Editor's note: This is the fourth article in a seven-part series by Chetan Conikee.
Outbidding
In my previous post we looked at a vendor partnership flaw that was exploited. Let us now look at an online auction event.
Online auctions offer buyers and sellers an enormous platform for trade. Just like local auctions, there are sellers and bidders and winners and losers. Winners are expected to pay for what they bid on at the conclusion of the auction.
At online auctions, you will be required to register before you can buy or sell an item(s). Registration is required to track items you bid on or sell, keep up with the bids, determine the winning bids and build a database on seller and bidder feedback.
Example: A normal workflow initiated by a consumer
- User creates an account — system verifies if userId is unique and creates an account.
- User logs in the account using the account credentials — active session on portal is established
- User view page displaying a item of interest along with all active bidders associated with the item
- User participates in an existing auction by placing bid — system calculates number of active bidders and add new bid to scheduled time
- User wins or loses a bid — receives confirmation to enter credit card information
- User is asked to enter credit card information — system validates credit card, debits amount and item is shipped
- User logs out — active session is deleted
One of the several ways to abuse this workflow is depicted below
- Hacker creates an account and logs in
- Hacker views page displaying item of interest
- Hacker enters into an auction by bidding for lowest price
- Hacker collects usernames of bidders displayed on page
- Hacker launches brute force attack on all usernames via login screen
- Hacker wins bid at lowest price
What are the conditions that led this flaw to be exploited?
- Bidder usernames were displayed in cleartext on item page — sensitive information disclosure
- Brute force led to account lockout — even legitimate users are not allowed to log in for a period of time
- Account lockout terminated any active session
- Session termination deletes current user data
Suggested fixes and checks to mitigate this flaw
- Apply CAPTCHA instead of rate limited account lockout
- Disable active session termination
- Do not display active bidders on item page — use redaction or pseudonyms
Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.
The next part will be released shortly after my coffee break.