Lucene search
+L

foilChat Sign Up Email PIN Confirmation Bypass

🗓️ 29 May 2018 00:00:00Reported by Harry SintonenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

foilChat email confirmation vulnerabilit

Code
`foilChat sign up email PIN confirmation bypass  
==============================================  
https://sintonen.fi/advisories/foilchat-signup-email-pin-confirmation-bypass.txt  
  
  
Overview  
--------  
  
foilChat (https://www.foilchat.com/) allows anyone to register with any email  
address due to a vulnerability.  
  
  
Description  
-----------  
  
foilChat user names equal to user's email address. At sign up the user is required  
to provide an email address. The email address is sent a 4 digit PIN code that the  
user is required to enter to the application to complete the registration.  
  
foilChat backend fails to prevent brute force attempts of the PIN code. The attacker  
can attempt all 10000 different PIN codes until the correct one is found, and then  
use the correct PIN to complete the registration.  
  
  
Impact  
------  
  
The attacker can sign up to foilChat with any email address, bypassing the security  
model of the application. Notably the user name (email address) is the only way to  
confirm identity within the application.  
  
  
Details  
-------  
  
The discovered vulnerabilities, described in more detail below, enable the attack  
described here in brief.  
  
1. Initiate the sign up procedure in the application with a spoofed email address  
  
2. Brute force the correct PIN code  
  
for p in `seq -w 0 9999`; do  
echo $p; if curl -s -d "[email protected]&pin=$p" \  
https://api.foilserver.com/v2.4.3/users/check_credentials |  
grep -q true; then break; fi  
done  
  
3. Once correct PIN is found, complete the sign up with the PIN code  
  
  
The attacker is now registered with the spoofed email address (user name):  
  
https://sintonen.fi/advisories/foilchat-signup-pin-bypass.png  
  
  
Vulnerabilities  
---------------  
  
1. CWE-307: Improper Restriction of Excessive Authentication Attempts  
  
The foilChat backend fails to restrict the number of 'users/check_credentials' API  
calls for a given email address. The attacker can try different PIN codes until the  
correct PIN code is found, and thus bypass the email confirmation.  
  
This issue could be fixed in several ways. One way would be to restrict the number of  
'users/check_credentials' API calls that can be made. Even better, rather than having  
a separate 'users/check_credentials' API call at all, the correct PIN should be  
required for the actual 'users/signup' API call instead.  
  
  
Vulnerable versions  
-------------------  
  
foilChat confirmed the issue fixed 2018-05-24.  
  
  
Credits  
-------  
  
The vulnerability was discovered by Harry Sintonen.  
  
  
Timeline  
--------  
  
2018.05.10 discovered the vulnerability  
2018.05.10 reported the vulnerability via CERT-FI that forwarded it to foilChat  
security contact  
2018.05.24 foilChat reported the vulnerability fixed  
2018.05.24 public disclosure of the advisory  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation