Iframe injection and self xss on over 20,000 websites of alexarank UA / RU

I decided to walk through the Ukrainian Alexa top list and began looking for vulnerabilities at gismeteo.ua (20th place). It redirected to the Russian version (www.gismeteo.ru/soft/).

I paid attention to the technical support widget. It was hosted at gismeteo.userecho.com and loaded into gismeteo in an iframe:


Then there was a form for creating a ticket.

I tried to load my own site in the iframe via https://gismeteo.userecho.com/s/interframe.html?url=https://securityz.net, but it did not load. Then I realized that, in addition to the url of the site to load, you also need the lang, referer, xdm_e and other parameters.

I went to the url http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=en&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 and my site was loaded in the frame.


It turned out that userecho.com uses the same widget API on all of its clients' support sites, so all of its clients are vulnerable to iframe injection.
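The root cause is that interframe.html framed whatever value arrived in its url parameter. As an added example (not userecho's code), this is the kind of origin allow-list check a framing helper should apply, plus a CSP frame-src directive as a second layer; the tenant origins and function names are assumptions for this illustration.

```javascript
// Hypothetical per-tenant allow-list: the customer's own site plus the
// widget host. Constructed for this example, not taken from userecho.
const ALLOWED_ORIGINS = new Set([
  "https://www.gismeteo.ru",
  "https://support.gismeteo.ru",
]);

// Return the URL to frame if its origin is on the allow-list, else null.
// Parsing with the URL class (rather than string prefix checks) rejects
// javascript:/data: schemes, "user@host" confusion and look-alike hosts
// such as "https://www.gismeteo.ru.evil.example".
function allowedFrameUrl(rawUrl, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  if (parsed.protocol !== "https:") return null; // no http:, javascript:, data:
  if (parsed.username || parsed.password) return null; // no credentials in URL
  if (!allowed.has(parsed.origin)) return null; // exact origin match only
  return parsed.href;
}

// Simulated handling of the interframe.html query string: only the
// validated target (or nothing) is ever placed into the iframe src.
function frameTargetFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("url");
  return raw ? allowedFrameUrl(raw) : null;
}

// Defence in depth: a Content-Security-Policy frame-src directive built
// from the same allow-list makes the browser refuse to frame anything else,
// even if a future code path forgets to call allowedFrameUrl().
function frameSrcDirective(allowed = ALLOWED_ORIGINS) {
  return "frame-src " + [...allowed].join(" ") + ";";
}

// Demonstration on constructed inputs.
console.log(frameTargetFromQuery("url=https%3A%2F%2Fwww.gismeteo.ru%2Fsoft%2F&lang=ru"));
console.log(frameTargetFromQuery("url=https://securityz.net/?lang=en&referer=https://www.gismeteo.ru/soft/"));
console.log(frameSrcDirective());
```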

The list of top clients at http://userecho.com/clients/?lang=en shows that many of the vulnerable customers are among the most visited sites:

  • drugvokrug.ru (social network, more than 5 000 000 users)
  • fl.ru (the most popular freelance exchange in Russia)
  • easypay.ua (one of the most visited payment systems in Ukraine)
  • tankionline.com
  • ivi.ru
  • amiro.ru
  • okko.tv
  • insales.ru
  • a-lab.ru
  • scrapinghub.com
  • iridiummobile.net and many others.

Almost all sites host the userecho widget on their own subdomain (for example ask.drugvokrug.ru), but some use a subdomain of userecho itself (kontur.userecho.com). Userecho clients can also be found with Google / Yandex dorks.

Attack vectors:

  1. Phishing: load your own site, containing a copy of the original, which cannot be distinguished from the original; the victim enters their data and it comes to me (login, password, credit card numbers, CVV2 on easypay.ua, etc.). Example: http://securityz.net/gismeteo.html?lang=en&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 – I made a copy of the gismeteo site, and if a person enters a username and password on it, they come to me.
  2. Injecting advertising into the iframe, which can be passed off as advertising from the vulnerable site itself. Example: http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1
  3. Running malicious code on a vulnerable site. JavaScript can of course be executed inside the iframe, but not in the context of the vulnerable domain (the alert is on my site).

To distribute a malicious link, you would first shorten it (goo.gl/GIYRUR), then:

  1. Mass-mail it to forums and email addresses.
  2. Use the vulnerability in a targeted attack against a specific user or administrator.

I could have sent a vulnerability report to every vulnerable site, but the vulnerability would have been promptly fixed by the userecho developers and I might have gotten nothing from either the vulnerable sites or the widget developers.

Therefore, I decided to immediately report the find to the developers of the plug-in.

09.01.2017 at 11 PM: a bug report was sent to userecho.com tech support.

10.01.2017 at 00:10: vulnerability fixed, the vulnerable file interframe.html removed (comment from the developers: "the file interframe.html is no longer available (deleted) and all widgets work without it. Therefore everything works with the same API.").

10.01.2017 at 02:14: the developers paid a reward of $100. Their comment:

You must understand that we are not such a big company. In addition, this is generally the first time we have decided to give someone a cash reward.

I also found a self-XSS vulnerability in userecho support, which they are not going to fix; more than 20 thousand sites are vulnerable, here is the article and PoC.

I had a hard time persuading the developers to fix the iframe injection:

We saw from the logs that you were playing with interframe.html and basically understood why and how it was used. It was only not clear how to use it to advantage.

Since now we understand the use cases and you pushed us to fix it, we are ready to transfer you 100USD.

To keep up with all my latest publications, subscribe on Twitter (https://twitter.com/qiecew9w) and Telegram. I will be very happy.
