Three Information Disclosure Vulnerability

A few weeks ago, I got an email from Three asking me to fill out a survey for them, rating my satisfaction with their services. They offered “the chance to win an iPad”, so I decided I’d fill in the survey to provide some feedback (I’m generally a fairly satisfied customer).

The link opened in my default web browser (Firefox), which happened to be linked up to Burp – after filling and submitting the survey, I was able to view the requests and responses that Firefox had made during the process. After looking at these requests, I noticed something quite worrying.

The site (https://www.threemicrosites.co.uk/survey/, now closed) was making an AJAX request to an API (http://www.threemicrosites.co.uk/api/getuser/p/44xxxxxxxxxx/, where xxxxxxxxxx is the 3 phone number). The request was made over cleartext HTTP, passing my mobile phone number in the URL. The response included my 3 account number, my full name, my email address and some other account identifier. I confirmed that this was the case for other numbers by entering a friends phone number (with their permission) – sure enough, their name and contact details were presented to me.  Information from the API was presented in the following form, as JSON:

{"success":true,"id":"813xxx","user_id":"9555xxxxxx","phone":"447598xxxxxx","email":"xxxxxx@yyyyy.zzz","title":"Mr","name":"Joseph","surname":"Redfern","email_vs_sms":"xxx","timestamp":"2015-05-xx xx:xx:xx"}

Clearly, this information disclosure isn’t ideal. The ability to find out the account holder and contact details behind ANY 3 phone number could come in handy for social engineering attacks, stalking, spamming etc. It would also be possible to scrape the API and build up a database of 3 customers by brute-forcing the API using H3G Number Prefixes, which can be found here – such a database could be very valuable to Three’s competitors,  marketing companies etc. I’d consider it a fairly severe breach of privacy.

The bizarre thing is that the survey didn’t appear to use any of the information returned by the API – the thank you page had no reference of my name, email address or account number.

I reported the issue to Three customer support, and requested that I be notified once their security team had acknowledged the issue. Customer Support said that they’d pass the request on, but that they couldn’t promise anything – sadly, they didn’t bother to get back to me (and I didn’t even win their competition!). The survey has now been taken down, along with the offending API. I can’t be sure if this was in response to these issues, or if the closure was planned – but either way, this no longer seems to be a problem.

Video Demo:

eBay Reflected XSS

Earlier in the year, I discovered an XSS vulnerability in the Selling Manager section of the eBay.

The problem was caused by improper escaping of the URL’s GET parameters, which were reflected back on on the page. When choosing the “drafts” section of the session manager, I noticed that several parameters appeared in the URL:

eBay XSS URL parameters

 

Naturally (after confirming that eBay allowed such testing), I tried modifying these parameters – to my surprise, the page happily showed my new, update values (although they weren’t saved server-wide). I could modify my feedback score, message count, inventory counts etc to contain invalid characters, such as letters. Unfortunately, eBay was escaping the strings to remove anything that would allow cross-site scripting – or so I thought.

After some more playing, I accidentally included a URL parameter twice. Again, to my surprise, the page showed both values, but separated by commas – however, this time the second value was not being escaped. By setting the duplicate parameters value to be a snippet of javascript, I could run malicious code in the context of sm.ebay.co.uk.

Combined with a phishing attack, an attacker could easily exploit this vulnerability to steal money from a user, gain access to their account and/or cause all kinds of trouble.

I reported this vulnerability to the “eBay inc Bug Bounty” on the 30th of May, and after some prodding, received an email back telling me that the eBay Inc bug bounty didn’t cover the eBay website. The problem then got forwarded on other eBay Bug Bounty . Fast forward to mid-July, I was asked for an example URL that would trigger the XSS (which I had included in my original report, but must have somehow got lost). I have not heard anything from eBay since, but the problem now seems to have been fixed.