Authentication Bypass

Inspect Element leads to Stripe Account Lockout Authentication Bypass

A common thing I see happening with many popular applications is that a developer will disable an HTML element through the “class” attribute. It usually looks something like this:

This works pretty well in some situations, but in other situations it can be manipulated to perform actions that really shouldn’t be done by an unauthenticated user. That’s exactly what happened in a bug I submitted to Stripe a few weeks ago.

When you are logged into your Stripe account, you will be timed out after a certain amount of inactivity. Once this you reach this timeout, you aren’t able to make any changes on the account or view other pages until you re-authenticate by entering your password. Herein lies the problem with using a “disabled” class tag – an attacker can simply manipulate the page through inspect element to allow them to delete the disable class tag and view other pages, allowing them to send requests.

In this video below, you’ll see how I’m locked out of a Stripe account because of inactivity, but by navigating to the “invite user” section of the timeout page through inspect element, I am able to invite myself as an administrator on the account that is timed out, without authenticating first.

This, of course, requires a person to first be logged in to their Stripe account and leave their computer out in the open… but using this method you can render the entire lockout process completely useless on a Stripe.com account. It’s interesting nonetheless that the folks at Stripe made sure that a malicious user couldn’t change the web hooks… but inviting an administrator to the account is completely allowed.

Stripe followed up and clarified by saying that simply dismissing the entire modal isn’t enough to bypass the authentication check, it is instead checked at the backend, but that check was accidentally removed in this situation which allowed me to invite another administrator.

Stripe security was very responsive in resolving this issue and it was fixed shortly after I reported it. I asked permission before publishing this article. Bounty: $500.

I have some more bounty writeups that are a bit more technical than this one coming soon, including a writeup on a CVE I discovered, so check back later for more updates. Additionally, you can follow me on Twitter to stay up to date with my bugs and what I’m doing, if you wish.

Other Bugs

Bypassing Apple’s iOS 10 Restrictions Settings – Twice

By default, Apple has a feature that allows all of their iOS devices to be assigned restrictions, so that employees and mostly children cannot access naughty websites and other types of less-desirable content. You can enable these settings by visiting Settings > General > Restrictions on your iPhone or iPad.

Around the beginning of every year I try to break Apple’s restrictions settings for websites. It’s a pretty nerdy thing to do and its not really classified as a “vulnerability” – but it’s a fun challenge and leads to some pretty interesting bugs, so I wanted to talk about a few of them here:

When I test the restriction settings, I turn restrictions on, and then I change the website settings to allow Safari, but only the default specific websites (see screenshot below).

The first time I found out how to bypass the restrictions, I did it on accident. I noticed that there were certain pages I had open previously in Safari that, when restrictions were turned on, I was still able to reload even though the domains were not on the list of approved websites. I realized that all these pages I had open had one thing in common: they were all displaying PDF’s. So now, by simply appending .pdf at the end of the Safari URL, it was possible to visit any website. An example is below:

Restricted URL: www.jonbottarini.com (left image)

Allowed URL: www.jonbottarini.com/anything.pdf (right image)

That one was pretty interesting. I reported it to Apple through their bug tracker and it was marked as a duplicate  – looks like someone else had found it before me. I tried again to see if it was possible through another method, and after a few hours I discovered another way:

(The following is my assumptions as to how the website restrictions work behind the scenes) When Apple checks a URL, they check the structure of the URL to see if it matches the list of whitelisted domains. What doesn’t happen is an additional check to ensure that the URL actually ends… or if it contains subdomains that match a whitelisted domain. This may be hard to explain so I made a photo to demonstrate:

See what’s happening here? Only the URL up to “.com” is checked against the whitelist. The restrictions settings do not check to see if a URL contains subdomains… so I’m able to trick the filter to allowing a domain such as “www.apple.com123.com” to be let through. The actual domain name in this case is com123.com – which is definitely not on my approved list of domains.

Restricted URL: www.com123.com (left image)

Allowed URL (but shouldn’t be!): www.apple.com.com123.com (right image)

I also reported this to Apple about 7 months ago and it still isn’t fixed. I asked them for permission to share this article.

This is just an interesting bug that slipped through the cracks, I assume they will have a fix out eventually for the bugs. Still haven’t made it in the Security HoF for Apple yet, but it’s definitely a goal of mine for the year.

I have other bugs and vulnerabilities that are cooler and more intense than this one coming soon, so check back later and I’ll share them with you. Additionally, you can follow me on Twitter to stay up to date with my bugs and what I’m doing, if you wish.