Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape

2017-09-26T13:17:48
ID H1:271960
Type hackerone
Reporter europa
Modified 2018-05-01T15:37:55

Description

In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However, by utilizing a manipulated Avatar URI value, the researcher was able to demonstrate how an attacker could exfiltrate another user's email, userid, and tokens to an external server owned by the attacker. The researcher was further able to demonstrate other types of attacks possible via AngularJS Template Injection, but the most interesting one to us was the data exfiltration POC.

We resolved this issue by updating our version of AngularJS, and by applying the ng-non-bindable directive to the vulnerable fields. This directive prevents AngularJS from compiling or binding the contents of the current DOM element, making it effective at preventing XSS and Code Injection attacks. Sometimes you don't need a fully-fledged XSS to leak useful data!

An AngularJS template injection was possible in the search field giving me access to the whole AngularJS scope for the page.

By traversing the DOM via childHead / nextSibling objects it was possible to grab informations from the active scope (ie: email, userid, and tokens); subsequently manipulating the victim's avatar URL to a resource on an adversary-controlled server allowed the attacker to exfiltrate session details without strictly relying on Javascript injection, delivering the goodies through simple GET requests.

A sandbox escape was found later on rendering the unorthodox approach unnecessary, but extremely fun nonetheless—also given the fact that Rockstar Games decided scoped this flaw as a Reflected XSS before that happened.