RCE In AddThis

This vulnerability has been fixed as of July 20, 2016 and is shared with consent from the vendor.
If you wish to share the information provided in the write up, provide credit for the original author or contact [email protected] for more info. Timeline of the report

July 20, 2016 8:59 AM: Vulnerability is reported to the vendor through [email protected]
July 20, 2016 11:56 AM: Initial reply from the vendor regarding confirmation and process
July 20, 2016 12:00 AM: Vendor patches the vulnerability.

AddThis launched a responsible disclosure program quite a while ago. I had never paid attention to it until yesterday when I was browsing some articles regarding public exploits and vulnerabilities. One of the article was written by the team at Detectify. This article dealt with possibility of having a remote code execution if a Werkzeug debugger was publicly available.

I started to look into what is known as the Hackers Google, Shodan. During the research of this exploit I noticed that AddThis also had this installed.

During the inital research, Shodan showed that AddThis might be suspectible to this vulnerability. However there was IP address with the port provided. I started to look more into this and was soon able to confirm that this IP blcock was assigned to AddThis server. Now I wanted to find the domain associated as well. This was not a hard one to find.

The domain and port associated was addth.is:5000. addth.is was a domain used by AddThis to redirect its user to addthis.com if they had clicked any link from sites like Twitter.

This vulnerability was previously reported through the contact page from AddThis however I soon found that the contact page was not working correctly. So I decided to email from [email protected] which worked. Within 2 hours of the initial report, the vulnerability was patched and currently the page shows 503 service unavailable.

addthis bugbounty

blog comments powered by Disqus

More you might like

This domain is my domain - G Suite A record vulnerability

In part two of G Suite vulnerability discussion, I am writing about a simple but quite serious vulnerability in yet another part of G Suite Application. In general, G Suite is a major application of Google with multiple features. Its primary security relies on the concept of Domain Ownership Verification.

Keep reading

I got emails - G Suite Vulnerability

After recent finding about Uber and SendGrid bug, I decided to check other third party applications that were also used for similar cases. During the investigation, some third party applications were found to be vulnerable including G Suite.

Keep reading

hackeorne togetherwehitharder

Bypassing Ebay XSS Protection to launch XSS by Nirmal Dahal

This is a small proof of concept regarding “Reflective Cross-Site Scripting [ R-XSS ]” which I had found on Ebay. I am not an active participant in bug bounty programs, but one day I had finished all my office works so I was surfing on Facebook and received a message from my brother, Samir, asking for advice regarding some musical instruments. The message contained a eBay link. Once on eBay, I logged into the site to view details, and suddenly noticed “Help & Contact” menu, I followed that menu and went to “Customer Service” page where I saw a search field, I decided to check for “Cross-Site Scripting [ XSS ]” vulnerability and unexpectedly found POST type R-XSS.

Testing For XSS

As all security researchers do, I also have certain pathways to find vulnerabilities. I always use ’>Test12345<“ as it contains number, letter and syntax. This allows me to see how a website handles user inputs. Some questions like “is the user input sanitized? how sensitive is user input?” can be answered from this idea.

Keep reading

ebay xss bugbounty submission

How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]

When researching about MX records of slack.com, I noticed that they used a 3rd party email service. In that service, however slack.com was already claimed. After a little more research, I found that all the sub-domains of slack.com like teamname.slack.com also had MX set to the same service. These team domains were not claimed, so the emails for these domains could also be intercepted. What is the major issue with this? Could you send a message to your team from an email? These initial questions lead to a deeper research which discovered a critical vulnerability on Slack that would let me snoop into private slack messages.

Keep reading

hackerone slack bugbounty

Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]

After recent finding about one of the Uber’s subdomain takeover was publicly disclosed, I looked into Uber to find similar bugs. One of my colleagues Abhibandu Kafle, pointed out that em.uber.com also had CNAME pointing to SendGrid and could be vulnerable to similar kind of issue.

I had limited experience using SendGrid, so I focussed on finding other issues instead. Sometimes later, I decided to give it a shot anyway because looking at it through different angles can sometimes open various doors and I was running out of endpoints to look into. So I signed up on SendGrid, a transactional and marketing email service used by uber, to see what was possible.

Keep reading

bugbounty hackerone uber hacker bugcrowd

PornHub: Email Confirmation Bypass

Reporter : Vaxo Dai (@___0x00)

After signing up client needs to verify his email address to further use but the confirmation can be bypassed and can put any email address to confirm the user account

Keep reading

informative pornhub bugbounty

Title: Multiple Stored XSS and HTML Injection in Edueto.

Found by: Skelor

blog hackerone bugbounty pwned