
Flaw in custom software puts a million users' data at risk

It was a Friday last May. A client pulled me away from the air conditioner to meet him. His department had taken over the company's website from another team. His company is a service provider, and the website is a portal serving over 1 million customers nationwide; through it, users can view their spending. He needed our support to test the security of the portal: find its weaknesses, demonstrate any data leakage, and suggest fixes.



This was a great chance for our team, but we had to learn first. I registered an account and went through the portal thoroughly to understand how it works and what users can do. The portal was developed by an external software company to present the company's more than 45 services. After logging in, users can view basic information and their monthly bills, including transaction details (time, quantity, parties, ...). It seems they can also enroll in new services, but I left that for later.

When I clicked to view a bill, the content was generated dynamically as a PDF file. Hmm ... why not try to access this file unauthenticated? I opened a different browser and pasted the link, and the same content was displayed. Bingo. This was a flaw, but not a serious one. It would be better if I could find out how the file name is generated. The filename is constructed from two parts, a static number (the file ID) and a random-looking number at the end, separated by an underscore, "_":

12345678_146431859xxxx.pdf

Generating the file several times might reveal the rule. I noticed that the trailing part increased and that its last four digits changed over time, so I thought this number was related to the timestamp at which the content was generated. Which timestamp? Googling it, I found it was a millisecond timestamp, and using currentmillis.com I converted it. As I had guessed, it was exactly the time I clicked to generate my bill.

What about the first eight digits? If the program was well developed, I expected them to be tied to the user, which was something I did not have. Okay, let's see how the software works underneath. (Because of the sensitive information involved, I could not attach screenshots to this post.)
By using tools to track the requests sent to and the replies returned from the portal's server, I found that these numbers are tied to the user they belong to. Still using the tools, I intercepted the request sent by the browser and changed the number before it went to the server. Interestingly, the server came back with a PDF document, and I opened it. You know the result, right? The data generated belonged to another user. At this point I knew I had found a serious security flaw: any authenticated user can read the bill belonging to another user without their permission. To demonstrate the impact, I wrote a small Python script that replicated what I had done and automated downloading the bill for a given file ID. I reported this work to our client to show them how the data of over 1 million users had been exposed to high security risk for over a year of using their service.
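As an added example (not the author's script and not the portal's code), the sketch below shows the server-side pattern behind this finding: a bill handler that trusts the file ID from the request beside one that checks the record's owner against the session user, plus a parser for the `<fileid>_<ms-timestamp>.pdf` filename. The record store, account names and timestamp are constructed for the example.

```python
"""Constructed sketch of the bill-download check, before and after the fix."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# The observed filename pattern: 8-digit file id, underscore, 13-digit millisecond timestamp.
FILENAME_RE = re.compile(r"^(\d{8})_(\d{13})\.pdf$")


@dataclass(frozen=True)
class Bill:
    file_id: str
    owner: str      # account the bill belongs to
    pdf: bytes

# Constructed sample records: two customers, two file ids.
BILLS = {
    "12345678": Bill("12345678", "alice", b"%PDF alice-bill"),
    "12345679": Bill("12345679", "bob", b"%PDF bob-bill"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested bill."""


def parse_bill_filename(name: str):
    """Split the filename into the file id and the UTC time the PDF was generated."""
    m = FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected bill filename: {name!r}")
    generated = datetime.fromtimestamp(int(m.group(2)) / 1000, tz=timezone.utc)
    return m.group(1), generated


def get_bill_vulnerable(session_user: Optional[str], file_id: str) -> bytes:
    """Before: the id from the request is trusted, so any caller gets any bill."""
    return BILLS[file_id].pdf


def is_authorized(session_user: Optional[str], file_id: str) -> bool:
    """Ownership check: an authenticated user may only read records they own."""
    bill = BILLS.get(file_id)
    return session_user is not None and bill is not None and bill.owner == session_user


def get_bill_fixed(session_user: Optional[str], file_id: str) -> bytes:
    """After: unknown and foreign ids get the same refusal, so ids reveal nothing."""
    if not is_authorized(session_user, file_id):
        raise Forbidden("bill not available for this account")
    return BILLS[file_id].pdf
```

The ownership check belongs on every endpoint that takes the file ID, including the direct PDF link, since the report describes that link being readable without a session at all.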

Moreover, I want to stress that organizations should not rely ONLY on the hardware appliances or the technology they buy to protect their assets from security risks. This flaw came from the software development process, and even their application firewall could not protect them from its exploitation. Some key takeaways I want to note:

  • Security should be an important part of the software development process.
  • Security services should be taken seriously; they are not simply a certificate.
