Sunday, November 15, 2015

Bugbounty - Password returned in the response in cleartext

Another interesting bug that I found in www.tagged.com. As you know, www.tagged.com and www.hi5.com are well-known, long-established social media sites, and the design and functionality of the two domains are very similar.

Submitted: 2014-01-01 00:24:25 UTC

URL: https://secure.tagged.com/api 

Affected Parameters: oldPass, newPass, confPass

Description: I observed that when an authenticated user tried to change his password, he had to submit the old password and the new password in a form. As soon as the user clicked submit, the application popped up a CAPTCHA dialogue, and the response that carried that dialogue contained the newly submitted password in cleartext.

Impact: Since cache control was present in the application, this vulnerability does not have any direct business impact; however, it falls under security best practices.

Original Request:

GET /account_info.html?password_old=jonnybravo&password_new=momma123&password_conf=momma123 HTTP/1.1
Host: secure.tagged.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://secure.tagged.com/account_info.html?dataSource=EditProfile$ll=nav
Cookie: S=o476g5gb7m2glrodb7sh0cjh67; B=b=7F9AC288B67E5B41; _ga=GA1.2.648228562.1388332761; lithiumSSO%3A=~2iGjoOFNaCEVzd6dj~5JAFRpjKiQDJ7qAi0kKxS3eO_vjoPuWvzZTMTpbkqqLKNo-0RiY3_QRFDe8fApzUQ9GOWwH2_PWZ1QBjcWugRUxqCkU6nSJbnxBPvCjPNf3Mjnq5s7mol-TCVASqdUVWF-u18Ym1VTyB_t423n9JjQ6ekF6eAaDfTPw3_b13t4oNaKVdetspqxMcx3z0KzIKn0uKH9dVuS-TF4l5Oi_YiCSNdczsjOiefI7YhV6rWkPuudv0PnegRF-lKLpAUVbYw4-Y1J8CW13_Oshd6NJlvGJ8qMxnXnEQMQVXty9TzeU.; L=19s2iCSMWxgp.1iMRFL.5BLRLn; __qca=P0-1915938237-1388534381697; __utma=50703532.648228562.1388332761.1388534382.1388534382.1; __utmb=50703532.0.10.1388534382; __utmc=50703532; __utmz=50703532.1388534382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=228476703.648228562.1388332761.1388534386.1388534386.1; __utmb=228476703.0.10.1388534386; __utmc=228476703; __utmz=228476703.1388534386.1.1.utmcsr=tagged.com|utmccn=(referral)|utmcmd=referral|utmcct=/home.html
Connection: keep-alive


Original Response:

HTTP/1.1 200 OK
Date: Wed, 01 Jan 2014 00:02:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: S=o476g5gb7m2glrodb7sh0cjh67; expires=Fri, 31-Jan-2014 00:02:33 GMT; path=/; domain=.tagged.com
Vary: Accept-Encoding,User-Agent
Content-Length: 1083
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

["{\"stat\":\"security\",\"diagnostics\":\"0 3.1 24.100\",\"result\":{\"code\":1,\"message\":\"That action requires a captcha.\",\"origCallObj\":{\"method\":\"tagged.account.setPassword\",\"api_signature\":\"\",\"track\":\"29GiaKHbAC\",\"oldPass\":\"jonnybravo\",\"newPass\":\"momma123\",\"confPass\":\"momma123\",\"application_id\":\"user\",\"format\":\"JSON\",\"session_token\":\"o476g5gb7m2glrodb7sh0cjh67\"},\"captchaHtml\":\"\\n
\\n
--- Ignore Post Response ---
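The root cause visible in the response above is that the API serialises the entire original call object (origCallObj), including oldPass, newPass, confPass and the session_token, into its "captcha required" reply. The example below is an added illustration, not code from the report or from Tagged: it shows a server-side redaction step applied to the echoed call object before serialisation, alongside a simple checker a tester can run to confirm that no request secret appears verbatim in a response body. The parameter names are taken from the report; the sample request and response payloads are constructed here to mimic the shape of the response shown above (a JSON object double-encoded as a string inside an array), and the SENSITIVE_KEYS set beyond the reported names is an assumption.

```python
import json

# Parameter names whose values must never be echoed back to the client.
# oldPass/newPass/confPass/session_token and the password_* query names come
# from the report; the remaining names are assumed additions for illustration.
SENSITIVE_KEYS = {
    "oldPass", "newPass", "confPass", "session_token",
    "password_old", "password_new", "password_conf", "password",
}

# Constructed sample data mirroring the report's request and origCallObj.
SAMPLE_REQUEST_PARAMS = {
    "password_old": "jonnybravo",
    "password_new": "momma123",
    "password_conf": "momma123",
}
SAMPLE_ORIG_CALL = {
    "method": "tagged.account.setPassword",
    "oldPass": "jonnybravo",
    "newPass": "momma123",
    "confPass": "momma123",
    "application_id": "user",
    "format": "JSON",
    "session_token": "o476g5gb7m2glrodb7sh0cjh67",
}


def redact_sensitive(obj):
    """Recursively replace the values of sensitive keys with a fixed marker."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else redact_sensitive(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_sensitive(v) for v in obj]
    return obj


def build_captcha_response(orig_call, redact=True):
    """Server side: build the 'captcha required' reply.

    redact=False reproduces the reported behaviour (the whole call object is
    echoed); redact=True is the hardened form that strips secrets first.
    """
    echoed = redact_sensitive(orig_call) if redact else orig_call
    return {
        "stat": "security",
        "result": {
            "code": 1,
            "message": "That action requires a captcha.",
            "origCallObj": echoed,
        },
    }


def encode_api_body(payload):
    """Mimic the report's wire format: a JSON string wrapped in a JSON array."""
    return json.dumps([json.dumps(payload)])


def find_echoed_secrets(request_params, response_body):
    """Tester side: return the names of sensitive request parameters whose
    values appear verbatim anywhere in the raw response body.

    Matching on the value rather than the key matters here because the request
    uses password_old/password_new while the response uses oldPass/newPass.
    """
    leaked = [
        name for name, value in request_params.items()
        if name in SENSITIVE_KEYS and value and value in response_body
    ]
    return sorted(leaked)


# Vulnerable body (as reported) and hardened body (after redaction).
VULNERABLE_BODY = encode_api_body(build_captcha_response(SAMPLE_ORIG_CALL, redact=False))
HARDENED_BODY = encode_api_body(build_captcha_response(SAMPLE_ORIG_CALL, redact=True))

if __name__ == "__main__":
    print("vulnerable:", find_echoed_secrets(SAMPLE_REQUEST_PARAMS, VULNERABLE_BODY))
    print("hardened:  ", find_echoed_secrets(SAMPLE_REQUEST_PARAMS, HARDENED_BODY))
```

Running the checker against the two bodies reports password_conf, password_new and password_old as echoed in the vulnerable form and nothing in the hardened form. The substring check is deliberately format-agnostic, so it still catches the leak when the JSON is double-encoded or embedded inside the captchaHtml fragment.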
