Friday, January 3, 2014

My ad on your OLX favourites - CSRF style

First of all - Happy New Year to all my readers.

OLX is an internet company based in New York City and Buenos Aires, Argentina. The OLX website hosts free user-generated classified advertisements for urban communities around the world and provides discussion forums sorted by various topics. They are present in more than 90 countries.

The Portuguese OLX domain, olx.pt, one of the most popular websites in the country, was vulnerable to a CSRF that let anyone add an ad to a visitor's favourites section just by getting them to visit a specially crafted webpage.
This attack could be used to gain more visibility for a particular ad or even to spread scams, like...

When a visitor opened a page with this code:
<iframe src="http://figueiradafoz.olx.pt/favoritos/?op=park&id=441731811&in=1" height="0" width="0"></iframe>
It would add that ad to the visitor's favourites section, even if they weren't authenticated. The favourites endpoint changed state on a plain GET request with nothing tying the request to the page the user was actually on, so the browser happily sent it from a hidden iframe on any third-party site.
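To show what the fix on the server side looks like, here is an added example (not OLX's code) modelled on the endpoint parameters in the post (op=park, id, in=1): the vulnerable handler that mutates state on GET, next to a hardened one that only accepts POST, checks the Origin/Referer host and verifies a per-session synchronizer token. The request and session objects, the handler names and the allowed hostnames are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed: the site's own hostnames (olx.pt and its city subdomains).
SITE_HOST = "olx.pt"


@dataclass
class Session:
    favourites: set = field(default_factory=set)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict
    headers: dict = field(default_factory=dict)


def favourite_handler_vulnerable(req: Request, session: Session) -> tuple:
    # Behaviour described in the post: any GET with op=park&id=...&in=1
    # changes state, so a hidden <iframe src=...> on another site
    # triggers it with the visitor's cookies attached.
    if req.params.get("op") == "park" and req.params.get("in") == "1":
        session.favourites.add(req.params["id"])
        return 200, "parked"
    return 400, "bad request"


def _same_site(req: Request) -> bool:
    # Browsers set Origin/Referer on cross-site requests; an attacker page
    # cannot forge them. Accept the site host and its subdomains only.
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    host = urlsplit(src).hostname or ""
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def favourite_handler_hardened(req: Request, session: Session) -> tuple:
    if req.method != "POST":            # state changes never ride on GET
        return 405, "method not allowed"
    if not _same_site(req):             # reject cross-site origins
        return 403, "cross-site request rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant time
        return 403, "missing or invalid csrf token"
    if req.params.get("op") == "park" and req.params.get("in") == "1":
        session.favourites.add(req.params["id"])
        return 200, "parked"
    return 400, "bad request"
```

The token must be rendered into the site's own favourites form and compared per session; a deployment today would also set the session cookie with SameSite=Lax as a further layer.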


This issue was fixed by the local company responsible for OLX in Portugal in a few days.
I didn't test similar issues on other OLX sites, but I hope my alert helped them spread the word about CSRF.

Timeline
08 Nov 2013: Sent security advisory to OLX
08 Nov 2013: OLX replied that they are looking into it
15 Nov 2013: OLX reported that the problem has been fixed
03 Jan 2014: Full disclosure
