Photobucket Private Album Access via CSRF
I've been playing a lot with CSRF lately. As I find ways to manipulate more and more services with what is probably the most basic type of attack possible, I keep getting surprised by the insanely cool things that one can do with it.
Photobucket allows users to make albums either "Public" or "Private", the latter of which will enable access only with a guest password. While chatting with a friend online recently, I tried to view one of her private albums. Knowing what I do for a living, she gave me permission to do so, but said I'd have to find my way in without her help. So I did.
The form for setting a private album's password and the form for making an album public are both vulnerable to CSRF. Worse, both perform the change through GET parameters, so a successful attack is trivial to pull off. I wrote a proof of concept, but it's really not that complicated.
Not only can users' albums be made public, but variations on this exploit can be used to change passwords on albums, delete photos, and compromise account passwords. This really is a serious issue: while Photobucket's TOS may protect them from liability (and may or may not hold up in court), there are a lot of extremely private photos stored there.
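What a fix on the server side looks like, as an added example that is not Photobucket's code: a state-changing album action is only honoured when it arrives as a same-site POST carrying the session's anti-CSRF token, so the GET-with-parameters trigger described above is refused. The site origin, request shape and handler name are assumptions.

```python
import hmac
import secrets

# Added example, not Photobucket's code. The check that would have blocked the
# attack above: album changes must arrive as a same-site POST carrying the
# session's anti-CSRF token, never as a GET with parameters in the URL.
SITE_ORIGIN = "https://photos.example"  # assumed origin of the hypothetical site

def new_csrf_token() -> str:
    """Per-session token; the server keeps a copy in the session store."""
    return secrets.token_urlsafe(32)

def is_state_change_allowed(request: dict, session_token: str) -> bool:
    """True only for a same-site POST whose csrf_token matches the session's."""
    # A GET must never change state: a link, <img src> or redirect on any
    # page the victim visits would be enough to fire it.
    if request.get("method") != "POST":
        return False
    submitted = request.get("params", {}).get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False  # missing or wrong token (constant-time compare)
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if headers.get("sec-fetch-site") not in (None, "same-origin", "none"):
        return False  # the browser says the request came from another site
    origin = headers.get("origin")
    return origin is None or origin == SITE_ORIGIN

def set_album_privacy(request: dict, session_token: str, albums: dict) -> bool:
    """Hypothetical handler for the 'make album public' form."""
    if not is_state_change_allowed(request, session_token):
        return False
    p = request["params"]
    if p.get("privacy") not in ("public", "private"):
        return False
    albums[p["album"]] = p["privacy"]
    return True

def demo() -> tuple:
    """Constructed requests: two forged attempts fail, the genuine one succeeds."""
    token, albums = new_csrf_token(), {"holiday": "private"}
    forged_get = {"method": "GET", "headers": {"sec-fetch-site": "cross-site"},
                  "params": {"album": "holiday", "privacy": "public"}}
    forged_post = {"method": "POST", "headers": {"origin": "https://evil.example"},
                   "params": {"album": "holiday", "privacy": "public", "csrf_token": "x"}}
    genuine = {"method": "POST", "headers": {"origin": SITE_ORIGIN},
               "params": {"album": "holiday", "privacy": "public", "csrf_token": token}}
    results = tuple(set_album_privacy(r, token, albums) for r in (forged_get, forged_post, genuine))
    return results, albums["holiday"]
```

Pairing the token check with a `SameSite=Lax` session cookie adds a second, browser-enforced layer, but the method and token checks are what make the form itself safe.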
I emailed a vulnerability report to Photobucket on the morning of 4-9-2009, but have not received a response.
Labels: 0-Day, CSRF, Exploits, Full Disclosure, Photobucket, Web Applications


10 Comments:
Photobucket just changed some settings, I guess. Not working anymore. =(
By Anonymous, at November 30, 2009 2:06 PM
this is a pretty handy way to get people to submit the links
http://trickeries.com/216/an-interesting-csrf-attack/
By Anonymous, at November 30, 2009 2:06 PM
My bad, I miscounted the days. Report was sent Thursday morning. In my experience, if they don't respond the first day, they don't respond at all.
By mckt, at November 30, 2009 2:06 PM
Isn't that a bit short of a delay before disclosing it? I mean, it's Easter and you emailed them on Friday, it's probable no one will read our email until tomorrow. I would have waited a week at the very least. Neat work anyways!
ekse
By Sébastien Duquette, at November 30, 2009 2:06 PM
seems like there is a new exploit
http://elurl.com/602
By Anonymous, at December 7, 2009 10:32 AM