Today I am publishing a write-up of a critical vulnerability that I found 5 months ago, which turned out to be a zero-day in the Lithium Community platform.
A little background on Lithium Community:
Lithium Technologies provides SaaS for Lithium's proprietary community platforms. See https://en.wikipedia.org/wiki/Lithium_Technologies and http://www.lithium.com/ for more information on the product. The company sells its proprietary community platform to many enterprise customers such as HP, Best Buy, Research In Motion, Sony, Comcast, PayPal, BT, VISA, Verizon, Symantec and AT&T.
As I said, the Lithium Community platform is used by 400+ companies, many of which are in the Fortune 500. All of these companies use the Lithium platform for their community, forum and blog sites.
I brought this zero-day vulnerability to Lithium's notice in July 2016, and it took them almost 5 months to fix it in their proprietary Community platform across all of their clients around the world.
About the Vulnerability
Vulnerability name: IDOR allowing permanent deletion of any user's community account.
This vulnerability can be used to delete anyone's account from the community forever. An attacker can delete the victim's account, including personal information, accepted solutions, posts, messages, topics, blogs, kudos, friends list and achievements, from the community site permanently. Once the account is deleted, the victim cannot reopen it and has to re-register as a new user. The vulnerability was so severe that an attacker could delete every account in the community within a matter of seconds.
This vulnerability was rated P1 (Critical severity) by many of the companies that run a bug bounty program. Of the 400+ affected companies, I reported this vulnerability to 9 through their bug bounty programs; the reason for the low count is that the others have no bug bounty program. I am not sure whether companies like BT, VISA, Verizon, Best Buy, HP, Palo Alto, etc. have fixed this vulnerability on their side, as I have no way to report it to them. Hence, I ask all the companies I could not report this to to test their sites and fix this immediately so they do not get hit!
When I reported this to Lithium Community, I was told they would fix the vulnerability one by one across all of their 400+ client sites in approximately 3 months. In the end I was awarded a total of $2000 by 9 different companies whose sites run on Lithium Community.
Among the 400+ sites, some of the affected community sites are:
- PayPal community site
- Verizon community sites: http://forums.verizon.com/
- AT&T forum: https://forums.att.com/
- Skype community: http://community.skype.com/
- Linksys community: https://community.linksys.com/
- Sony: http://community.eu.playstation.com/
- Palo Alto community
- https://talk.sonymobile.com/
- Comcast: http://forums.xfinity.com/
- Orange: http://communaute.orange.fr/
- Apple discussion site: https://discussions.apple.com/thread/5737090
- HP support and community sites
- BlackBerry support forums: https://supportforums.blackberry.com/
- HBO: http://talk.hbo.com/
- F-Secure community: http://community.f-secure.com/
- Lenovo forum: https://forums.lenovo.com/
- Juniper forums: http://forums.juniper.net/
- http://www.wallstreet-online.de/
- http://www.tripadvisor.ca/
- https://telekomhilft.telekom.de/
- http://www.banktech.com/
- and many more that use the Lithium Community platform
Proof of Concept:
For the PoC I created two accounts in community.[company].com: one is the victim's and the other is the attacker's.
The PoC below explains how the attacker is able to delete the victim's account.
Victim account: John_victim
Attacker account: don_yahoo
Step 1) The attacker don_yahoo logs in to the community.[company].com dashboard.
Step 2) The attacker goes to his community profile at https://community.[company].com/t5/user/viewprofilepage/user-id/6161419, so the attacker's user ID is 6161419, as seen in the URL.
Step 3) Now go to the attacker's personal profile: https://community.[company].com/t5/user/myprofilepage/tab/personal-profile
Step 4) There is an option to close the account. Close Account means delete the account forever. When the attacker clicks the Close Account tab, a POST request is sent, and the request content contains the attacker's user ID.
Step 5) Turn Burp proxy intercept on.
Step 6) Click Close Account and look at the intercepted POST request.
Step 7) Change the user ID in the request from the attacker's user ID 6161419 to the victim's user ID 6344809. Do this in the content section of the request, not in the cookies, as in image1.png.
Step 8) After forwarding the request, you get a response page in the browser asking for the attacker's username. Give the attacker's username, don_yahoo.
Step 9) After submitting the request, the victim's account is deleted.
VIDEO POC: https://youtu.be/nLAtXUhw65k
How to get the victim's user ID? Getting the victim's user ID is very simple. Suppose john_victim is your target. Search for john_victim's public profile using the community.[company].com search option, open the public community profile and take the user ID from the public profile URL, 6344809 for the victim below: https://community.[company].com/t5/user/viewprofilepage/user-id/6344809. The public profile is accessible publicly and needs no access, so anyone can open anyone's public profile and get their user ID.
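To make the defect concrete, here is an added illustration (not Lithium's code) of a close-account handler in the shape the PoC describes, next to a hardened version that authorizes against the login session instead of the request body; the Session and CommunityStore classes, the form dictionary and the sample accounts are constructed stand-ins that reuse the user IDs from the write-up.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int      # identity bound at login; the only trustworthy source
    username: str


@dataclass
class CommunityStore:
    users: dict = field(default_factory=dict)   # user_id -> username
    audit: list = field(default_factory=list)   # tampering signals for SOC


def close_account_vulnerable(store, session, form):
    """Vulnerable shape: the user-id in the POST body decides whose account is deleted."""
    target = int(form["user-id"])
    if target not in store.users:
        return False
    del store.users[target]
    return True


def close_account_fixed(store, session, form):
    """Hardened: the deleted account is always the session owner's.
    A body id that differs from the session is logged and refused."""
    requested = int(form.get("user-id", session.user_id))
    if requested != session.user_id:
        store.audit.append(f"IDOR attempt: session user {session.user_id} "
                           f"posted user-id {requested}")
        return False
    if form.get("username") != session.username:
        return False   # the re-confirmation from step 8, now checked server-side
    del store.users[session.user_id]
    return True


def make_store():
    # constructed sample accounts with the ids used in the write-up
    return CommunityStore(users={6161419: "don_yahoo", 6344809: "John_victim"})


def run_scenario(handler):
    """Replays step 7 against a handler; returns (deleted?, victim_survives?, audit_entries)."""
    store = make_store()
    attacker = Session(user_id=6161419, username="don_yahoo")
    tampered = {"user-id": "6344809", "username": "don_yahoo"}
    deleted = handler(store, attacker, tampered)
    return deleted, 6344809 in store.users, len(store.audit)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(close_account_vulnerable))
    print("fixed:     ", run_scenario(close_account_fixed))
```

The audit entry written by the hardened handler is the signal a detection rule should key on: a session user id that disagrees with the user id in a state-changing request.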
Awards and Recognition
| Company | Site | Award |
| --- | --- | --- |
| AT&T | forums.ATT.com | $250 + hall of fame |
| PayPal | paypal-community.com | $200 + hall of fame |
| Spotify | community.spotify.com | $500 + hall of fame |
| Ubiquity Networks | community.ubnt.com | $500 + hall of fame |
| ING Bank | Many sites | 400 Euro |
| Dutch Telekom | community site | $300 + hall of fame |
| F-Secure Networks | community.f-secure.com | Hall of fame |
| Juniper Networks | community site | still under process |
Publicly Disclosed by Ubiquity Networks through hackerone: https://hackerone.com/reports/156537
You can follow me on Twitter: https://twitter.com/vibs123i