Wednesday 14 March 2018

Information Leakage Through Child Tab - Mozilla

Hi Internet,

This bug was marked as RESOLVED and WONTFIX by Mozilla team but it was a good finding and learning for me hope you enjoy the read.
PS: The below issue also work when you are in "Incognito Mode/Private Browsing"
Summary:
You just need to press SHIFT+CTRL+N to restore your session even if you have closed your child tab in Mozilla browser, I may not be able to explain well but here is what i got.

The application which have some services which opens in child tab (Using Auth) and once the user perform his/her activity, and logout from the session or close the child tab, still by pressing SHIFT+CTRL+N open's up the same child tab with information which was feed by the above user, without providing any user creds.

Example 1:
1. Login to blogger.com
2. Navigate to Layout
3. Edit any gadgets from it (Its opens up a child tab)
4. Close the child tab, Logout from Gmail
5. Press SHIFT+CTRL+N you will be able to see the above child tab

Impact and Assumption:
Information leakage, lets suppose a scenario where user feed his/her credit card details or such in child tab. I am not sure, by pressing SHIFT+CTRL+N something like this should happen or not or its working as intended.

Mozilla says:
We allow you to undo close tab in private browsing, so undo'ing closing a window seems straightforward as something we will want to continue doing. Certainly I don't think this is a security issue that needs to stay hidden. The website could defend against this type of thing by checking login state when a page loads.

But, I browsed to many famous services offered over the Internet and this perfectly works over there and application directly allows you to restore back with your session from where you left, Obviously we can't perform any dynamic activity but can view data.

Example 2:
This is one of the well know bank in India which allows users to do netbanking but opens the login portal in child tab,
I logged in as genuine user performed my activity and closed my child tab, hence forth just press SHIFT+CTRL+N and your session will be restored back.

Now, this bank uses only POST method so when I clicked SHIFT+CTRL+N it gave me error of HTTP Method, well I just went to network tab and send the response again in POST method and guess what it gave me 200 OK and response was perfectly shown from where I left.

Here is an example javascript which open Facebook in child tab.

Regards
Dhiraj
Share:

Monday 5 March 2018

Thankyou McDonald for free cookies

Summary:
Pwing McDonald's  in 3 step and getting access to 5000+ usernames and passwords of McDonald's users. Hope you like the read..
Img Src: https://www.creativebloq.com/logo-design/mcdonalds-logo-short-11135325

Abstract:

Well, finding this bug was not a pain it was simple, and if you are not aware www.mcdelivery.co.in is under bug bounty program.

Lets Get Started :
As usual i started with sub-domain enumeration where I got a  subdomain (email.mcdelivery.co.in) which was not hosting any services for customers. Moving further I ran dirsearch on same, and  got 200 OK @ (email.mcdelivery.co.in/dump.tar.gz) (Looks like some kind of backup for McDelivery).

FYI
Okay so, extracting the tar file made me concluded it's actual a backup of McDelivery which consists of many things such as their DB, Website Backup's and many other juicy information. (Still I feel there must me something more...)

Lets Do Some Old School Tricks :
Why not simply do keyword search in entire dump file using grep
Then come's the results, their were multiple files having match of keyword "password" but then there was an excel sheet as well which I couldn't find during my manual search (GUI based).
The excel file had ~ (tilde) symbol after extension, obviously askubuntu have an answer for this. Anyways, guess what the excel sheet had username, email ID and password's !!!
and the count goes on .....

Big deal huhh !

Quick Flash :
25th February 2018: Informed McDonald's
26th February 2018: McDonald's Acknowledged 
28th February 2018: Reminder sent to McDonald's
28th February 2018: McDonald's Escalated Internally
28th February 2018: Issue Resolved
Share: