Most retros are vulnerable to CORS misconfiguration

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
The majority of Habbo retros I've looked at are vulnerable to a simple cross domain hijacking vulnerability due to Flash cross domain policy misconfigurations.

What does that mean?
Essentially if your users play multiple hotels, the other hotel can hijack their SSO token from your hotel, view or submit forms on any of your pages (i.e. housekeeping / account settings) authenticated as them in the background by simply visiting their site.



How do you know if you're vulnerable?
If your crossdomain.xml file looks like the following:
XML:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

The fix?
At the very least, you should remove <allow-access-from domain="*" /> from your crossdomain.xml and replace it with config specific to your domain.

For example:
Lax but generally safe: <allow-access-from domain="*.habboon.pw" />
Strict: you can restrict it to a specific sub-domain, i.e. <allow-access-from domain=" " />

This prevents other domains from reading your site via flash.

I won't be sharing the POC, don't ask.

More details on the topic can be found .
 
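The check described in the post above, as an added example that is not part of the original post or of any hotel's CMS: it parses a crossdomain.xml and rates each allow-access-from entry against the site's own domain. The domain hotel.example, the sample policies and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; hotel.example is a placeholder domain.
WILDCARD_POLICY = """<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
<allow-access-from domain="*.hotel.example" />
<allow-access-from domain="cdn.partner.example" />
</cross-domain-policy>"""


def classify(domain, own_domain):
    """Rate one allow-access-from domain value against the site's own domain."""
    d = domain.strip().lower()
    own = own_domain.lower()
    if d == "*":
        return "open-to-all"        # any site's SWF may read responses
    if d == own or d.endswith("." + own):
        return "own-domain"         # exact host or a *.own wildcard
    if "*" in d:
        return "foreign-wildcard"   # wildcard that is not under own_domain
    return "foreign-host"           # a named third party; confirm it is intended


def audit_policy(xml_text, own_domain):
    """Return (domain, rating) for every allow-access-from entry.

    Passing None models a site with no crossdomain.xml: nothing is granted.
    """
    if xml_text is None:
        return []
    root = ET.fromstring(xml_text)
    return [(e.get("domain", ""), classify(e.get("domain", ""), own_domain))
            for e in root.iter("allow-access-from")]


def is_vulnerable(xml_text, own_domain):
    """True when any entry grants access wider than named hosts."""
    risky = {"open-to-all", "foreign-wildcard"}
    return any(rating in risky for _, rating in audit_policy(xml_text, own_domain))


if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY), ("missing", None)]:
        print(name, is_vulnerable(policy, "hotel.example"), audit_policy(policy, "hotel.example"))
```

Run it against the policy file served from each host you operate (main site, CMS, asset host), since each host serves its own policy.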

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,199
3,934
Thanks Geo.

Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.




None of the above have been changed yet. I can't remember if assets are on their own server off the top of my head though.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Thanks Geo.

Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.




None of the above have been changed yet. I can't remember if assets are on their own server off the top of my head though.
was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.
 

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,199
3,934
was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.

Ahh, that explains it. Cheers. :p
 

Etrion

?
Dec 22, 2016
108
32
Thanks for the information, tho I've always been using "<allow-access-from domain="*domain" /> "
 

EveServer

New Member
Jun 15, 2019
6
30
Interesting. If one has no crossdomain.xml file, would it be considered vulnerable? If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?

If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If one has no crossdomain.xml file, would it be considered vulnerable?
Nope. If a site has no crossdomain.xml file, it will default to a sane deny by default. If you have one, it will use that as the CORS policy for Flash-based applications - this is different to regular CORS headers (which block JavaScript and such from accessing your site cross-origin).

If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?
Nope, it should only apply to the sub-domain which it is served from if configured correctly.

If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
Likely lack of knowledge in the area. I know this attack has been used in the past against a few large orgs (i.e. PayPal - was actually used to leak sensitive info such as account balance) some years back.

Explanation of how the policies work taken from Adobe docs:
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If they are dumb enough to not properly set up CORS, then they deserve it.
Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.

Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper:
 

TesoMayn

Boredom, it vexes me.
Oct 30, 2011
1,482
1,482
Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.

Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper:
Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol

Stupid mistakes though
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol

Stupid mistakes though
Yeah, seems like most people just copy it from other sites because they don't really understand how it works and want their app to "just work".

Doesn't really help when the top voted/selected answer on SO threads is affected: see
 
