Tuesday, July 28, 2009

Rapidshare | Login Credential Leakage Vulnerability

==================================
Rapidshare Login Credential Leakage Vulnerability
==================================

Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

Advisory URL:
http://yehg.net/lab/pr0js/advisories/rapidshare.com_login_credential_leak_overhttp
Date published: 2009-07-26

Vendor: Rapidshare (Free File Hosting Provider)
URL: http://www.rapidshare.com, http://rapidshare.de
Reported: Yes ([email protected])

Attacker:
1. Trojans or other malware with traffic-sniffing capability
2. A malicious user running an HTTP sniffer

Where: User's computer / user's networks (LAN, WAN, proxy, ISP, etc.)


Overview
==========
Rapidshare understands secure login: it protects user credentials from
HTTP traffic sniffing with the SSL page https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi,
to which users are redirected when they go to the login page.
Although the intention is to protect users, there has been a way to make
their credentials leak since the service was launched.
This weakness makes their use of SSL somewhat useless.

###########################################################################

Not Vulnerable Scenario
=======================
A user goes to rapidshare.com and clicks "Premium login". He is redirected
to the SSL page https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi.
He fills in his login info and then downloads the URL
http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar.
His login info crosses the network encrypted, because it was submitted
over HTTPS.

Thus, he is not vulnerable.


Vulnerable Scenario
===================
A user has not logged in yet. He wants to download the URL
http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar.
He chooses "premium". The login form appears, without any redirect to the
SSL page. He fills in his login info and downloads the URL
http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar.
As he is not forced onto an https URL, his login information crosses the
network in plain text, because the form is submitted over sniffable HTTP.

Thus, his login information is leaked to attackers and he is vulnerable.


Solution:
=========
As soon as the user clicks the "Premium" button, he should be redirected to
the https page, carrying the URL he wants to download.
For this scenario, that is
https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi?url=/files/139189109/Floyd-Cramer-Hello-Blues.rar
After a successful login, he is shown the "ready-to-download"
page with download options, or a file download prompt, depending
on his preference.

Additionally, Rapidshare's web developers should validate and filter the
url parameter (for example, accept only a relative path under /files/ and
reject any value carrying a scheme, a host or path traversal) so that
attackers cannot abuse the parameter itself, e.g. as an open redirect
off the SSL login page.
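The following is an added example written for this write-up; it is not Rapidshare's code and the advisory contains no code of its own. It covers both scenarios above: the first function detects the vulnerable case (a password form whose action, resolved against the page it is served from, submits over http://), and the remaining functions implement the recommended fix, building the https login URL with the requested download path in the url parameter and rejecting values that carry a scheme, a host or traversal. The two HTML snippets are constructed for the example, and the /files/ prefix restriction is an assumption, not a documented Rapidshare rule.

```python
"""Added example (not Rapidshare's code): detect a login form that would
submit credentials over plain HTTP, and build the HTTPS login redirect
the advisory recommends with the ``url`` parameter validated."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urljoin, urlsplit

# The SSL login endpoint named in the advisory, and the only path prefix a
# return URL may point at (the prefix restriction is an assumption).
SSL_LOGIN = "https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi"
ALLOWED_PREFIX = "/files/"

# Constructed sample pages, not captured from the real site.
VULNERABLE_PAGE = """
<form method="post" action="/cgi-bin/premiumzone.cgi">
  <input type="text" name="accountid">
  <input type="password" name="password">
  <input type="submit" value="Download">
</form>
"""
SAFE_PAGE = """
<form method="post" action="https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi">
  <input type="text" name="accountid">
  <input type="password" name="password">
  <input type="submit" value="Download">
</form>
"""


class FormActionParser(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def cleartext_login_forms(page_url, html):
    """Return the resolved action URLs of password forms that would submit
    over a scheme other than https, given the URL the page was served from."""
    parser = FormActionParser()
    parser.feed(html)
    leaks = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # A relative or empty action inherits the scheme of the page itself,
        # which is exactly how an HTTP download page leaks the credentials.
        target = urljoin(page_url, action) if action else page_url
        if urlsplit(target).scheme.lower() != "https":
            leaks.append(target)
    return leaks


def safe_return_path(candidate):
    """Validate a ``url`` parameter value: it must be an absolute path under
    ALLOWED_PREFIX with no scheme, host or traversal. Returns the normalised
    path, or None if the value is rejected."""
    value = unquote(candidate)               # catch %2F%2Fevil as well as //evil
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:          # rejects http://evil and //evil
        return None
    if not value.startswith("/") or value.startswith("//"):
        return None
    normalised = posixpath.normpath(parts.path)   # collapses /files/../cgi-bin
    if not normalised.startswith(ALLOWED_PREFIX):
        return None
    return normalised


def secure_login_redirect(requested_path):
    """Build the HTTPS login URL carrying the validated download path, or
    None when the path is rejected (then redirect to SSL_LOGIN without it)."""
    path = safe_return_path(requested_path)
    if path is None:
        return None
    return SSL_LOGIN + "?url=" + quote(path, safe="/")


if __name__ == "__main__":
    page = "http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar"
    print("leaks:", cleartext_login_forms(page, VULNERABLE_PAGE))
    print("redirect:", secure_login_redirect("/files/139189109/Floyd-Cramer-Hello-Blues.rar"))
    print("rejected:", secure_login_redirect("//evil.example/files/x"))
```

The detection side is what a tester runs against every page that can show a login form, not only the dedicated login page, since the form that appears mid-download is the one that leaked here. The validation side matters because the fix moves user-controlled data into the SSL page's query string; without it, the url parameter becomes a new target.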

###########################################################################

Other security suggestions we have made to Rapidshare:

- Iframe injection (Now: Fixed)
- Security Lock brute-forcing (Not fixed / will not be fixed)