Friendliest Account Takeover “Feature” We Discovered on a Client's Site

Posted on June 7, 2017 (updated July 5, 2017). Categories: Uncategorized

We were working on a client's site and found a lot of common security flaws, but we are only going to discuss one of them in this article. We spoke to other researchers and none of them had ever seen a security flaw like this before; the only reason it existed is that it was a hidden feature, which was removed shortly after we informed the client of it.

The website had a sign-up form, which in itself is completely normal. The site was designed for a few towns to use and required your home address. Again, that seems normal, but this site had already shown a lot of unusual programming, so we entered an address where nobody signed up with the service lived and submitted our registration.

The website didn't accept our registration. Instead it came back with a very friendly response: “It appears you've already signed up with us!” It then asked whether we lived at a different address somewhere nearby, assuming we had made a typo, so we clicked yes. This led to the friendliest account takeover by design that we've ever seen.

The website's developers had gone to the extra length of making the site search for addresses that were already in the database, or nearby ones, and then let you in without any authentication. We're not sure what they were thinking when they built that, but it truly was the nicest account takeover we've ever seen. A criminal with a list of addresses from those towns could have used this feature to automatically populate the form and take over every account, including those holding credit card data and other personal information.
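To make the logic flaw concrete, here is a constructed model of the two registration handlers (this is an added example, not the client's code or the post's own). The address normalisation, the "nearby address" heuristic and the in-memory account store are all assumptions used to keep the example self-contained; the point is the contrast between a registration endpoint that hands out a session for whichever existing account the address matches and one that never issues a session at all, leaving access to existing accounts to a real login with a password check.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    address: str          # stored in normalised form, see normalize_address()
    salt: bytes
    password_hash: bytes


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    '12 Main St.' and '12 main st' compare equal (constructed heuristic)."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    return " ".join(cleaned.split())


def is_nearby(a: str, b: str, max_distance: int = 10) -> bool:
    """Constructed stand-in for the site's 'nearby address' matching:
    same street name and house numbers within max_distance of each other."""
    ma, mb = re.match(r"(\d+) (.+)", a), re.match(r"(\d+) (.+)", b)
    if not (ma and mb) or ma.group(2) != mb.group(2):
        return False
    return abs(int(ma.group(1)) - int(mb.group(1))) <= max_distance


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(db: dict, username: str, address: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    db[username] = Account(username, normalize_address(address), salt,
                           hash_password(password, salt))
    return db[username]


def register_vulnerable(db: dict, sessions: dict, username: str, address: str,
                        password: str, accept_nearby: bool = False) -> dict:
    """Models the flaw described in the post: a submitted address that matches
    (or, once the user confirms, is 'near') an existing account's address
    results in a session for THAT account with no proof of ownership."""
    norm = normalize_address(address)
    for acct in db.values():
        if acct.address == norm or (accept_nearby and is_nearby(acct.address, norm)):
            token = secrets.token_hex(16)
            sessions[token] = acct.username      # FLAW: login without authentication
            return {"status": "logged_in", "account": acct.username, "session": token}
    create_account(db, username, address, password)
    return {"status": "created", "account": username}


def register_hardened(db: dict, sessions: dict, username: str, address: str,
                      password: str) -> dict:
    """Registration never yields a session. A duplicate address (or username)
    produces the same uniform response as a fresh sign-up, so the endpoint
    neither logs anyone in nor confirms which addresses are already on file."""
    norm = normalize_address(address)
    address_taken = any(a.address == norm for a in db.values())
    if not address_taken and username not in db:
        create_account(db, username, address, password)
    return {"status": "pending",
            "message": "Thanks, please verify your account before signing in."}


def login(db: dict, sessions: dict, username: str, password: str):
    """The only path to a session for an existing account: a constant-time
    password check against the stored salted hash."""
    acct = db.get(username)
    if acct is None:
        return None
    if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
        return None
    token = secrets.token_hex(16)
    sessions[token] = username
    return token


if __name__ == "__main__":
    db, sessions = {}, {}
    create_account(db, "alice", "12 Main St.", "correct horse battery")
    # Constructed sample input: a stranger submits a neighbouring address and clicks "yes".
    print(register_vulnerable(db, sessions, "newuser", "14 main st", "x", accept_nearby=True))
    print(register_hardened(db, sessions, "newuser", "14 main st", "x"))
```

The hardened handler also changes what the response reveals: the vulnerable version tells the submitter which account exists and at which address, while the hardened one returns the same message whether or not the address was already on file, so the sign-up form cannot be used to confirm addresses either.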

We found another flaw in the site that we won't go into in great detail, but it allowed you to attempt to log in as any user it could pull from the database if you entered a specially crafted URL. We also discovered a number of cross-site scripting and other security vulnerabilities.

This was an extremely interesting project, to say the least. What can you learn from it? Never underestimate programmers and the unusual things they will build into a system that a criminal could use.