Saturday, November 14, 2015

Binary.com critical vulnerability to remotely steal users' money

Eight days ago I tweeted about hitting binary.com with a killing vulnerability, and since it's fixed and publicly disclosed on HackerOne I decided to write about it here on my blog.
On Thursday bug hunting night, like other researchers, I decided to have a look at the newly published programs on HackerOne, so I started to look for some bugs in Algolia and binary.com, which were the two newest published programs.
I found some bugs in both websites, but the most interesting one was a bug in the cashier on binary.com.
That bug allowed me to log in to any user's cashier account by just knowing the user ID.
Technical details about the bug can be found here on HackerOne; it's publicly disclosed:
https://hackerone.com/reports/98247

Your feedback is highly appreciated.

Friday, September 18, 2015

XSS vulnerability in Google image search

Seven days ago I reported to Google Security an XSS vulnerability I discovered in Google image search.
It's not very hard to find, but it's tricky to exploit!

I was looking for an image to set as my profile picture on HackerOne. I found the image I was looking for, opened it in a new tab, and something in the URL caught my attention.

The URL was "http://www.google.com.eg/imgres?imgurl=https://lh3.googleusercontent.com/-jb45vwjUS6Q/Um0zjoyU8oI/AAAAAAAAACw/qKwGgi6q07s/w426-h425/Skipper-LIKE-A-BOSS-XD-fans-of-pom-29858033-795-634.png&imgrefurl=https://plus.google.com/103620070950422848649&h=425&w=426&tbnid=ForZveNKPzwSQM:&docid=OEafHRc2DBa9eM&itg=1&ei=9ID8VZufMYqwUfSBhKgL&tbm=isch"

The value of the parameter "imgurl" is set as the href attribute of an <a> tag with the text "View image".

So I tried changing that parameter to "javascript:alert(1)" and boom, the href attribute changed to "javascript:alert(1)". How could it be that easy? Well, it's not that easy.

When you click on "View image", the href attribute value changes to "http://www.google.com.eg/url?sa=i&source=imgres&cd=&ved=0CAYQjBwwAGoVChMIjsP-48OByAIVxNMUCh3pSQ98&url=javascript:alert(1)&psig=AFQjCNGcADmmDJe6-BWjcDAJ1pV84euDZw&ust=1442698210302078".

I looked into the code and found that Google had an onmousedown event handler that changes the href attribute to the Google redirection page. Sad, huh?
I tried a lot of things to bypass this, but still no luck!

I finally used my keyboard: I pressed the [Tab] key until the "View image" link was focused, pressed Enter, and the XSS was triggered.
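The defensive lesson from this bug is that the href must be validated when the page is rendered, not patched up in a mouse handler that keyboard activation never reaches. The following is an added example of that check (my own illustration, not Google's code and not part of the original post); the `isSafeHref` and `viewImageHref` names and the sample values are assumptions.

```javascript
// Added example: validate an untrusted URL (such as the "imgurl" parameter in
// the post) before it is written into an <a href>. An onmousedown handler that
// rewrites href only fires for mouse clicks; Tab + Enter activates the link
// without it, so the scheme check has to happen at render time.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only for absolute http(s) URLs. "javascript:", "data:",
// "vbscript:", mixed-case or whitespace-padded variants and unparsable strings
// are all rejected, because the WHATWG URL parser normalises the scheme to
// lower case and we compare against an allowlist rather than a blocklist.
function isSafeHref(candidate) {
  let parsed;
  try {
    // No base URL on purpose: a relative or scheme-less value is rejected
    // instead of being silently resolved against the current origin.
    parsed = new URL(candidate.trim());
  } catch (err) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Builds the href for the "View image" link from an untrusted imgurl value.
// Unsafe values fall back to an inert "#" so the link never carries a script
// scheme, whichever way it is activated.
function viewImageHref(imgurl) {
  return isSafeHref(imgurl) ? new URL(imgurl.trim()).href : "#";
}

// Constructed sample inputs for a stand-alone run (not taken from the post).
const samples = [
  "https://lh3.googleusercontent.com/example.png",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/imgres?imgurl=x",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", viewImageHref(s));
}
```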

Timeline:
12/9/2015 Vulnerability discovered and reported
15/9/2015 Google confirmed the issue
16/9/2015 Fix and reward