Detailed Technical Analysis of "How I Made $13,000 From Hacking Points.com"
Overview:
Sam Curry’s write-up describes a series of security vulnerabilities he discovered and exploited in the Points.com platform, eventually leading to a cumulative reward of $13,000. The write-up covers various types of attacks, including IDOR (Insecure Direct Object References), CSRF (Cross-Site Request Forgery), and a critical XSS (Cross-Site Scripting) bug. These vulnerabilities underscore the importance of secure coding practices, especially in financial platforms handling sensitive user data.
Key Technical Details:
1. Insecure Direct Object References (IDOR):
Description: IDOR vulnerabilities arise when an application exposes internal implementation objects such as files, directories, database records, or keys, allowing attackers to bypass authorization and access restricted data.
Exploit: Sam discovered multiple endpoints that allowed unauthorized access to other user’s data by simply modifying object identifiers (IDs). For instance: - Points Account Endpoint: By sequentially incrementing or decrementing the account ID parameter in the API calls, Sam was able to view and even manipulate points balance and exchange rates for arbitrary accounts.
Mitigation: To prevent IDOR vulnerabilities: - Access Control Checks: Implement robust access control checking mechanisms to ensure that users can only access resources they are authorized to view or modify. - Use Indirect References: When possible, replace direct references with indirect references, such as a mapping of unique, unpredictable identifiers.
2. Cross-Site Request Forgery (CSRF):
Description: CSRF vulnerabilities allow attackers to perform unauthorized actions on behalf of authenticated users by tricking them into submitting a malicious request.
Exploit: Sam identified CSRF vulnerabilities in the Points.com platform where critical actions lacked proper CSRF tokens. By crafting a malicious webpage that submitted these forged requests, he could perform actions like linking a different financial account without user consent.
Mitigation:
To prevent CSRF:
- CSRF Tokens: Ensure that all state-changing operations require a valid CSRF token.
- SameSite Cookies: Use the SameSite
attribute for cookies to prevent them from being sent along with cross-site requests.
3. Cross-Site Scripting (XSS):
Description: XSS vulnerabilities enable attackers to inject malicious scripts into webpages, which can then execute in the context of another user’s session.
Exploit: The most critical bug discovered involved a stored XSS vulnerability in the handling of email messages. By injecting a malicious script through the email composition feature, the script would execute whenever the email was opened by the recipient.
Mitigation: To prevent XSS attacks: - Output Encoding: Properly encode all data before displaying it in a web page. - Content Security Policy (CSP): Implement a strong CSP to mitigate the impact of XSS by restricting the sources from which scripts can be loaded. - Input Validation: Validate and sanitize user input to ensure it doesn’t contain malicious scripts.
Reporting & Real-World Impact:
The write-up describes the detailed process of responsibly disclosing these vulnerabilities to the Points.com security team. The impacts ranged from unauthorized access and manipulation of financial data to potential full account takeovers via XSS. Given Points.com’s role in managing loyalty programs and financial transactions, these vulnerabilities could have had severe repercussions if exploited maliciously.
Bounty and Recognition: - The Points.com security team responded promptly and acknowledged the severity of the issues. - Sam Curry received a cumulative reward of $13,000 for his findings, reflecting the high-risk nature and potential business impact of the vulnerabilities.
Key Takeaways:
- Critical IDOR and CSRF Awareness: Developers must be diligent in implementing access control checks and CSRF protections, especially on endpoints handling sensitive operations or financial transactions.
- Importance of XSS Prevention: Regularly audit code for potential XSS vulnerabilities, especially where user-generated content is concerned.
- Holistic Security Measures: Security layers including proper input validation, output encoding, CSP implementation, and thorough testing of endpoints for unauthorized access all contribute to a robust security posture.
- Responsible Disclosure: The process highlights the importance of a structured vulnerability disclosure program in fixing issues promptly and rewarding ethical hackers.
Conclusion:
Sam Curry’s discovery and responsible disclosure of critical vulnerabilities in Points.com showcase the potential risks associated with insecure coding practices. This case study emphasizes the necessity of thorough security auditing, especially for platforms dealing with financial data, and the value of bug bounty programs in uncovering and addressing security weaknesses.
For full details, check the original blog post here.