Most retros are vulnerable to CORS misconfiguration

#1
The majority of Habbo retros I've looked at are vulnerable to a simple cross domain hijacking vulnerability due to Flash cross domain policy misconfigurations.

What does that mean?
Essentially if your users play multiple hotels, the other hotel can hijack their SSO token from your hotel, view or submit forms on any of your pages (i.e. housekeeping / account settings) authenticated as them in the background by simply visiting their site.


How do you know if you're vulnerable?
If your crossdomain.xml file looks like the following:
XML:
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>
The fix?
At the very least, you should remove <allow-access-from domain="*" /> from your crossdomain.xml and replace it with config specific to your domain.

For example:
Lax but generally safe: <allow-access-from domain="*.habboon.pw" />
Strict: you can restrict it to a specific sub-domain, i.e. <allow-access-from domain=" [ To view this link you must register here. ] " />

This prevents other domains from reading your site via flash.

I won't be sharing the POC, don't ask.

More details on the topic can be found [ To view this link you must register here. ] .

Sledmore

#2
Thanks Geo.

Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.

[ To view this link you must register here. ]
[ To view this link you must register here. ]

None of the above have been changed yet. I can't remember if assets are on their own server off the top of my head though.
#3
> Thanks Geo.
>
> Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.
>
> [ To view this link you must register here. ]
> [ To view this link you must register here. ]
>
> None of the above have been changed yet. I can't remember if assets are on their own server off the top of my head though.
[ To view this link you must register here. ] was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.

Sledmore

#4
> [ To view this link you must register here. ] was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.
Ahh, that explains it. Cheers. :p
 

Etrion

#5
Thanks for the information, though I've always been using "<allow-access-from domain="*domain" />"
 

EveServer
#6
Interesting. If one has no crossdomain.xml file, would it be considered vulnerable? If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?

If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
 
#8
> If one has no crossdomain.xml file, would it be considered vulnerable?
Nope. If a site has no crossdomain.xml file, it will default to a sane deny by default. If you have one, it will use that as the CORS policy for Flash-based applications - this is different to regular CORS headers (which blocks JavaScript and such from accessing your site cross-origin).

> If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?
Nope, it should only apply to the sub-domain which it is served from if configured correctly.

> If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
Likely lack of knowledge in the area. I know this attack has been used in the past against a few large orgs (i.e. PayPal - was actually used to leak sensitive info such as account balance) some years back.

Explanation of how the policies work, taken from the Adobe docs: [screenshot attachment]
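One way to audit a hotel's crossdomain.xml for the wildcard misconfiguration described in the first post, applying the defaults explained in the reply above (no policy file means Flash denies cross-domain reads; a policy only governs the host that serves it). This is an added example, not code from the thread or from any retro CMS; the sample policies are constructed, and the `secure` and `allow-http-request-headers-from` checks go beyond the plain `domain="*"` case the thread discusses.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for this example: the first matches the thread's
# vulnerable pattern, the second the "lax but generally safe" fix from post #1.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.habboon.pw" />
</cross-domain-policy>"""


def audit_policy(policy_xml):
    """Return a list of findings for one crossdomain.xml body; [] means nothing to flag.

    policy_xml is the file content, or None when the host serves no policy file,
    which Flash treats as deny-all. A policy only governs the host that serves it,
    so run this once per host (www, cms, assets, ...) rather than once per site.
    """
    if policy_xml is None:
        return []  # no crossdomain.xml: Flash denies cross-domain access by default
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [f"malformed policy ({exc}): not a valid policy file, fix it"]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("wildcard allow-access-from: any site can read this host via Flash")
        elif domain.startswith("*.") and domain.count(".") < 2:
            findings.append(f"overly broad pattern '{domain}' covers an entire TLD")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on \'{domain}\': lets plain-HTTP SWFs read an HTTPS host')
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append("wildcard allow-http-request-headers-from: any site may send custom headers")
    return findings


if __name__ == "__main__":
    for name, body in [("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY), ("missing", None)]:
        print(name, "->", audit_policy(body) or ["OK"])
```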
#10
> If they are dumb enough to not properly set up CORS, then they deserve it.
Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.

Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper: [screenshot attachment]
 

TesoMayn

#11
> Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.
>
> Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper: [screenshot attachment]
Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol

Stupid mistakes though
#12
> Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol
>
> Stupid mistakes though
Yeah, seems like most people just copy it from other sites because they don't really understand how it works and want their app to "just work".

Doesn't really help when the top voted/selected answer on SO threads is affected: see [ To view this link you must register here. ]
 