Tuesday, June 4, 2013

SSRF/XSPA Bug in https://www.coinbase.com

This was one of the bugs which i had reported to Coinbase.com on May 1 2013 as apart of their bug bounty program. Although I started quite late in hunting I was lucky enough to find one interesting vulnerability in their "Merchant_settings" portal. 

The vulnerability is an SSRF/XSPA which allows an attacker to use the application as a proxy to scan for other services on remote servers on the internet. So in layman terms this vulnerability can be abused to port scan other servers on the internet. 

Here is the POC that I had submitted to coinbase. I used "scanme.nmap.org" which is known to have ports 22 and 80 opened.
In their "merchant_settings" they had a field wherein we can enter a URL for receiving instant payment notifications. And the field was not validated on the server end for any back-end response sent by the remote servers before displaying, this functionality allowed to do things like banner grabbing, port scanning, identify web-application frameworks etc.

Here is an example of an open port (22) on "scanme.nmap.org" which fetched me the open-ssh version.

Here is what I received on entering a closed port (2243)

This functionality could have been abused in many ways one of them would be automating the attack and making multiple request to remote servers on  well known ports. The Coinbase secuity team has already fixed this vulnerability but i was quite disappointed when i received a bounty which was lesser than the minimum bounty they had promised on their responsible disclosure page i.e a payout of 5BTC.
The security team responded saying "We can't be sure of how this vulnerability could affect our coinbase users, and we issue bounties for only those vulnerabilities which affect our userbase". Any ways I can't say I wasn't disappointed but yes they should have delivered what they had promised on their responsible disclosure page.

No comments :

Post a Comment