Exploiting misconfigured CORS on popular BTC site

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · vulnerability
AI Summary

A misconfigured CORS policy on a Bitcoin site's third-party contact form API allowed arbitrary origins with credentials enabled, enabling attackers to extract sensitive user data (name, email, phone, account ID) via a malicious webpage using XMLHttpRequest.

Exploiting Misconfigured CORS on popular BTC Site
by Arbaz Hussain · ~2 min read · July 19, 2017 (Updated: June 9, 2018)
Severity: Medium · Complexity: Easy · Weakness: Allowing ACAH

On one of the popular BTC sites, I was facing some issue with my account, so I used their support form to inform them.

Things I provided via the form: Email, Phone Number, Name, Message.

Clicked on Submit and noticed that the form was being sent to a third-party site, https://api.thirdparty.com/api/contact/widget/281d02/, in the form of POST data.

POST /api/contact/widget/281d02/ HTTP/1.1
Host: api.thirdparty.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: REDACTED
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

{"firstName":"adsgasgsag","lastName":null,"company":null,"email":"[email protected]","phone":"9876543210","accountId":"38517","message":"xxx","Tags":[]}

After sending the form, I changed the request method to GET and added Origin: evil.com to the request headers.

GET /api/contact/widget/281d02/ HTTP/1.1
Origin: evil.com

Response:

Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true

{"contactUid":"025381","firstName":"adsgasgsag","lastName":null,"company":null,"email":" [email protected] ","phone":"9123091647","additionalDetails":{},"accountId":38517,"location":null,"Tags":[]}

Surprised to see Access-Control-Allow-Credentials: true.
PoC page output fields (image not preserved): Name, Email, Phone, ACCID.
PoC: As soon as a victim (a user who used their support form at any time, including any previous date) visits the malicious page, their previous form data gets extracted.
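The root cause in the writeup is an API that echoes whatever Origin it receives while also sending Access-Control-Allow-Credentials: true. The following is an added example, not code from the original post or from the affected vendor: it shows that reflecting pattern beside an allowlist-based replacement, and an audit check a defender can run over captured response headers. The origin names and the allowlist are assumptions for illustration; the sample response is reconstructed from the two headers quoted above.

```javascript
// Vulnerable pattern: echo the browser's Origin and allow credentials.
// Any site the user visits can then read authenticated responses as that user.
function corsHeadersReflecting(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: compare the Origin against an exact allowlist of full
// origins (scheme + host + port). Unknown origins get no CORS headers at all,
// so the browser refuses to expose the response to the calling page.
function corsHeadersAllowlisted(requestOrigin, allowlist) {
  if (!allowlist.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Responses now differ per Origin, so tell caches not to serve one
    // allowed origin's response to a request from another origin.
    'Vary': 'Origin',
  };
}

// Minimal parser for a block of "Name: value" header lines, so captured
// responses (from a proxy log, for example) can be fed to the audit check.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Audit check: probeOrigin is an origin the API has no business trusting.
// Flag the combination the writeup found: that origin reflected back together
// with credentials enabled. (An allowlisted origin is expected to be echoed,
// so always probe with an origin that is not on the allowlist.)
function isCredentialedOriginReflection(probeOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = (headers['Access-Control-Allow-Credentials'] || '').toLowerCase();
  return acac === 'true' && acao === probeOrigin;
}

// Constructed sample: the two response headers quoted in the writeup.
const CAPTURED_RESPONSE =
  'Access-Control-Allow-Origin: evil.com\r\nAccess-Control-Allow-Credentials: true';
```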