Cross-Site Request Forgery (CSRF) Allows Hacking NASA Users Accounts with a Simple Link.
Author: Amine SAJID
Introduction
Hi hackers, in this writeup ill share with you how I discovered a Cross-Site Request Forgery (CSRF) vulnerability in a NASA subdomain. This vulnerability allowed me to modify personal information of authenticated users without their consent by a GET requests to authenticated users, leading to unauthorized data manipulation and account compromises.
Bug Type: Cross-Site Request Forgery (CSRF)
Impact: Unauthorized Data Modification, Account Manipulation
Severity: Medium
What is CSRF? (Explained Simply)
CSRF, or Cross-Site Request Forgery, is a type of vulnerability that tricks a user into performing actions they didn’t intend to do on a website where they’re already logged in. Here’s a simple example to understand it:
Imagine you’re logged into your bank’s website. In another tab, you visit a malicious website created by an attacker. Without you realizing it, this malicious site sends a request to your bank’s website to transfer money to the attacker’s account. If the bank’s website doesn’t have proper protections (like CSRF tokens), the request will be executed because your browser automatically includes your session cookies.
In the case of this NASA, the CSRF vulnerability allowed an attacker to create a malicious link. If a logged-in NASA user clicked the link, their profile information (like email or username) would be changed without their consent.
If you’re still confused, don’t worry! you’ll understand through the real-world scenario I discovered while investigating this bug.
The Hunt Begins: Hacking NASA users
First i started by searching for sub-subdomains using google dorks:
site:*.*.nasa.gov
After coming across some subdomains, I found an interesting one that allowed registration. I set up an account and immediately went to edit my information. It turned out to be a dumb mistake by the developers to allow users to update their information using a simple GET request without appropriate validation. As you can see, users could easily edit their information with a GET request like this:https://sub.sub.nasa.gov/account/profile.php?username=test&[email protected]
If I send this link to another user, all they need to do is click it while logged into their account. Once they do, their email address will be changed to mine. After that, I can use the “forgot password” feature to reset their password and gain access to their account.
At first, I thought of an Insecure Direct Object Reference (IDOR) vulnerability, so I considered fuzzing hidden parameters to see if there was an “id” parameter that would allow me to change other users’ data. However, I remembered that this is just a Vulnerability Disclosure Program (VDP), so I simply confirmed the CSRF proof of concept (POC) and reported it 🙂
Impact
An attacker can send a link containing a GET request to authenticated users. If a user clicks on the link, their personal information will be changed, leading to unauthorized access.
Recommended Fix
CSRF Token Validation:
Ensure that all sensitive actions, especially those that modify user data, are protected by CSRF tokens that are unique per session and action. This will prevent unauthorized requests from being executed.
Conclusion
This CSRF vulnerability demonstrates why proper input validation is crucial for user profile modifications. Although the attack requires only a simple click, the consequences can lead to hacking NASA user accounts, unauthorized changes to sensitive data, account compromises, and even full account takeovers.
After responsibly reporting this bug to NASA, they sent me this letter of appreciation: 🚀
Final Thoughts:
As ethical hackers, we find joy in discovering bugs and tackling new challenges. However, hunting on programs that don’t pay, like VDPs, won’t keep us motivated or push us to give our best in finding vulnerabilities. We hope that big programs introduce competitive rewards to keep us motivated and continue contributing to a safer digital world.
