CRITICAL VULNERABILITIES IN LIKES.COM
Fouad discovered that the Likes.com website suffers from three security flaws:
CSRF – Cross-Site Request Forgery
Among the three flaws, the most critical one, according to Fouad, is the CSRF vulnerability, because exploiting it lets an attacker force users to add malicious links to their posts and comments; if users click such a link, their accounts are deleted in a single click.
Cross-Site Request Forgery (CSRF or XSRF) is a method of attacking a web site in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on the victim's behalf, which works if they can either:
Convince your users to open an HTML page they have constructed
Insert arbitrary HTML into a target website that your users visit
Basically, an attacker uses CSRF to trick a victim into visiting a website or clicking a URL that carries a malicious or unauthorized request, which the victim's browser then sends with the victim's own session.
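As an added illustration (not part of the original article or of Likes.com's own code), this is the synchronizer-token check that stops a forged account-deletion request: the browser attaches the session cookie automatically, but the attacker's page cannot read the per-session token, so the forged request is refused. The request dict, in-memory session store and handler name are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a server-side session store: session_id -> session data.
SESSIONS = {}


def create_session(user):
    """Open a logged-in session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate application embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def handle_delete_account(request):
    """
    Hypothetical handler for a state-changing action (deleting the account).
    `request` is a constructed dict with keys: method, cookies, form.
    Returns a (status, message) tuple.
    """
    # A plain link only produces a GET; destructive actions must never be reachable that way.
    if request["method"] != "POST":
        return 405, "state-changing actions must not be reachable via GET links"
    sid = request["cookies"].get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # A cross-site page cannot read the token, so a forged request cannot supply it.
    # Constant-time comparison so timing does not leak anything about the token.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    del SESSIONS[sid]
    return 200, "account %s deleted" % session["user"]
```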
JUST ONE CLICK AND USERS’ ACCOUNTS DELETED
“It’s so easy, I tried it but in some testing accounts. I was able to generate my malicious url in all posts by image_id (Post), then my malicious url was in thousands of posts as a comment. So any user who clicks it, his/her account will be deleted immediately,”
Not just this: a cyber criminal could escalate the same CSRF vulnerability to deface the entire website by generating random posts (image_ids) and posting to them a malicious URL that deletes user accounts, wiping out a large number of accounts in just one click.
“Using the same CSRF vulnerability, I can also force the user to post my malicious URL to his/her account, so that all his/her friends who browse that link will have their accounts deleted by just one click.”
LOGIN BRUTE-FORCE ATTACK
Fouad discovered an account password by systematically trying every possible combination of letters, numbers and symbols until he found the correct one. This clearly means that the login page of the Likes.com website has no protection against password brute-force attacks.
As a result, anyone can make an unlimited number of attempts to guess the correct password. The site should implement some type of account lockout after a defined number of incorrect password attempts, said Fouad in his blog post.
LOGIN BYPASS ATTACK
Fouad also found a security problem in the login flow: when anyone clicks the “unsubscribe” link in their email notifications, the user is redirected to the account settings page.
When he opened this URL in different browsers and on different machines, he was able to access the account normally, without logging in. This shows that the link lets an attacker bypass the Likes.com login entirely.
As a responsible security researcher, Fouad reported the critical flaws to the Likes team 10 days ago, but the company has neither fixed them nor replied to him. Fouad has also provided a video demonstration as a proof of concept. The vulnerabilities are critical and should be fixed as soon as possible.
Source : THN