. Purposefully attack a specific user or administrator using this vulnerability.

It would have been possible to send a vulnerability report to each affected site, but the vulnerability would then have been promptly fixed by the userecho developers and I would not have got anything either from the vulnerable sites or from the widget developers.

Therefore, I decided to report the discovery directly to the plug-in developers.

09.01.2017 at 23:00: sent a bug report to userecho.com support.

10.01.2017 at 00:10: vulnerability fixed and the vulnerable file interframe.html deleted (comment from the developers: the interframe.html file is no longer available (deleted) and all the widgets work without this file; therefore all of them were working with the same API).

01.10.2017 at 02:14: the developers paid me a reward of $100. Their comment:

You must understand that we are not such a big company. In addition, it is generally the first time we have decided to give someone a monetary reward.

I also found a self-XSS vulnerability in the userecho support widget, which they are not going to fix; that vulnerability affects more than 20 thousand sites, and here is the article with the PoC: https://securityz.wordpress.com/2017/01/10/self-xss_en/. I had a hard time persuading the developers to eliminate the iframe injection:

We saw in the logs that you were playing with interframe.html and understand why and how it was used. The only thing that was not clear was how it could be put to good use.

Since we now understand the use cases and you prompted us to fix it, we are ready to transfer you 100 USD.

Subscribe to https://twitter.com/MaximYaremchuk for more articles)
