Renren: a method for permanently taking control of all of another user's accounts (vulnerability alert) - Black Bar Safety Net

2013-05-19T00:00:00
ID MYHACK58:62201338835
Type myhack58
Reporter Anonymous
Modified 2013-05-19T00:00:00

Description

Clicking "visit personal home page" in the Renren client (the mobile app) logs the same user in automatically, by "synchronized login", in the browser on the PC.

The login flow is roughly as follows (parameters have been removed; anyone interested can capture the traffic and look for themselves):

1. http://gadget.talk.renren.com/redirects

2. http://passport.renren.com/transfer.do?transfer=&origURL=

3. http://www.renren.com/callback.do?t=&origURL=

4. The personal home page is displayed.

The vulnerability is in the second step: the transfer parameter at that step is the credential used to authenticate the user's login.

Testing found that:

(1) simply opening the captured link logs you in directly as the Renren identity that the transfer value corresponds to;

(2) more seriously, the link does not expire; it stays valid indefinitely;

(3) even after the user behind the transfer value changes their password, the link still logs in to all of that user's accounts;

(4) and the client's synchronized login is carried out over plain HTTP.

In short, an attacker only needs to get a user to perform a synchronized login once and sniff the link from the resulting traffic; after that, all of that user's accounts are permanently under the attacker's control.

Proof of vulnerability:

Capture the traffic and try it yourself.

Suggested fix:

The user authentication flow needs to be thought through properly: don't just check a userid (which can be guessed), never issue a login credential without an expiry, and preferably make it single-use. Given findings (3) and (4), the credential should also stop working as soon as the password is changed, and the synchronized login should be carried over HTTPS rather than plain HTTP, so that it cannot be sniffed in the first place.