Application Security Weekly Review, Week 3 2019
Flaws in Web-Hosting Platform Bluehost, a Security Hole in Reservation System Amadeus, and Much More
It’s Friday and it's time for the weekly roundup. In this article we highlight the most interesting cyber headlines of the week, including vulnerabilities in the web-hosting platform Bluehost, new Magecart card-skimming attacks and GoDaddy's questionable practice of injecting JavaScript into customer websites. So, let’s start.
Web hosting Bluehost multiple account takeover
The popular web-hosting platform Bluehost was found to contain multiple account takeover and information leak vulnerabilities. Independent researcher and bug-hunter Paulos Yibelo discovered four security vulnerabilities, the most dangerous of which is an information leak through CORS misconfigurations that could allow cybercriminals to steal personally identifiable information, such as name, location (city, street, state, country), phone number, zip code and other data, as well as partial payment details (expiration date of the credit card, last four digits of the card, name on the card, card type, and payment method).
In addition, using this flaw an attacker could steal tokens that give access to a user’s hosted WordPress, Mojo, SiteLock and various OAuth-supported endpoints. Other flaws could allow an attacker to gain complete access to Bluehost user accounts, carry out a man-in-the-middle attack, or execute commands as the client on bluehost.com. It’s worth noting that Bluehost is not the only platform containing such vulnerabilities – similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.
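The CORS misconfiguration class mentioned above is easy to reproduce in a few lines. The following is an added example written for this roundup, not code from Bluehost or from Yibelo's research: a server-side CORS decision function in the reflecting form that leaks credentialed responses to any origin, next to an exact-match allow-list form, plus the common suffix-check "fix" that still fails. The hostnames are placeholders chosen for the example.

```javascript
// Added example (not the article's or Bluehost's code). Hostnames are
// constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://my.example-host.test',
  'https://billing.example-host.test',
]);

function credentialedHeadersFor(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Misconfigured pattern: echo whatever Origin the browser sent and allow
// credentials. Any page the logged-in victim visits can then read the
// authenticated API response (profile data, partial card data, tokens).
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return credentialedHeadersFor(origin);
}

// Common but insufficient "fix": a suffix check on the origin string.
// 'https://evil-example-host.test' ends with 'example-host.test' too.
function corsHeadersSuffixCheck(origin) {
  if (!origin || !origin.endsWith('example-host.test')) return {};
  return credentialedHeadersFor(origin);
}

// Hardened pattern: exact-match the full origin (scheme + host + port)
// against a fixed allow-list and send no CORS headers for anything else,
// so the browser refuses the cross-origin read.
function corsHeadersAllowList(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return credentialedHeadersFor(origin);
}

// Audit helper: would this policy let `origin` read credentialed responses?
function leaksTo(policy, origin) {
  const h = policy(origin);
  return h['Access-Control-Allow-Origin'] === origin &&
    h['Access-Control-Allow-Credentials'] === 'true';
}

// Quick self-check when run directly.
for (const [name, policy] of Object.entries({
  reflecting: corsHeadersReflecting,
  suffixCheck: corsHeadersSuffixCheck,
  allowList: corsHeadersAllowList,
})) {
  console.log(name, 'leaks to https://attacker.test:',
    leaksTo(policy, 'https://attacker.test'),
    '| to https://evil-example-host.test:',
    leaksTo(policy, 'https://evil-example-host.test'));
}
```

The `leaksTo` helper is the check to run against your own CORS code: feed it a few origins you do not control and make sure only the allow-listed ones come back `true`. Note that the allow-list still sets `Vary: Origin`, so caches do not serve one origin's CORS headers to another.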
GoDaddy caught tracking customers' websites
Web hosting provider GoDaddy was caught inserting JavaScript code into customer websites for tracking purposes, which could slow down performance or break sites altogether. The issue was uncovered by programmer Igor Kromin when the problem occurred with the admin interface of his own website, hosted by GoDaddy. Upon closer examination, Kromin discovered that an unknown JavaScript file was being loaded on his site.
A snippet of JavaScript code is added to sites in order to use a technology called Real User Metrics (RUM). As GoDaddy explains, RUM "[allows] us to identify internal bottlenecks and optimization opportunities by inserting a small snippet of javascript code into customer websites," which measures and tracks the performance of the website. At the same time, the hosting provider admitted that the JavaScript code may impact website performance or render the site inoperable.
Amadeus airline reservation system security flaw
The web-based reservation system Amadeus, used by more than 40% of the world’s airlines, contains a security flaw that lets attackers change reservations using only a reservation number.
The issue was uncovered by bug-hunter Noam Rotem and, according to the researcher, by simply changing the RULE_SOURCE_1_ID it is possible to view any PNR (passenger name record) and access the customer name and associated flight details. That means an attacker can change passenger seat assignments, redirect frequent flyer points to another account, modify or view contact information, or even change or cancel flights. Amadeus has been notified of the issue and is now working on a fix.
MIT researches the benefits of bug bounty programs
Many organizations may benefit more from directly hiring security researchers than from running bug bounty programs, according to new MIT research. Experts analyzed more than 60 HackerOne bounty programs, including those run for Facebook, Twitter, Coinbase, Square and other well-known companies, and came to the conclusion that, contrary to common belief, organizations don’t get much benefit from a large number of researchers probing their apps and services. Instead, only a few white hats produce the biggest volume and quality of bug reports across multiple products, earning the biggest chunk of the prize fund.
Interestingly, even the "elite" can’t make a decent wage by Western standards. According to the research, the top seven participants in the Facebook program made just $34,255 per year from an average of 0.87 bugs per month, while participants in the programs run on HackerOne made just $16,544 per year from 1.17 bugs per month. Although there are exceptions (for example, exploit broker Zerodium offers $2m for iOS zero-day exploits), it seems that bug bounty programs are more a small bonus on top of a salary for Western researchers than a main source of income.
Card-skimming attack on e-commerce websites
Nearly 300 e-commerce websites have been hit with a card-skimming attack carried out by a new subgroup of Magecart, labeled "Magecart Group 12". It’s the latest in a series of attacks linked to Magecart, an umbrella term for a set of cybercriminal groups that use different methods to compromise websites and steal payment data. Usually, Magecart hackers compromise e-commerce sites directly and insert malicious JavaScript code into their checkout pages that quietly steals customers' payment information and sends it to the attacker’s remote server. In this case, however, Magecart Group 12 hacked the French advertising firm Adverline and injected its skimming code into a third-party JavaScript library that Adverline's service loads on hundreds of European e-commerce websites to display ads.
According to RiskIQ, this code integrates with thousands of websites, so when the library is compromised, the sites of all the customers that use it are compromised too, which gives Magecart access to a wide range of victims at once.