Bug Bounty - Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Search Engine
(Enumerating the list of e-mail addresses and other information via search engine)
Dec 26th, 2017
@YoKoAcc ([email protected])
[English Version]
Bug Bounty - Information Disclosure at PayPal and Xoom via Search Engine | page | 2
Revision Detail
Version   Date             Detail
0.1       Dec 26th, 2017   -
Table of Contents
Revision Detail ........ 2
Table of Contents ........ 3
Table of Figures ........ 4
List of Tables ........ 4
I. ABSTRACT ........ 5
II. INTRODUCTION ........ 5
2.1. PayPal's Transaction Parameters in the HTTP Request ........ 7
2.2. Xoom's Issue Related to Information Disclosure ........ 7
2.2.1. Xoom's User Enumeration Prevention Concept ........ 7
2.2.2. Xoom's Referrer Parameter ........ 8
III. SUMMARY OF ISSUE ........ 8
IV. PROOF OF CONCEPT ........ 9
4.1. Enumerating the List of E-mail Addresses at Xoom ........ 9
4.2. Enumerating the List of Some Information at PayPal ........ 10
V. RECOMMENDATION ........ 12
VI. ADDITIONAL INFORMATION ........ 12
VII. LESSONS LEARNED ........ 13
VIII. ADDITIONAL NOTE ........ 13
Table of Figures
Figure 1 Common Blocking Rules - via Robots.txt ........ 5
Figure 2 Sample of Decoded Request at One of the Transactions at PayPal ........ 6
Figure 3 Block search indexing with 'noindex' ........ 6
Figure 4 Registering with the Registered E-mail Account - Protecting against Enumeration ........ 8
Figure 5 Information Disclosure via Search Engine - Referrer Feature ........ 9
Figure 6 Information Disclosure via Search Engine - Send Money Feature ........ 10
Figure 7 Information Disclosure at PayPal - sendMoneyText Parameter ........ 10
Figure 8 Information Disclosure at PayPal - payerView Parameter ........ 11
Figure 9 Information Disclosure at PayPal - em Parameter ........ 11
Figure 10 Sample of Valid Customer Invoice ........ 12
List of Tables
Table 1 Sample of the Complete Request ........ 7
I. ABSTRACT
Nobody who runs a site with a lot of content would deny that one of their biggest goals is to be indexed by the top search engines in the world. In reality, we should realize that the same search engine that helps us "promote" our content to the public can also "betray" the site owner and leak information if the owner does not set up the blocking rules properly.

This way of thinking was confirmed by the research conducted by Ateeq Khan. In November 2013 he showed an interesting vulnerability (Critical Information Disclosure) in Microsoft's Yammer product that relied on nothing more than the main function of a search engine: a token that had been indexed "accidentally" by the search engine leaked, and an attacker could use it to log in to the related account.

Given these two sides of a search engine, in this short paper we discuss the same class of vulnerability (the one Ateeq Khan found in 2013) at another big company, PayPal. The problem exists because PayPal and Xoom (a PayPal acquisition) did not set up the blocking rules properly to prevent search engines from indexing the list of e-mail addresses and some of the transaction purposes that their users entered in the application. Using a simple dork (on Google or other engines), we could easily enumerate this information.
II. INTRODUCTION
In its implementation, PayPal sends the user's transaction details with the GET method over HTTPS. Please note that there is nothing wrong with the method as such. But with so many customers performing so many transactions around the world, the chance that a search engine indexes those URLs becomes higher if the site does not set up the blocking rules properly.

Commonly, blocking rules can be set up easily by writing some "Disallow" rules in the robots.txt file.

Figure 1 Common Blocking Rules - via Robots.txt
As seen from the sample structure above, those rules are very effective at preventing the search engine from indexing the content inside the listed directories. But when everything is processed through the URL, as PayPal does, it becomes a different matter.

Figure 2 Sample of Decoded Request at One of the Transactions at PayPal

As we can see from the sample above, without proper search-engine blocking the attacker can try to enumerate this information via the search engine.

Please note: to prevent the search engine from indexing this type of request, the developer should commonly use the noindex meta tag in the page. Google's documentation describes this as the other way to keep such requests out of the index.

Figure 3 Block search indexing with 'noindex'

HubSpot, in one of their articles, also describes two effective ways to prevent the search engine from indexing content that may be sensitive or not useful.
2.1. PayPal's Transaction Parameters in the HTTP Request
When a user wants to send money to another account, PayPal normally sends a request to the server with the GET method that carries several parameters, such as: recipient, onboardData, sendMoney, currencyCode, payment_type, sendMoneyText, and intent.

For example, here is the complete request sent by a user who wants to send money:

(GET method):
https://www.paypal.com/signin/?country.x=US&locale.x=en-US&returnUri=https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift&onboardData={"intent":"sendMoney","recipient":"(victim_email_address)","currency":"$","amount":"1000.00","redirect_url":"https://www.paypal.com/myaccount/transfer/send/external?recipient=(victim_email_address)&amount=1000.00&currencyCode=USD&payment_type=Gift","flow":"p2p","country":"US","locale":"en-US","sendMoneyText":"Custom message, for example is sending a money to victim_email_address"}

Table 1 Sample of the Complete Request

As stated earlier, since all of these parameters are carried in the URL, we can try to enumerate the transactions that registered users have ever made.
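To make concrete what actually reaches a search engine, here is an added example (not PayPal's code and not part of the original report) that builds a request shaped like Table 1, with the nested returnUri and onboardData values percent-encoded the way a browser sends them on the wire, and then unwraps every URL-valued and JSON-valued parameter to list the fields that carry the recipient's address, the amount and the custom message. The parameter names are those from Table 1; the e-mail address, amount and message text are constructed placeholders.

```python
"""Unwrap a nested PayPal-style send-money URL and list the fields that would
be exposed if a search engine indexed the URL.

Added example, not PayPal's code. Parameter names come from Table 1; the
recipient address, amount and message are constructed placeholders.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names from Table 1 that identify a user or describe the transaction.
SENSITIVE_KEYS = {"recipient", "amount", "currencyCode", "payment_type",
                  "sendMoneyText", "intent"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _query_dict(url):
    """Decode one level of query string (percent-decoding its values once)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def _walk(path, key, value, found):
    """Recurse into URL-valued and JSON-valued parameters; record leaves whose
    key is sensitive or whose value contains an e-mail address."""
    if isinstance(value, dict):
        for child_key, child_val in value.items():
            child_path = f"{path}.{child_key}" if path else child_key
            _walk(child_path, child_key, child_val, found)
        return
    if not isinstance(value, str):
        value = json.dumps(value)
    text = value.strip()
    if text.startswith("{"):                      # JSON document (e.g. onboardData)
        try:
            _walk(path, key, json.loads(text), found)
            return
        except json.JSONDecodeError:
            pass
    if text.startswith(("http://", "https://")) and "?" in text:   # URL (e.g. returnUri)
        _walk(path, key, _query_dict(text), found)
        return
    if key in SENSITIVE_KEYS or EMAIL_RE.search(value):
        found[path] = value


def sensitive_fields(url):
    """Return {dotted.path: value} for every exposed field, however deeply nested."""
    found = {}
    _walk("", "", _query_dict(url), found)
    return found


def leaked_emails(url):
    """Distinct e-mail addresses found anywhere in the (unwrapped) URL."""
    emails = set()
    for value in sensitive_fields(url).values():
        emails.update(EMAIL_RE.findall(value))
    return emails


def build_sample_url(recipient="alice@example.com", amount="1000.00"):
    """Construct a request shaped like Table 1 (placeholder data), with the
    nesting percent-encoded the way a browser actually sends it."""
    inner_qs = urlencode({"recipient": recipient, "amount": amount,
                          "currencyCode": "USD", "payment_type": "Gift"})
    inner = f"https://www.paypal.com/myaccount/transfer/send/external?{inner_qs}"
    onboard = {"intent": "sendMoney", "recipient": recipient, "currency": "$",
               "amount": amount, "redirect_url": inner, "flow": "p2p",
               "country": "US", "locale": "en-US",
               "sendMoneyText": f"Custom message, for example sending money to {recipient}"}
    return_uri = inner + "&" + urlencode({"onboardData": json.dumps(onboard, separators=(",", ":"))})
    outer_qs = urlencode({"country.x": "US", "locale.x": "en-US", "returnUri": return_uri})
    return f"https://www.paypal.com/signin/?{outer_qs}"


if __name__ == "__main__":
    for field_path, field_value in sensitive_fields(build_sample_url()).items():
        print(f"{field_path}: {field_value}")
    print("e-mail addresses exposed:", sorted(leaked_emails(build_sample_url())))
```

The recipient address appears three times in one URL (the inner returnUri, the onboardData JSON, and the redirect_url inside that JSON), which is why a single indexed sign-in URL is enough to expose both parties' data and the message text.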
2.2. Xoom's Issue Related to Information Disclosure
This one is a little different from PayPal. When we did our research with this kind of trick, we did not get any information except the e-mail addresses. At first we thought this information would not be considered a vulnerability from PayPal's point of view. But when we found out that Xoom had implemented a unique method to prevent user enumeration at their portal, we decided to report this issue to PayPal too (and yes, they acknowledged the report as a valid issue).
2.2.1. Xoom's User Enumeration Prevention Concept
When we register an account at Xoom for the first time, Xoom processes the registration normally and sends a verification request to the related user. The unique thing happens when the user/attacker tries to register an account that already exists in the application: Xoom still processes the registration normally, just like a registration for a user who does not exist in the system. At the same time, Xoom sends a warning e-mail to the registered account that the attacker tried to register again.
In other words, registered or not, Xoom processes the registration normally without showing an error if the account already exists; only at the backend does Xoom differentiate between a registered and an unregistered account.

Figure 4 Registering with the Registered E-mail Account - Protecting against Enumeration

Having learned this flow, it follows that any way for us to enumerate the user IDs is a flaw, because it defeats a protection Xoom deliberately built.
2.2.2. Xoom's Referrer Parameter
One of the biggest questions that came to our mind was how we could enumerate the list of users at Xoom. The answer came with the refer-a-friend ("referrer") feature.

Referral is a feature commonly used by public companies to increase the use of their service. Usually the referral link comes with an interesting promotion that the receiver can use. Xoom also has this feature (found at: https://www.xoom.com/xoom-refer-a-friend-program), which its registered users can use to get a "$20 Amazon eGift card" for every first transfer by a new user with a value of $400 or more (transaction fee excluded).

And, just as described earlier, the missing blocking rules on this feature allowed the attacker to enumerate the list of registered users through the search engine.
III. SUMMARY OF ISSUE
As described above, the security problem in this report is the enumeration of some information (information disclosure) via search engine. The problem exists because PayPal had not implemented the proper blocking rules.
IV. PROOF OF CONCEPT
The proof of concept for this issue is extremely easy. We just need a simple Google dork to find the information that was ever exposed while users were using the service.
4.1. Enumerating the List of E-mail Addresses at Xoom
Here are the Google dorks that can be used to find registered users at Xoom who have ever used the service:
• site:xoom.com inurl:'@gmail.com'
• site:xoom.com inurl:'@yahoo.com'
• site:xoom.com inurl:'@hotmail.com'
• site:xoom.com inurl:'@msn.com'
• site:xoom.com inurl:'e=' 'refer'
• site:xoom.com inurl:'tellapal.id'
Please note:
• The same dork works for any other domain that provides an e-mail service; just change the domain part.
• The information disclosure can also be found through other features, such as send-money (not only the referrer feature).
Figure 5 Information Disclosure via Search Engine - Referrer Feature
Figure 6 Information Disclosure via Search Engine - Send Money Feature
4.2. Enumerating the List of Some Information at PayPal
Just like the previous one, here are the Google dorks that can be used to find some of the information:
• site:paypal.com inurl:'payment_type='
• site:paypal.com inurl:intent
• site:paypal.com inurl:'sendMoneyText'
• site:paypal.com inurl:'recipient='
• site:paypal.com inurl:currencyCode=
• site:paypal.com inurl:onboardData=
• site:paypal.com inurl:sendMoney
• site:paypal.com inurl:item_name
• site:paypal.com inurl:counterparty
Figure 7 Information Disclosure at PayPal - sendMoneyText Parameter
Figure 8 Information Disclosure at PayPal - payerView Parameter
Figure 9 Information Disclosure at PayPal - em Parameter

In another situation, we could also find valid customer invoices that had accidentally been posted in a public area (the Internet):

Figure 10 Sample of Valid Customer Invoice
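A site owner can run the dorks from sections 4.1 and 4.2 against their own URL inventory (a sitemap or the server's access log) before a search engine does. The following is an added example, not part of the original report and not Xoom's or PayPal's code: it turns the `site:`/`inurl:` dorks into offline string predicates and runs them over a constructed list of URLs (the paths are invented; only the hostnames and parameter names come from the dorks above). Plain quoted terms such as 'refer' are matched against the URL as well, since no page content is available offline.

```python
"""Run Google-style site:/inurl: dorks offline against a URL inventory.

Added example, not the report's or Xoom's/PayPal's code. The dorks are the
ones listed in sections 4.1 and 4.2; the URL inventory is constructed (paths
are invented, only the hostnames and parameter names come from the dorks).
"""
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# one dork token: optional operator, then a single-quoted, double-quoted or bare term
_TOKEN_RE = re.compile(r"""(?:(site|inurl):)?(?:'([^']*)'|"([^"]*)"|(\S+))""")


def parse_dork(dork):
    """Split a dork into (site restriction, [terms]). Plain quoted terms such as
    'refer' are kept as terms too: offline we only have URLs, so they are matched
    against the URL instead of page content (an approximation of Google)."""
    site, terms = None, []
    for op, single, double, bare in _TOKEN_RE.findall(dork):
        term = single or double or bare
        if op == "site":
            site = term.lower()
        else:
            terms.append(term.lower())
    return site, terms


def url_matches(url, dork):
    """site: matches the host or any subdomain; every term must occur in the
    percent-decoded URL, which is how inurl: sees an e-mail address."""
    site, terms = parse_dork(dork)
    host = (urlsplit(url).hostname or "").lower()
    if site and host != site and not host.endswith("." + site):
        return False
    haystack = unquote(url).lower()
    return all(term in haystack for term in terms)


def run_dorks(urls, dorks):
    """{dork: [matching urls]} in inventory order."""
    return {dork: [u for u in urls if url_matches(u, dork)] for dork in dorks}


def emails_by_domain(urls):
    """Aggregate every e-mail address visible in the URLs by mail domain, which
    is what the per-provider dorks above enumerate one domain at a time."""
    out = {}
    for url in urls:
        for email in set(EMAIL_RE.findall(unquote(url))):
            domain = email.rsplit("@", 1)[1].lower()
            out.setdefault(domain, set()).add(email.lower())
    return out


# constructed inventory, e.g. what a sitemap or the site's own access log would list
SAMPLE_URLS = [
    "https://www.xoom.com/refer?e=alice%40gmail.com&refer=1",
    "https://www.xoom.com/send-money?e=bob%40hotmail.com",
    "https://www.xoom.com/help/faq",
    "https://www.paypal.com/myaccount/transfer/send/external"
    "?recipient=carol%40yahoo.com&amount=50.00&currencyCode=USD&payment_type=Gift",
    "https://www.paypal.com/signin/?returnUri=%2Fmyaccount",
    "https://example.com/refer?e=mallory%40gmail.com",   # out of scope for site:xoom.com
]
DORKS = [
    "site:xoom.com inurl:'@gmail.com'",
    "site:xoom.com inurl:'e=' 'refer'",
    "site:paypal.com inurl:'payment_type='",
    "site:paypal.com inurl:'recipient='",
]

if __name__ == "__main__":
    for dork, hits in run_dorks(SAMPLE_URLS, DORKS).items():
        print(dork, "->", hits)
    for domain, addresses in sorted(emails_by_domain(SAMPLE_URLS).items()):
        print(domain, "->", sorted(addresses))
```

Anything this reports from your own inventory is already a candidate for a search-engine hit; the fix belongs on the server side (see the recommendation below), not in the dork list.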
V. RECOMMENDATION
Google has published a detailed explanation of how to prevent this issue; the details can be found in the article "Block search indexing with 'noindex'". Two caveats from that documentation matter here. First, a noindex directive (meta tag or X-Robots-Tag header) only takes effect if the crawler is allowed to fetch the page, so the affected paths must not also be disallowed in robots.txt: a disallowed URL that is linked from somewhere can still be listed by its URL alone, query string included, which for these URLs is exactly the leak. Second, because the sensitive values sit in the URL itself, they also reach places a noindex cannot control, such as server logs and Referer headers, so keeping such data out of GET parameters altogether is the more robust fix.
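The interaction between robots.txt and noindex described above is easy to get wrong, so here is an added example (not Google's, PayPal's or the report's code) that classifies a URL's likely indexing outcome from the site's robots.txt plus the response headers and HTML. It encodes two rules from Google's documentation: a Disallow stops crawling but not indexing of the URL string, so a noindex on a disallowed page is never seen; a noindex in the robots meta tag or the X-Robots-Tag header keeps a crawlable page out of the index. The robots.txt, headers and HTML are constructed inputs, not PayPal's real configuration.

```python
"""Classify how a search engine may treat a URL given the site's robots.txt and
the HTTP response for that URL.

Added example; not Google's, PayPal's or the report's code. The robots.txt,
headers and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_robots(text, agent="*"):
    """Return [(directive, path_prefix)] for the best-matching User-agent group.
    Minimal parser: plain prefix rules only, no * or $ wildcards."""
    groups, agents, rules, in_rules = [], set(), [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                      # a User-agent after rules opens a new group
                groups.append((agents, rules))
                agents, rules, in_rules = set(), [], False
            agents.add(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field, value))
            in_rules = True
    if agents:
        groups.append((agents, rules))
    for wanted in (agent.lower(), "*"):       # specific group first, then the default
        for group_agents, group_rules in groups:
            if wanted in group_agents:
                return group_rules
    return []


def crawl_allowed(robots_txt, path_and_query, agent="*"):
    """Longest matching prefix wins; on equal length Allow beats Disallow."""
    best = None                               # (prefix length, directive)
    for directive, prefix in parse_robots(robots_txt, agent):
        if prefix and path_and_query.startswith(prefix):   # empty 'Disallow:' allows all
            candidate = (len(prefix), directive)
            if (best is None or candidate[0] > best[0]
                    or (candidate[0] == best[0] and directive == "allow")):
                best = candidate
    return best is None or best[1] == "allow"


class _RobotsMeta(HTMLParser):
    """Collects noindex from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            directives = {d.strip().lower() for d in attr.get("content", "").split(",")}
            if directives & {"noindex", "none"}:
                self.noindex = True


def has_noindex(headers, body):
    """True if the response carries noindex in X-Robots-Tag or a robots meta tag."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # forms: "noindex", "noindex, nofollow", "googlebot: noindex"
            directives = {d.strip().lower() for d in value.replace(":", ",").split(",")}
            if directives & {"noindex", "none"}:
                return True
    parser = _RobotsMeta()
    parser.feed(body)
    parser.close()
    return parser.noindex


def indexing_outcome(url, robots_txt, headers, body, agent="*"):
    """'blocked-crawl': robots.txt stops the fetch, so the URL (query string
    included) may still be indexed from links and a noindex is never seen;
    'noindex': crawled and kept out of the index; 'indexable': neither."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    if not crawl_allowed(robots_txt, target, agent):
        return "blocked-crawl"
    if has_noindex(headers, body):
        return "noindex"
    return "indexable"


# constructed inputs (not PayPal's real robots.txt or responses)
ROBOTS_TXT = "User-agent: *\nDisallow: /myaccount/transfer/\nAllow: /myaccount/transfer/help\n"
NOINDEX_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
PLAIN_HEADERS = {"Content-Type": "text/html"}
NOINDEX_BODY = '<html><head><meta name="robots" content="noindex"></head><body></body></html>'
PLAIN_BODY = "<html><head><title>Send money</title></head><body></body></html>"
SEND_URL = "https://www.paypal.com/myaccount/transfer/send/external?recipient=alice%40example.com"

if __name__ == "__main__":
    print(SEND_URL, "->", indexing_outcome(SEND_URL, ROBOTS_TXT, NOINDEX_HEADERS, NOINDEX_BODY))
    print("https://www.paypal.com/signin/", "->",
          indexing_outcome("https://www.paypal.com/signin/", ROBOTS_TXT, NOINDEX_HEADERS, PLAIN_BODY))
```

The first case in the `__main__` block is the trap: the send-money URL carries both a noindex header and a noindex meta tag, yet the verdict is still "blocked-crawl", because the Disallow for /myaccount/transfer/ means no crawler ever reads those directives.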
VI. ADDITIONAL INFORMATION
To complete the explanation, we uploaded unlisted videos to YouTube for both scenarios:
6.1. Information Disclosure at PayPal: https://youtu.be/N4owd36BNJY
6.2. Information Disclosure at Xoom: https://youtu.be/1cwwcFeJge8
VII. LESSONS LEARNED
7.1. From the Xoom case: always try to find a way to turn your finding into a valid one by looking at the procedure or flow of the application. Even if in some cases it is not a valid security issue, it is worth trying (especially if no points are deducted when the issue turns out to be invalid).
7.2. And yes, one very useful lesson: please spare the time to read the research conducted by other researchers. For the record, this research was inspired by Ateeq Khan's research on the Critical Information Disclosure in Microsoft's Yammer product.
The details can be found at: https://www.vulnerability-lab.com/get_content.php?id=1003
VIII. ADDITIONAL NOTE
The initial bounty was sent on July 13th, 2017 (Xoom domain) and August 25th, 2017 (PayPal domain).
The final bounty was sent on August 25th, 2017 (Xoom domain) and December 6th, 2017 (PayPal domain).