Tuesday, September 7, 2010

Watch out for vulnerabilities in 3rd party applications on your site's domain.

In the past few years it has become common for site owners to run third-party tools on their site. A good example is WordPress or another blog platform, installations of which are typically placed on a subdomain such as http://blog.example.com. Often these add-ons are not even hosted by the site owner; instead they are hosted by the third party, and the domain owner simply sets up a DNS CNAME record to direct traffic there. Recall that a page on any subdomain can set its document.domain to any suffix of its own hostname that ends at a label boundary (blog.example.com may choose example.com, but not a bare public suffix such as com), and that two pages which have set document.domain to the same value are then treated as the same origin by the same origin policy. Many sites now set document.domain on their main site to the base domain (example.com rather than www.example.com), thereby allowing a script on any subdomain that does the same to obtain same origin access to anything on the site.
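The rule above is easy to get wrong in both directions (which values a page may assign, and the fact that both sides must opt in), so here is a Node-runnable model of it. This is an added example, not code from the original post or from any browser; the hostnames are constructed for illustration and the public-suffix table is a tiny stand-in for the real list browsers ship.

```javascript
// Added example (not from the original post): a model of the document.domain
// rule. PUBLIC_SUFFIXES is a constructed stand-in for the real public suffix
// list; the hostnames below are constructed for illustration.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Returns the registrable domain of host ("facebook.com" for
// "feedback.developers.facebook.com"), or null if host is itself a public
// suffix such as "com".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = labels.length - 2; i >= 0; i--) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (!PUBLIC_SUFFIXES.has(candidate) && PUBLIC_SUFFIXES.has(parent)) {
      return candidate;
    }
  }
  return null;
}

// A page is {host, domain}: host is the origin's host, domain is the value
// document.domain currently holds (null until a script assigns it).
function newPage(host) {
  return { host: host.toLowerCase(), domain: null };
}

// Models assigning document.domain. Browsers accept the value only when it is
// the page's own host or a parent of it at a label boundary, and when it is
// not a bare public suffix; anything else raises a SecurityError.
function setDocumentDomain(page, value) {
  const v = value.toLowerCase();
  const isSuffix = page.host === v || page.host.endsWith("." + v);
  if (!isSuffix || registrableDomain(v) === null) {
    throw new Error("SecurityError: cannot set document.domain to " + value);
  }
  page.domain = v;
  return page;
}

// Two pages (same scheme and default port assumed) may script each other
// only if both left document.domain alone and share a host, or both set it
// and the values match. Setting it on one side alone is not enough.
function canScript(a, b) {
  if (a.domain === null && b.domain === null) return a.host === b.host;
  if (a.domain === null || b.domain === null) return false;
  return a.domain === b.domain;
}

// The situation in the post: an attacker controlling a page on a dangling
// subdomain relaxes to the base domain; the main site either has done the
// same (as the post says Facebook had) or has not.
function takeoverScenario(mainSiteRelaxes) {
  const attacker = setDocumentDomain(
    newPage("feedback.developers.facebook.com"), "facebook.com");
  const victim = newPage("www.facebook.com");
  if (mainSiteRelaxes) setDocumentDomain(victim, "facebook.com");
  return canScript(attacker, victim);
}

console.log(takeoverScenario(true));   // true: a framed main-site page is readable
console.log(takeoverScenario(false));  // false: the same origin policy holds
```

The model makes the second point explicit: the attacker's page can assign document.domain = "facebook.com" freely, but that assignment only buys access to main-site pages that have made the same assignment, which is exactly the configuration the post describes.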

Despite its danger, this practice is so widespread that even Facebook was known for doing it. I say that in the past tense because I was able to take advantage of it to find multiple cross site scripting vulnerabilities affecting http://facebook.com. After I reported the issues, Facebook performed a complete audit of everything hosted on their subdomains. As a result, sites like the developer forum and Bugzilla have been moved to facebook.net.

It all started when I noticed that Facebook had once set up a UserVoice (http://www.uservoice.com) account, accessible via http://feedback.developers.facebook.com but hosted by UserVoice. At some point they had chosen to close the account, but they left the DNS settings for the subdomain untouched, still pointing at UserVoice.

I followed this process to craft a proof of concept exploit:

  1. Signed up for UserVoice.
  2. Purchased the most expensive $500/month account, with a 30 day trial. This account allows custom HTML, JavaScript, and custom domains.
  3. Configured the account to use the previously active http://feedback.developers.facebook.com domain. No proof of ownership was required, and UserVoice let me claim the domain even though it had previously belonged to a now inactive account.
  4. Wrote a proof of concept exploit which set the page's document.domain to "facebook.com" and, with facebook.com content now same origin, hijacked the user's session.

In this case, Facebook was able to fix this vulnerability simply by disabling the http://feedback.developers.facebook.com domain.

I also notified UserVoice about this issue, along with a related issue that would allow a hacker to hijack the sessions of UserVoice users. Here was their response:

Hi George,

First of all thank you for bringing these issues to our attention and for working with us to get them sorted. Our next steps are to:

* Modify the way sessions are created so that they are site-specific (x.uservoice.com). Once a session is created on a specific subdomain it cannot be reused on any others.
* We will prevent any new account from using the cname of a previous account (even if it's been deleted).

We will have this in place before the 14th and I'll let you know when that's the case.

Thanks again,

Richard White
CEO, UserVoice.com

Next, I identified multiple publicly disclosed cross site scripting vulnerabilities in the outdated version of Bugzilla once located at http://bugs.developers.facebook.com (now moved to http://bugs.developers.facebook.net). As with the UserVoice exploit, I was able to quickly craft the same session hijacking proof of concept.

So what's the conclusion to all this? Don't expose your site to vulnerabilities in third-party tools such as WordPress, UserVoice, GetSatisfaction, Tumblr, etc. by hosting them on subdomains. If your primary site sets document.domain to the base domain, then any vulnerability in a third-party site located on a subdomain is equivalent to a vulnerability in your own site, and you have much less control over the security of third-party tools. The only case in which hosting third-party applications on a subdomain is reasonably safe is when your primary site leaves document.domain at its full hostname, such as www.example.com, and never relaxes it. Even then, two caveats apply. Cookies scoped to the parent domain are shared with every subdomain, so a compromised subdomain can read any parent-domain cookie that is not HttpOnly and can set cookies the main site will accept. And a DNS record that keeps pointing at a provider after the account behind it is closed can be claimed by whoever signs up with that provider next, so audit your CNAME records whenever a third-party service is retired.
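The audit suggested above is mechanical enough to script. The following is an added example, not code from the original post or from any of the providers named: it walks a set of zone records, flags every CNAME that hands a subdomain to a known third-party host, marks the ones no active account claims, and rates each against the main site's document.domain setting. The zone records, provider list and account list are all constructed for illustration; a real audit would pull the zone from DNS and probe each target to confirm the provider still serves content for that name.

```javascript
// Added example (not from the original post): an offline audit for CNAME
// records that point at third-party hosts. All data below is constructed.
const THIRD_PARTY_CNAME_TARGETS = [
  { suffix: ".uservoice.com", provider: "UserVoice" },
  { suffix: ".wordpress.com", provider: "WordPress.com" },
  { suffix: ".tumblr.com", provider: "Tumblr" },
  { suffix: ".getsatisfaction.com", provider: "GetSatisfaction" },
];

// Constructed zone data in the shape of (name, type, target) records.
const SAMPLE_ZONE = [
  { name: "www.example.com", type: "A", target: "203.0.113.10" },
  { name: "feedback.example.com", type: "CNAME", target: "example.uservoice.com" },
  { name: "blog.example.com", type: "CNAME", target: "example.wordpress.com" },
  { name: "bugs.example.com", type: "CNAME", target: "bugs-internal.example.com" },
];

// Constructed list of the third-party hostnames the site owner still has an
// active account for. Anything else that resolves to a provider is dangling.
const ACTIVE_ACCOUNTS = new Set(["example.wordpress.com"]);

// Maps a CNAME target to the provider entry it belongs to, or null.
function matchProvider(target) {
  const t = target.toLowerCase().replace(/\.$/, "");
  return THIRD_PARTY_CNAME_TARGETS.find((p) => t.endsWith(p.suffix)) || null;
}

// Returns one finding per CNAME that delegates a subdomain to a third party,
// marked dangling when no active account claims the target.
function auditCnames(zone, activeAccounts) {
  const findings = [];
  for (const rec of zone) {
    if (rec.type !== "CNAME") continue;
    const provider = matchProvider(rec.target);
    if (!provider) continue;
    findings.push({
      name: rec.name.toLowerCase(),
      target: rec.target.toLowerCase(),
      provider: provider.provider,
      dangling: !activeAccounts.has(rec.target.toLowerCase()),
    });
  }
  return findings;
}

// Rates each finding against the main site's document.domain setting (null
// when the main site never relaxes it). A dangling name that sits under a
// domain the main site relaxes to gives the taker access to the main site's
// DOM, as in the post, so it is rated critical; other dangling names are
// still high because of shared parent-domain cookies.
function rateFindings(findings, mainSiteDocumentDomain) {
  return findings.map((f) => {
    const underRelaxedDomain =
      mainSiteDocumentDomain !== null &&
      f.name.endsWith("." + mainSiteDocumentDomain.toLowerCase());
    let severity = "info";
    if (f.dangling) severity = underRelaxedDomain ? "critical" : "high";
    return Object.assign({}, f, { severity });
  });
}

// Usage on the constructed zone, with the main site relaxed to example.com.
for (const f of rateFindings(auditCnames(SAMPLE_ZONE, ACTIVE_ACCOUNTS), "example.com")) {
  console.log(`${f.severity.padEnd(8)} ${f.name} -> ${f.target} (${f.provider})`);
}
```

Run against the constructed zone, the script reports feedback.example.com as critical (a UserVoice target with no account behind it, under the domain the main site relaxes to) and blog.example.com as info (a WordPress.com target that an active account still owns); bugs.example.com is an internal CNAME and is not reported.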

15 comments:

Alex Goretoy said...

Nice article. I had done some Facebook hacking myself in the past. Nothing of this caliber, of course. Just messing around with user tracking with profile boxes and other basic FB apps. I have removed my FB account since then due to the lack of security on their part.

Unknown said...

Great review. I am sending it onto my business partner who is a developer. Thanks!

Unknown said...

Interesting article, good work
