GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

pocket_2

 

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

 

Domain:
getpocket.com

“Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world’s leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows.” (From: https://getpocket.com/about)

 

 

Vulnerability Description:
Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.” (OWSAP)
Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

 

Vulnerability Details:

 

Vulnerable URL:
https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

 

Use a website created by me for the following tests. The website is “http://itinfotech.tumblr.com/“. Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.

 

<a href=”https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test”>getpocket csrf test</a> [1]

 

When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her “Pocket” without his/her notice. An attack happens.

 

Advertisements
This entry was posted in CSRF Vulnerability, Web Security, Website Testing and tagged , , , , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

  1. black night says:

    http://it.people.com.cn/n/2014/0504/c1009-24969253.html

      今晨,继OpenSSL漏洞后,开源安全软件再曝安全漏洞。新加坡南洋理工大学研究人员Wang Jing发现,Oauth2.0授权接口的网站存“隐蔽重定向”漏洞,黑客可利用该漏洞给钓鱼网站“变装”,用知名大型网站链接引诱用户登录钓鱼网站,一旦用户访问钓鱼网站并成功登陆授权,黑客即可读取其在网站上存储的私密信息。据悉,腾讯QQ、新浪微博、Facebook、Google等国内外大量知名网站受影响,360网络攻防实验室已紧急公布了修复方案,企业和个人用户均可通过360安全卫士防范该漏洞攻击。

    Like

  2. john brown says:

    http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

    A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect” by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

    Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s