It turns out the question form contained an XSS vulnerability :)
The form actually posted to Jotform.me, not Facebook. Looks like it's a third party plugin of some kind?
To gain access to Erin's Jotform account all we'd need to do is submit a standard XSS payload through the Facebook form and wait until she views her submissions on the Jotform site. It's almost too easy.
Now the clever ones among you may have noticed the irony of this situation. By gaining access to the Facebook JotForm account we'd be able to see all of the privacy questions people submitted through the Facebook site. Essentially breaching the privacy of people's privacy questions!
Privacy breaches aside, we could also target Erin directly with social engineering, redirect her to our own malicious site with the latest Adobe/Java exploits or a phishing page. XSS is really just the first step, there are many ways we could potentially drop the pwnage.
Speaking of pwnage...
Pwning every JotForm user
Although I didn't test this, it appears that it would be trivial to exploit almost every JotForm user by simply submitting malicious post requests across multiple account IDs. Post requests are non-authenticated and sent to a predictable URL:
With a little python/perl/ruby we could easily create a script to iterate through those ID numbers.
Or to speed this up we could distribute the attack by creating a worm that used some javascript to force users into re-posting to many different IDs thus spreading the payload. Gradually we'd compromise every single JotForm user. Nice.
Preventing stored XSS
Addressing XSS is usually straight forward. Some basic filtering/encoding of quotes and brackets normally does the job. However because Jotform actually used the tags from user submissions they had decided to implement a blacklist approach to filter malicious content. While this provided some protection it was trivial to evade.
As we saw earlier they missed the image event handler. They also missed the embed tag that I mentioned in my last post:
I've only covered the obvious examples, no doubt there are many more XSS vectors lurking on JotForm :)
Lesson number one, never trust third parties. If they get hacked, you get hacked.
Lesson number two, don't allow the inclusion of user defined HTML, it's just asking for trouble.
Both Facebook and Jotform were notified of these issues and they have now been fixed. Thanks to both companies for the quick responses!
Pwndizzle out
Erin where you at?
I assumed the question would be sent straight to Facebook but I was curious exactly how/where. Looking at the page code I saw something similar to the following:
The form actually posted to Jotform.me, not Facebook. Looks like it's a third party plugin of some kind?
The Jotform form
To better understand what was going on I headed to Jotform.com and signed up for a free account. I created a form identical to the Facebook form and injected an XSS image payload into every field.
When I viewed my submissions page I got the following:
To better understand what was going on I headed to Jotform.com and signed up for a free account. I created a form identical to the Facebook form and injected an XSS image payload into every field.
When I viewed my submissions page I got the following:
Looks like we've found a stored XSS vulnerability. Digging into the page code you can see that we didn't even need to break out of an attribute, html tags are just accepted and rendered! Uh oh.
To gain access to Erin's Jotform account all we'd need to do is submit a standard XSS payload through the Facebook form and wait until she views her submissions on the Jotform site. It's almost too easy.
Now the clever ones among you may have noticed the irony of this situation. By gaining access to the Facebook JotForm account we'd be able to see all of the privacy questions people submitted through the Facebook site. Essentially breaching the privacy of people's privacy questions!
Privacy breaches aside, we could also target Erin directly with social engineering, redirect her to our own malicious site with the latest Adobe/Java exploits or a phishing page. XSS is really just the first step, there are many ways we could potentially drop the pwnage.
Speaking of pwnage...
Pwning every JotForm user
Although I didn't test this, it appears that it would be trivial to exploit almost every JotForm user by simply submitting malicious post requests across multiple account IDs. Post requests are non-authenticated and sent to a predictable URL:
e.g. http://submit.jotform.me/submit/30563167563456
With a little python/perl/ruby we could easily create a script to iterate through those ID numbers.
Or to speed this up we could distribute the attack by creating a worm that used some javascript to force users into re-posting to many different IDs thus spreading the payload. Gradually we'd compromise every single JotForm user. Nice.
Preventing stored XSS
Addressing XSS is usually straight forward. Some basic filtering/encoding of quotes and brackets normally does the job. However because Jotform actually used the tags from user submissions they had decided to implement a blacklist approach to filter malicious content. While this provided some protection it was trivial to evade.
As we saw earlier they missed the image event handler. They also missed the embed tag that I mentioned in my last post:
I've only covered the obvious examples, no doubt there are many more XSS vectors lurking on JotForm :)
Conclusion
Lesson number one, never trust third parties. If they get hacked, you get hacked.
Lesson number two, don't allow the inclusion of user defined HTML, it's just asking for trouble.
Both Facebook and Jotform were notified of these issues and they have now been fixed. Thanks to both companies for the quick responses!
Pwndizzle out
The postings on your site are always excellent.
ReplyDeleteadult service
school fees management system
ReplyDeleteschool billing software
school management solution
educational management software
Thanks for the best share and i loved it,
ReplyDeletecinema hd alternatives
Hi....
ReplyDeleteyour machine and performs unwanted tasks, often for some third party's benefit. ... Protects your privacy on Facebook by checking settings and recommending.
You are also read more Home Loan Emi Calculator