Most retros are vulnerable to CORS misconfiguration

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
The majority of Habbo retros I've looked at are vulnerable to a simple cross domain hijacking vulnerability due to Flash cross domain policy misconfigurations.

What does that mean?
Essentially if your users play multiple hotels, the other hotel can hijack their SSO token from your hotel, view or submit forms on any of your pages (i.e. housekeeping / account settings) authenticated as them in the background by simply visiting their site.

You must be registered for see images attach


How do you know if you're vulnerable?
If your crossdomain.xml file looks like the following:
XML:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

The fix?
At the very least, you should remove <allow-access-from domain="*" /> from your crossdomain.xml and replace it with config specific to your domain.

For example:
Lax but generally safe: <allow-access-from domain="*.habboon.pw" />
Strict: you can restrict it to a specific sub-domain, i.e. <allow-access-from domain=" " />

This prevents other domains from reading your site via flash.

I won't be sharing the POC, don't ask.

More details on the topic can be found .
 
Last edited:

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,194
3,901
Thanks Geo.

Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.




None of the above have been changed yet. I can't remember if assets are on their own server of the top of my head though.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Thanks Geo.

Just a question - on Boon which crossdomain file allows all? (I think the CMS does have CORS enabled to all though, via headers) but I'm not sure which XML file does allow from all.




None of the above have been changed yet. I can't remember if assets are on their own server of the top of my head though.
was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.
 
Last edited:

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,194
3,901
was the one which previously had the wildcard (no longer affected), I spoke to Ash and got it updated prior to posting the thread.

Ahh, that explains it. Cheers. :p
 

Etrion

?
Dec 22, 2016
108
32
Thanks for the information, tho I've always been using "<allow-access-from domain="*domain" /> "
 

EveServer

New Member
Jun 15, 2019
6
30
Interesting. If one has no crossdomain.xml file, would it be considered vulnerable? If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?

If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If one has no crossdomain.xml file, would it be considered vulnerable?
Nope. If a site has no crossdomain.xml file, it will default to a sane deny by default. If you have one, it will use that as the CORS policy for Flash-based applications - this is different to regular CORS headers (which blocks JavaScript and such from accessing your site cross-origin).

If the crossdomain is on a different domain (such as a subdomain) does that affect the root domain?
Nope, it should only apply to the sub-domain which it is served from if configured correctly.

If this is truly the case and sites are in the red, it's pretty surprising nobody has taken advantage of this before.
Likely lack of knowledge in the area. I know this attack has been used in the past against a few large orgs (i.e. PayPal - was actually used to leak sensitive info such as account balance) some years back.

Explanation of how the policies work taken from Adobe docs:
You must be registered for see images attach
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If they are dumb enough to not properly set up CORS, then they deserve it.
Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.

Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper:
You must be registered for see images attach
 

TesoMayn

Boredom, it vexes me.
Oct 30, 2011
1,482
1,482
Sure but many large orgs messed it up the same way too (Facebook, PayPal, Badoo, so on). I think Flash's bad design takes some of the blame.

Someone actually did some research on how many sites are affected from Alexa top 50k, here's a snippet taken from the paper:
You must be registered for see images attach
Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol

Stupid mistakes though
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Yea, seems like it's something that people overlook, or they just use * to make it easier for them later lol

Stupid mistakes though
Yeah, seems like most people just copy it from other sites because they don't really understand how it works and want their app to "just work".

Doesn't really help when the top voted/selected answer on SO threads is affected: see
 

Users who are viewing this thread

Top