
[Full-disclosure] Pokemon.com has no respect for user's personal data



Hello world!

Under normal circumstances I wouldn't be going for a Full Disclosure but
for something a bit more discreet like some proper e-mails to the
webmaster. But the guys behind the UK Pokémon Video Game Championship
have managed to show their stupidity with the events that followed the
press coverage of a certain incident in a certain hotel by a certain person
who is not necessarily the winner, and they deserve a bit of "love" in
exchange for that.

For me and for many of us the winner will still be RubeNCB92 no matter
what disciplinary actions you have taken against him. And although I
know that this action won't restore his place in the championship, we
hope that the reason this shitty organization has had to hide this
shitty incident by removing his proper title from Ruben is that there is
much more shit behind it that they don't want journalists to find, of
which this is just a small piece.

So what's that we have here? Well, I usually call this an oracle attack:
a kind of attack where you use the answers given by a web page to
check whether a particular piece of information is in a database or not.
In this case what we are checking is whether a set of e-mail addresses
is inside the pokemon.com user database or not.

Why is it a serious vulnerability? Well, amongst other reasons because it
can be used by a spammer to know which of the addresses in his list are
valid and which may not be, thus reinforcing spam campaigns against
those. It can also be abused to obtain other background and personal
information about the e-mail owner, in this case an interest in Pokémon,
which could be abused, and worst of all, it can be used in phishing attacks.

We are not anonymous, you can find us if you search a bit for us, and we
haven't done anything illegal, since all the requests we have done to end
up with this were legitimate, since the fault is a design flaw and not a
coding one. You could argue distributing the code below may be illegal,
but this depends on how you use it; we are distributing it in the hopes
it helps people check if they are affected by this fault and won't be
responsible for any usage beyond that.

The next line is a bash one-liner which will use curl and other standard
Unix tools to check whether the e-mail addresses given as input are in
pokemon.com's user database or not. If they are, the e-mail address is
returned; if they aren't, we return Failure. I hope this helps you know
whether you are affected by the vulnerability or not.

# Reads one e-mail address per line from standard input.
while read email; do \
  curl -s -o- https://www.pokemon.com/uk/account/forgot-username \
    -d csrfmiddlewaretoken=c05b01dc738120000d338aac31de60b4 -d "email=$email" \
    -b csrftoken=c05b01dc738120000d338aac31de60b4 \
    -e https://www.pokemon.com/uk/account/forgot-username \
  | fgrep "Unable to find an account using the provided information." > /dev/null \
  && echo Failure || echo "$email"; \
done

With love,
klondike


Attachment: signature.asc
Description: OpenPGP digital signature
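Added example, not klondike's script and not pokemon.com's code: a minimal forgot-username handler in Python written first the leaky way the post describes and then the uniform way that closes the oracle, with a check that tells the two apart and a per-client rate limit as a second layer. The user table, addresses and mail queue are constructed for the example.

```python
import time
from collections import defaultdict
from typing import Callable, Optional

# Constructed user database (e-mail -> username); not real accounts.
USERS = {"ash@example.com": "ash_k", "misty@example.com": "misty_w"}
OUTBOX = []  # stands in for the mail queue so the example runs offline

def queue_mail(to: str, body: str) -> None:
    # Queue rather than send synchronously, so response time does not
    # depend on whether a mail was generated (timing leaks the same bit).
    OUTBOX.append((to, body))

def forgot_username_leaky(email: str) -> str:
    """The design flaw from the post: the reply text depends on whether the
    address is in the database, so the page answers 'is X a user?'."""
    if email in USERS:
        queue_mail(email, f"Your username is {USERS[email]}")
        return "We have sent your username to the address provided."
    return "Unable to find an account using the provided information."

def forgot_username_uniform(email: str) -> str:
    """Hardened form: one fixed message regardless of the lookup result."""
    username = USERS.get(email)
    if username is not None:
        queue_mail(email, f"Your username is {username}")
    return "If that address is registered, we have e-mailed the username to it."

def is_oracle(handler: Callable[[str], str], known: str, unknown: str) -> bool:
    """True when the visible reply distinguishes a registered address from
    an unregistered one, i.e. the endpoint can be used for enumeration."""
    return handler(known) != handler(unknown)

class RateLimiter:
    """Second layer: cap forgot-username requests per client per window so
    a whole address list cannot be fed through even if some signal remains."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(list)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self.hits[client] if now - t < self.window_s]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True
```

The same reasoning applies to registration and password-reset pages: any difference in status code, body, redirect or response time between a known and an unknown address is the oracle.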

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/