Closed Bug 1783266 Opened 2 years ago Closed 2 years ago

External authentication prompt injection via unsafe remote file include at https://firefox-newtab-proxy.getpocket.com/docs

Categories

(Websites :: Other, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: todayisnew, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-low, wsec-authentication, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Good day, I truly hope it treats you great on your side of the screen :)

I have found that you have a site which is vulnerable to a remote file include to an arbitrary host - in this case, I am able to load my own content from todayisnewpoc.surge.sh.

There is sanitization of the data being loaded from todayisnewpoc.surge.sh, which can prevent some common attack vectors/known payloads, but I am still able to inject a custom authentication prompt which loads when visiting the page.

This prompt is being served from an arbitrary location (authorization.site), which can be modified as needed to be as convincing as possible to any possible victim. Imagine yourdomain.authorization.site, for example. Depending on the browser being used, a message can be included along with the prompt to make it seem more trustworthy.

When a victim enters their information into the prompt, it is sent to the arbitrary location being used by the attacker (authorization.site) along with their IP address, and stored in plain text for the attacker to use when desired.

Additionally, if the victim closes the first prompt, an attacker can serve arbitrary text on the page to encourage them to authorize. If they do so by clicking on the Authorize button, then clicking on the subsequent Authorize button, the victim will again be shown my external authentication prompt from authorization.site.

POC:

https://firefox-newtab-proxy.getpocket.com/docs?url=https://todayisnewpoc.surge.sh/auth2.yaml

How to fix: Restrict the ability to load external json/yaml files via the configUrl and url parameters, or implement an allowed-list for domains which can load via these parameters.

May you be well on your side of the screen :)

-Eric

Flags: sec-bounty?
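The allowlist the reporter suggests above, written out as an added example; this is not code from the report, from Pocket, or from Swagger UI/FastAPI. It assumes the docs handler receives the raw query string and resolves the spec URL server-side before rendering Swagger UI; the allowlisted host, the default spec path and the function names are assumptions for illustration. The check is deliberately an exact hostname match over an absolute https URL, so the suffix, userinfo and scheme-relative tricks an attacker would try against a looser comparison are all rejected.

```python
"""Allowlist check for Swagger UI's ``url`` / ``configUrl`` query overrides.

Added example, not code from the bug report, Pocket or Swagger UI/FastAPI.
ALLOWED_SPEC_HOSTS, DEFAULT_SPEC_URL and the function names are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: only the service's own host may serve a spec or config.
ALLOWED_SPEC_HOSTS = frozenset({"firefox-newtab-proxy.getpocket.com"})
# Assumed same-origin fallback used whenever an override is missing or rejected.
DEFAULT_SPEC_URL = "/openapi.json"
# The parameters Swagger UI reads from the query string when query config is on.
OVERRIDE_PARAMS = ("configUrl", "url")


def is_allowed_spec_url(candidate, allowed_hosts=ALLOWED_SPEC_HOSTS):
    """Accept only an absolute https URL whose exact hostname is allowlisted."""
    try:
        parts = urlsplit(candidate.strip())
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False                 # also rejects "//host/..." and javascript:/data:
    if parts.username is not None or parts.password is not None:
        return False                 # rejects https://allowed.host@attacker.host/
    host = parts.hostname            # already lowercased by urlsplit
    if not host or host not in allowed_hosts:
        return False                 # exact match: no suffix/prefix confusion
    if port not in (None, 443):
        return False
    return True


def resolve_spec_url(query_string, allowed_hosts=ALLOWED_SPEC_HOSTS,
                     default=DEFAULT_SPEC_URL):
    """Return the spec URL to hand to Swagger UI for this request.

    Fails closed: if any override value is present and not allowlisted, the
    whole request falls back to ``default`` instead of honouring other values.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    overrides = [v for key in OVERRIDE_PARAMS for v in params.get(key, [])]
    if not overrides:
        return default
    if all(is_allowed_spec_url(v, allowed_hosts) for v in overrides):
        return overrides[0]
    return default


if __name__ == "__main__":
    # Constructed request: the query string from the report's PoC link.
    poc = "url=https://todayisnewpoc.surge.sh/auth2.yaml"
    print(resolve_spec_url(poc))  # /openapi.json
```

Two notes on the design. First, Swagger UI itself has a `queryConfigEnabled` option that governs whether `url` and `configUrl` are read from the query string at all; turning it off removes the override entirely and is the simpler fix when no one needs to point the docs page at another spec, which is effectively what happened here when the endpoints were spun down. Second, the check fails closed on a mixed request (one allowed value plus one rejected value) rather than honouring the allowed one, because Swagger UI would otherwise still fetch the rejected `configUrl` and the spec it names.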

Hello Eric,

Thank you for your report.

I was able to reproduce the issue and will look for the team responsible for this app.

I have marked one of the other reports as duplicate since it is reported as a subdomain of this host.

Thanks,
Frida

See Also: → 1783267
Status: UNCONFIRMED → NEW
Ever confirmed: true

The dev team no longer needed those endpoints, and they spun them down.

Status: NEW → RESOLVED
Type: task → defect
Closed: 2 years ago
Resolution: --- → FIXED

Adding a screenshot with, I believe, a basic auth prompt initiated from https://authorization.site which is in the PoC file https://todayisnewpoc.surge.sh/auth2.yaml

This vulnerability was present in fastapi, which used a vulnerable version of swagger-ui, which caused this CVE-2021-46708 vulnerability.

Keywords: sec-high → sec-low

Reducing the severity to low. If a malicious user was able to obtain credentials to get access to the API, they can only make calls to the public portion of our recommendation API. At most they would get recommended articles that our curators approved.

Flags: sec-bounty? → sec-bounty+
Group: websites-security