A Microsoft cirrigiu uma vulnerabilidade classificada como severa que podia ser aproveitada pelos hackers para eliminar qualquer projetos alojado no Microsoft Translator Hub.
O Microsoft Translator Hub “capacita empresas e comunidades a construir, treinar e implantar sistemas automáticos de tradução de idiomas personalizados”.
“POST request with no content and parameter in the URL (its kinda weird isn’t it?) the “projectid” parameter in the above request is the ID of the individual project in the database, which in this case is “12839“, by observing the above HTTP request, a simple delete project query could be something like:-” wrote the expert in a blog post.
“Wait a minute, if you take a look at the Request, first thing to notice is there is no CSRF protection. This is prone to CSRF attack.” continues the expert. “In simple words, CSRF vulnerability allows attacker to impersonate legit logged in user, performing actions on their behalf. Consider this:-
- Legit user is logged in.
- Attacker includes the URL in a page. (img tag, iframe, lots of possibilities here) “http://hub.microsofttranslator.com/Projects/RemoveProject?projectId=12839”
- Victim visits the page, above request will be sent from their browser.
- Requirement is that one should know the ProjectID number of logged in victim.
- As it has no CSRF projection like antiCSRF tokens it results in the removal of the project.
- Even if it has Anti-CSRF projection, here are ways to bypass CSRF Token protections.”
“The project whose projectID I used in the HTTP request got deleted. Technically this vulnerability is called Indirect Object Reference. now if I just loop through the values starting from 0 to 13000 (last project), I’m able to delete all projects from the database.” continues the expert. “The vulnerability could have been avoided using simple checks, either the project that the user requested is owned by the same user, associating the project owner with the project is another way, but its Microsoft so….”