Application Security Weekly Review, Week 3 2019
Flaws in Web-Hosting Platform Bluehost, a Security Hole in Reservation System Amadeus, and Much More
Web hosting Bluehost multiple account takeover
The popular web-hosting platform Bluehost was found to contain multiple account-takeover and information-leak vulnerabilities. Independent researcher and bug hunter Paulos Yibelo discovered four security vulnerabilities, the most dangerous of which is an information leak through CORS misconfigurations that could allow cybercriminals to steal personally identifiable information, such as name, location (city, street, state, country), phone number and zip code, as well as partial payment details (credit card expiration date, last four digits of the card, name on the card, card type and payment method).
In addition, using this flaw an attacker could steal tokens that give access to a user's hosted WordPress, Mojo, SiteLock and various OAuth-supported endpoints. Other flaws could allow an attacker to gain complete access to Bluehost user accounts, carry out man-in-the-middle attacks or execute commands as the client on bluehost.com. It is worth noting that Bluehost is not the only platform with such vulnerabilities: similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web-hosting platforms.
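As an added illustration (not code from the Bluehost report, and assuming nothing about Bluehost's actual implementation), the following Python models the CORS behaviour that turns an authenticated JSON endpoint into a cross-origin PII leak, the allowlisted fix, and a check a defender can run against captured response headers; the hostnames are constructed.

```python
"""Added example: CORS misconfiguration of the kind described above vs. the fix.

Assumptions: the API's CORS logic is modelled as a pure function that returns
response headers for a given request Origin; all hostnames are constructed.
"""
from typing import Dict, Optional

# Constructed allowlist of first-party origins the API should trust.
ALLOWED_ORIGINS = {"https://my.example-host.com", "https://www.example-host.com"}


def cors_headers_misconfigured(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: reflects any Origin and allows credentials.

    A victim's browser on an attacker-controlled page sends the session cookie,
    and the page's script may read the JSON body (the PII and tokens above)."""
    headers: Dict[str, str] = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Fixed policy: only exact-match allowlisted origins get credentials.

    Unknown origins receive no CORS headers at all, so the browser blocks
    the cross-origin read. Vary: Origin keeps caches from mixing responses."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def allows_credentialed_read(origin: str, headers: Dict[str, str]) -> bool:
    """Defender's check: True if a page on `origin` could read an authenticated
    response carrying these headers. Run it with an origin you do not own;
    a True result is a misconfiguration."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    # Browsers refuse "*" together with credentials, so only a reflected/exact
    # origin (or the literal "null" origin) plus credentials is exploitable.
    return creds and acao in (origin, "null")
```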
GoDaddy caught tracking customers' websites
Amadeus airline reservation system security flaw
The web-based reservation system Amadeus, used by more than 40% of the world's airlines, contains a security flaw that lets attackers change reservations using only a reservation number.
The issue was uncovered by bug hunter Noam Rotem. According to the researcher, by simply changing RULE_SOURCE_1_ID it is possible to view any PNR (passenger name record) and access the customer name and associated flight details. That means an attacker can change passenger seat assignments, redirect frequent-flyer points to another account, modify or view contact information, or even change or cancel flights. Amadeus has been notified of the issue and is now working on a fix.
MIT researches the benefits of bug bounty programs
Many organizations may benefit more from directly hiring security researchers than from running bug bounty programs, according to new MIT research. The researchers analyzed more than 60 HackerOne bounty programs, including those run for Facebook, Twitter, Coinbase, Square and other well-known companies, and concluded that, contrary to common belief, organizations do not get much benefit from a large number of researchers probing their apps and services. Instead, only a few white hats produce the biggest volume and quality of bug reports across multiple products, earning the biggest share of the prize fund.
Interestingly, even the "elite" cannot make a decent wage by Western standards. According to the research, the top seven participants in the Facebook program made just $34,255 per year from an average of 0.87 bugs per month, while participants in the programs run on HackerOne made just $16,544 per year from 1.17 bugs per month. Although there are exceptions (for example, exploit broker Zerodium offers $2m for iOS zero-day exploits), it seems that for Western researchers bug bounty programs are a small bonus on top of a salary rather than a main source of income.
Card-skimming attack on e-commerce websites
According to RiskIQ, this code integrates with thousands of websites, so when one of them is compromised, the sites of all the customers that use it are compromised as well, giving Magecart access to a wide range of victims at once.