From CSRF to account takeover
Can you visit an online shop only to buy something? I can’t…as soon as the browser loads the site I think about possible bugs and exploitation techniques, I guess it’s an addiction or illness. :-D But I like it, it makes shopping a real adventure.
oneplus.net used CSRF protection to prevent unauthorized commands being sent under the context of the user. But it could be bypassed by sending a specially crafted CSRF token (form_key). I found out that their back end system couldn’t handle parameter values that started with a “-”. So form_keys starting with a “-” were accepted although they weren’t valid. This allowed an attacker to add arbitrary default addresses to a victim’s account.
Unfortunately all parameters were appropriately sanitized so I couldn’t weaponize it to a nice stored XSS. But that was not needed at all. ;-) Adding default addresses like MostEvil Guy living in the MilkyWay to random OnePlus accounts could be quite funny, but I didn’t want to leave without an account takeover.
Let’s get it started!
1.) Send the victim the CSRF exploit, use the telephone field! Offering someone to call you creates trust. 2.) Create an email account and make sure there’s a connection to your cover identity (added address), i.e. firstname.lastname@example.org 3.) Send a recovery request to accounts[
The “recovered” account will contain credit card data and (pending) orders…but it’s absolutely not worth the effort as long as phishing works that good…
OnePlus: “Taking into account the difficulty of this vulnerability being exploited(It requires a combination of sophisticated social engineering)，we can offer you a headset as gift to express our appreciation.”
The flaw was responsible reported to the awesome guys at security[
Thank you liuyingwei! Keep it up!