[FD] Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Oct 2014 00:25:56 +0200
Document Title:
===============
Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1303
Release Date:
=============
2014-10-13
Vulnerability Laboratory ID (VL-ID):
====================================
1303
Common Vulnerability Scoring System:
====================================
3.6
Product & Service Introduction:
===============================
Find jobs using Indeed, the most comprehensive search engine for jobs. In a
single search, Indeed offers free access to millions of jobs from thousands of
company websites and job boards. From search to apply, Indeed’s Job Search app
helps you through the entire process of finding a new job. Since 2004, Indeed
has given job seekers free access to millions of jobs from thousands of company
websites and job boards. As the leading pay-for-performance recruitment
advertising network, Indeed drives millions of targeted applicants to jobs in
every field and is the most cost-effective source of candidates for thousands
of companies. We take our security very seriously and welcome any responsible
disclosure of potential gaps in our systems.
(Copy of the Homepage: https://itunes.apple.com/us/app/job-search/id309735670 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities
in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
Vulnerability Disclosure Timeline:
==================================
2014-10-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Indeed.com (Bug Bounty)
Product: Job Search - Mobile Application API 2.5
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
1.1
A persistent input validation vulnerability has been discovered in the
official Indeed.com `Job Search` v2.5 mobile web application (API).
The vulnerability allows an attacker to inject script code that is stored and
executed on the application side of the vulnerable online service module.
The vulnerability is located in the two fields of the main job search form,
`Was Stichwort, Jobtitel oder Unternehmen` (What: keyword, job title or company)
and `Wo Ort, Bundesland oder Postleitzahl` (Where: town, state or postal code).
A low privileged user account is able to inject script code simply by submitting
the regular `Jobs finden` (find jobs) button. The request runs through the
mobile API and the values are neither parsed nor encoded, so the code the
attacker types into the input fields executes in the results page served
through the mobile API.
The first execution occurs on the client side (reflected). After the first
search request the application remembers the search strings and saves them
application-side in the user profile. The originally client-side injection
therefore becomes an application-side (stored) attack, because the malicious
values are rendered again from the database context of the user profile.
During the test we used js, html tags and php code to exploit the issue and verify.
The input executes frames, images and script code in the header of the results
page, where the vulnerable `stichwort` and `ort` values are located. The search
input and the stored information can also be reviewed in the backend, which
requires verification by a higher privileged Indeed account.
The security risk of the vulnerability is estimated as medium with a CVSS
(Common Vulnerability Scoring System) count of 3.9. Exploitation of the
security issue requires low user interaction and a registered low privileged
mobile web application user account. Successful exploitation of the security
vulnerability results in session hijacking (user/manager/admin), persistent
phishing, persistent external redirects or persistent manipulation of affected
or connected module context.
Vulnerable Application(s):
[+] Indeed.com - Job Search v2.5 iOS Mobile
Application (API)
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Was Stichwort, Jobtitel oder Unternehmen
[+] Wo Ort, Bundesland oder Postleitzahl
Affected Module(s):
[+] Job Search Results
[+] History - Vorherige Job suchen (previous job searches)
1.2
A client-side cross site scripting vulnerability has been discovered in the
official Indeed.com `Job Search` v2.5 mobile web application (API).
The vulnerability allows remote attackers to hijack the session information of
website customers, moderators or administrators by client-side cross site
scripting requests.
The vulnerability is located in the `Empfänger` (recipient) input of the
`Job Suche > Wähle Job Angebot` (job search > choose job offer) module. Low
privileged user accounts are able to inject script code into the `Empfänger`
input field of the iOS application. The result is client-side script code
execution in the context of the job article page, near the page bottom. The
attack vector is non-persistent and the injection method is POST. During the
test we used js, html tags and php code to exploit the issue and verify. The
injected code executes directly after the request through the API, at the
bottom of the job article page next to the vulnerable `Empfänger` input.
The security risk of the vulnerability is estimated as medium with a CVSS
(Common Vulnerability Scoring System) count of 3.6. Exploitation of the
security issue requires low user interaction and no privileged mobile web
application user account. Successful exploitation of the security vulnerability
results in session hijacking (user/manager/admin), non-persistent phishing,
non-persistent external redirects or client-side manipulation of affected or
connected module context.
Vulnerable Application(s):
[+] Indeed.com - Job Search v2.5 iOS Mobile
Application (API)
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Job Suche > Wähle Job Angebot
Vulnerable Input(s):
[+] Empfänger
Affected Module(s):
[+] Job Suche > Job Angebot (Bottom > Empfänger)
Proof of Concept (PoC):
=======================
1.1
The persistent input validation web vulnerability can be exploited by remote
attackers with a low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below.
Test Account:
Username: bkm@xxxxxxxxxxxxxxxxx
Password: keymaster148
Manual steps to reproduce the vulnerability ...
1. Install the Indeed Job Search v2.5 application for Apple iOS
(https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Login to the account
4. Open the main job search module
5. Inject your own script code payload into the two vulnerable input fields
Note: Both input fields run directly through the API of the mobile application
6. You get redirected to the results page, where the execution takes place at
the top of the webpage context
7. Client-side reproduce successful!
8. Now go back to the regular profile in the main app index search
Note: The mobile app allows saving the already requested context of an
existing search (search history)
9. The `Vorherige Job suchen` (previous job searches) module requests the saved
context, and the client-side issue is now an application-side vulnerability
10. Successful reproduce of the vulnerability!
1.2
The non-persistent cross site scripting vulnerability can be exploited by
remote attackers without a privileged application user account and with medium
or high user interaction. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below.
1. Install the Indeed Job Search v2.5 application for Apple iOS
(https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Login to the account
4. Open the main job search module and search for any existing job name
5. Click the existing job article and scroll down to the page bottom
Note: The application uses the `Empfänger` (recipient) field to notify users
and the seeker
6. Inject your own payload into the `Empfänger` input field and submit it with
send
7. The code execution occurs directly next to the vulnerable input field
Note: The value passed through the mobile API is not validated correctly, which
results in the client-side execution of the code
8. Successful reproduce of the client-side vulnerability!
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
../9.png
../10.png
../11.png
../12.png
../13.png
../14.png
../15.png
../16.png
Solution - Fix & Patch:
=======================
1.1
The first issue can be patched by securely parsing and encoding the values on
the results page where the vulnerable execution occurs.
Filter and restrict the input of the search through the mobile iOS API to
prevent further persistent and non-persistent attacks.
1.2
The second vulnerability can be patched by encoding the `Empfänger` input
value, which is present in every job article. The value needs to be parsed and
encoded to ensure attackers are not able to execute client-side attacks against
customers to compromise (hijack) session information.
It may also be wise to implement in the mobile API and app a new exception for
invalid requests.
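The two fixes amount to the same change at three rendering points. The following is an added example, not code from Indeed or from the advisory: a small JavaScript model of the results-page header and search input (1.1), the search history replay (1.1) and the job page's recipient notice (1.2), each rendered once with raw string concatenation and once with output encoding, plus the API-side input filter as a second layer. The field names stichwort, ort and empfaenger follow the advisory; the function names, the SearchHistory class, the reflection into the search input's value attribute and the sample payload are assumptions made for this example.

```javascript
// Added example (not Indeed's code and not from the advisory): a minimal model
// of the three rendering points the advisory describes, each with the
// vulnerable string concatenation next to an output-encoded version.
// The field names stichwort, ort and empfaenger follow the advisory; every
// function name, the SearchHistory class and the payload are assumptions.

// Constructed sample payload in the style of the PoC: closes an attribute,
// then injects an image tag whose event handler runs script.
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

// Encode the five characters that change HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Issue 1.1, vulnerable: the raw search terms are written into the results
// page header and back into the search field's value attribute (the attribute
// reflection is assumed here; the advisory only names the header).
function renderResultsHeaderUnsafe(search) {
  return '<h1>Jobs: ' + search.stichwort + ' in ' + search.ort + '</h1>' +
    '<input name="stichwort" value="' + search.stichwort + '">';
}

// Issue 1.1, fixed: encode where the value meets markup. Quotes are encoded
// too, so the attribute context cannot be closed early.
function renderResultsHeaderSafe(search) {
  return '<h1>Jobs: ' + escapeHtml(search.stichwort) + ' in ' + escapeHtml(search.ort) + '</h1>' +
    '<input name="stichwort" value="' + escapeHtml(search.stichwort) + '">';
}

// Search history ("Vorherige Job suchen"): the terms are stored as entered, so
// the reflected payload is replayed on every visit to the history page. The
// stored value can stay raw; it must be encoded at render time.
class SearchHistory {
  constructor() { this.entries = []; }
  record(search) { this.entries.push({ stichwort: search.stichwort, ort: search.ort }); }
  renderUnsafe() {
    return '<ul>' + this.entries.map((e) => '<li>' + e.stichwort + ', ' + e.ort + '</li>').join('') + '</ul>';
  }
  renderSafe() {
    return '<ul>' + this.entries.map((e) =>
      '<li>' + escapeHtml(e.stichwort) + ', ' + escapeHtml(e.ort) + '</li>').join('') + '</ul>';
  }
}

// Issue 1.2: the job page echoes the Empfänger (recipient) value next to the
// send form. Same defect, same fix.
function renderRecipientNoticeUnsafe(empfaenger) {
  return '<p>Gesendet an: ' + empfaenger + '</p>';
}
function renderRecipientNoticeSafe(empfaenger) {
  return '<p>Gesendet an: ' + escapeHtml(empfaenger) + '</p>';
}

// The advisory's second recommendation, input filtering at the API, as
// defence in depth: bound the length and reject control characters. It does
// not replace output encoding; a legitimate company name may contain '&' or
// quotes, and the PoC-style payload passes this check unchanged.
function validateTerm(value, maxLen = 200) {
  if (typeof value !== 'string' || value.length > maxLen) return false;
  return !/[\u0000-\u001f\u007f]/.test(value);
}

// Oracle for the demo: an unencoded tag that executes on load reached the
// markup. Encoded output contains '&lt;img', which does not match.
function containsActiveMarkup(html) {
  return /<(script|img|iframe|svg)\b/i.test(html);
}

function demo() {
  const search = { stichwort: PAYLOAD, ort: 'Berlin' };
  const history = new SearchHistory();
  history.record(search);
  return {
    reflectedUnsafe: containsActiveMarkup(renderResultsHeaderUnsafe(search)),
    reflectedSafe: containsActiveMarkup(renderResultsHeaderSafe(search)),
    storedUnsafe: containsActiveMarkup(history.renderUnsafe()),
    storedSafe: containsActiveMarkup(history.renderSafe()),
    recipientUnsafe: containsActiveMarkup(renderRecipientNoticeUnsafe(PAYLOAD)),
    recipientSafe: containsActiveMarkup(renderRecipientNoticeSafe(PAYLOAD)),
    payloadPassesFilter: validateTerm(PAYLOAD),
  };
}

console.log(demo());
```

Run it with node. demo() reports true for every unsafe renderer and false for every encoded one, and shows that the PoC-style payload passes the length and control-character filter, which is why encoding at the output, not filtering at the input, is the change that closes both issues; the stored search terms do not need to be rewritten, only rendered correctly.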
Security Risk:
==============
1.1
The security risk of the persistent and non-persistent input validation web
vulnerability in the result page is estimated as medium.
1.2
The security risk of the non-persistent cross site scripting web vulnerability
in the `empfänger` value is estimated as medium(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade
with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: dev.vulnerability-db.com - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/