Likes.com, one of the emerging social networking site and popular image browsing platform, is found vulnerable to several critical vulnerabilities that could allow an attacker to completely delete users’ account in just one click.
Likes.com is a social networking website that helps you to connect with people you like and make new friends for free. Just like any other social place, users can always follow their favorite tag or people who catch their fancy. It is much easier to use and is designed for those who want to look at pictures different people upload.
An independent security researcher Mohamed M. Fouad from Egypt has found a series of critical security vulnerabilities in the Likes website that really pose danger to its users. The vulnerabilities he found not only have capability to add any post, comment to users’ account as well as delete users’ account, but the vulnerabilities can be escalated to deface entire website by posting malicious URLs and delete all users accounts.
CRITICAL VULNERABILITIES IN LIKES.COM
Fouad discovered that the Likes.com website is vulnerable to three security vulnerabilities:
CSRF - Cross-Site Request Forgery
Among all the three flaws, the most critical one, according to Fouad, is CSRF vulnerability, because exploiting this vulnerability can allow an attacker to force users to add malicious links to their posts and comments and if user click it, their accounts can be deleted in just a click.
Cross-Site Request Forgery (CSRF or XSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. All the attacker need to do is get the target browser to make a request to your website on their behalf. If they can either:
Convince your users to click on a HTML page they've constructed
Insert arbitrary HTML in a target website that your users visit
Basically, an attacker will use CSRF to trick a victim into accessing a website or clicking a URL link that contains malicious or unauthorized requests.
JUST ONE CLICK AND USERS' ACCOUNTS DELETED
“It's so easy, I tried it but in some testing accounts. I was able to generate my malicious url in all posts by image_id (Post) then my malicious url was in thousands of posts as a comment. So any user who click it, his/her account will be deleted immediately,” Fouad told The Hacker News.
Not just this, the CSRF vulnerability could be escalated by a cyber criminal to deface entire website by generating random POSTs (image_ids) and post malicious url to (DELETE USER ACCOUNTS) in order to delete a number of users account just in one click.
“Using same CSRF vulnerability, I can also force the user to post my malicious URL to his/her account, so that all his/her friends who will browse that link, their accounts will be deleted by just one click.”
LOGIN BRUTE-FORCE ATTACK
Fouad discovered an account password by systematically trying every possible combination of letters, numbers and symbols until and unless he discovered the correct combination. This clearly means that the login page of the Likes.com website doesn't have any protection against password brute force attacks.
As a result, anyone can try multiple number of attempts in order to guess the correct password combination. The site must have implemented some type of account lockout after a defined number of incorrect password attempts, said Fouad in his blog post.
LOGIN BYPASS ATTACK
Fouad also found a security problem with login when anyone click on "unsubscribe" link in their email notifications. Once clicked, user is redirected to the account settings.
Now, when he tried to open this URL in different browsers and different machines, he was able to access the account normally, and that too without Login. This shows Likes accounts can bypassed your login.
As a responsible security researcher, Fouad also reported the critical flaws 10 days ago to the Likes team, but neither the company fix it, nor it replied him back. Fouad has also provided a video demonstration as a Proof of Concept. The security vulnerabilities are critical and should be fixed as soon as possible.