Update index.html
witchdocsec
GitHub
parent
e1556fd1f5
commit
c518613872
|
|
@ -1,6 +1,5 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<html lang="en"><head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<title>The Manganelo Hack (Uncovering a Security Disaster) - Malectrica Blog</title>
|
||||
|
|
@ -34,22 +33,51 @@
|
|||
<div class="container">
|
||||
<article class="subsection">
|
||||
<h3>Initial Investigation</h3>
|
||||
<p>This started when the researcher Tonabrix sent a link to a manga website, he asked us to confirm it authenticated us to his account when clicked. Indeed it did, this was concerning because the only 2 parameters that were used for said authentication process were a base64 encoded username and userID. While userIDs are not public and must be enumerated this is trivial due to a total lack of rate limiting, despite the high number of registered accounts (over 2 million). Our testing revealed it was possible for any account to be compromised knowing only its username in a maximum of around 8 hours when the script is run on a single machine, and 4 when run by the both of us. However in practice the required time could be drastically shortened simply by knowing the rough time-frame in which the target registered their account. We were able to identify a total of 15 domains of theirs on which this attack worked. This is because they have a singular subdomain which takes a username and password and issues a redirect to the desired domain authenticating implicitly via the parameters mentioned prior. This allows us to see and modify the users bookmarks.</p>
|
||||
<p>This started when the researcher Tonabrix sent a link to a manga website, he asked us to confirm it authenticated us to his account when clicked. Indeed it did.
|
||||
<br>
|
||||
This was concerning because the only 2 parameters that were used for said authentication process were a base64 encoded username and userID.
|
||||
<br>
|
||||
While userIDs are not public and must be enumerated this is trivial due to a total lack of rate limiting,
|
||||
<br>
|
||||
despite the high number of registered accounts (over 2 million). Our testing revealed it was possible for any account to be compromised knowing only its username in a maximum of around 8 hours when the script is run on a single machine
|
||||
<br>
|
||||
and 4 when run by the both of us.
|
||||
<br>
|
||||
However in practice the required time could be drastically shortened simply by knowing the rough time-frame in which the target registered their account.
|
||||
<br>
|
||||
We were able to identify a total of 15 domains of theirs on which this attack worked.
|
||||
<br>
|
||||
This is because they have a singular subdomain which takes a username and password and issues a redirect to the desired domain authenticating implicitly via the parameters mentioned prior (username and userID). This allows us to see and modify the users bookmarks via a vulnerability known as IDOR (insecure direct object reference).</p>
|
||||
</article>
|
||||
<article class="subsection">
|
||||
<h3>Further Findings</h3>
|
||||
<p>We decided after this to shift our focus to the shared authentication subdomain in search of alternative and more efficient ATO methods. Soon we found them:</p>
|
||||
<p>CSRF to change the email address, or password (without need for the previous one), or both (why not).</p>
|
||||
<p>Weak password policy (maximum of 20 chars alphanumeric) combined with captchas being header matched and bypassable simply by sending a known captcha answer with the matching headers, results in trivial account bruteforce.</p>
|
||||
<p>The password reset form does not send out emails, instead simply knowing the email and username will grant access to the dialogue to issue a new password (without need for the previous one), these can also be enumerated as the same captca bypass is present in all instances where a captcha is employed (we also found several captcha bypasses for different functionalities via direct navigation due to the heavy reliance on redirection with parameters).</p>
|
||||
<p>We decided after this to shift our focus to the shared authentication subdomain in search of alternative and more efficient attack vectors. Soon we found them:
|
||||
<br>
|
||||
-CSRF to change the email address, or password (without need for the previous one), or both.
|
||||
<br>
|
||||
captchas are tied to headers and bypassable simply by sending a known captcha answer with the matching headers
|
||||
<br>
|
||||
-The password reset form does not issue emails, instead simply knowing the email address and username enables a password change,these can also be enumerated as the same captca bypass is present in all instances where a captcha is employed
|
||||
<br>
|
||||
-Weak password policy (maximum of 20 chars alphanumeric) combined with the captcha bypass, results in trivial: account bruteforce, user and email enumeration, and passwordspraying.
|
||||
<br>
|
||||
(we also found several captcha bypasses for different functionalities via direct navigation due to the heavy reliance on redirection with parameters).
|
||||
</p>
|
||||
</article>
|
||||
<article class="subsection">
|
||||
<h3>Attempt At Resolution</h3>
|
||||
<p>We tried to report these issues to them a while ago and sent several follow up emails (to no reply) when looking back over the website it occurred to us that some of the content is shall we say unsavory and morally reprehensible (without getting into too much detail we do not mean simply because it is smut). The site is popular enough we suspect the majority of users are well intentioned and oblivious, and reading the legitimate (or perhaps ultimately harmless fetish) material. However due to the access to, and control over bookmarks, this presents a huge extortion risk via things like planted and screenshotted bookmarks.</p>
|
||||
<p>We tried to report these issues to them a while ago and sent several follow up emails (to no reply).
|
||||
<br>
|
||||
When looking back over the website it occurred to us that some of the content is shall we say unsavory and morally reprehensible (without getting into too much detail we don't mean simply because its smut).
|
||||
<br>
|
||||
The site is popular enough we suspect the majority of users are well intentioned and oblivious, and reading the legitimate (or perhaps ultimately harmless fetish) material.
|
||||
<br>
|
||||
However due to the access to, and control over bookmarks, this presents a huge extortion risk via things like planted and screenshotted bookmarks.
|
||||
</p>
|
||||
</article>
|
||||
<article class="subsection">
|
||||
<h3>Our Conclusion And Advice</h3>
|
||||
<p>In conclusion manganelo host harmful material, their websites are riddled with security holes and crumble when you touch them (neither of these facts seem to concern them, we have sent 3 emails to the website. including our intentions to go public should they continue to ignore us. our lack of need for monetary reward, and simple desire for the issues to be acknowledged and a commitment made to addressing them). We were able to find 4 separate methods for account takeover, and 2 captcha bypasses, giving us the ability to ultimately compromise any of the over 2 million accounts registered with them. This took us a single evening. It is our advice that any legitimate users of the following domains:</p>
|
||||
<p>In conclusion manganelo host harmful material, their websites are riddled with security holes and crumble when you touch them (neither of these facts seem to concern them, we have sent 4 emails to the website. including our intentions to go public should they continue to ignore us. our lack of need for monetary reward, and simple desire for the issues to be acknowledged and a commitment made to addressing them). We were able to find several separate methods for account takeover, and 2 captcha bypasses, giving us the ability to ultimately compromise any of the over 2 million accounts registered with them. This took us a single evening. It is our advice that any legitimate users of the following domains:</p>
|
||||
<p>- manganato.com</p>
|
||||
<p>- chapmanganato.com</p>
|
||||
<p>- mangakakalot.to</p>
|
||||
|
|
@ -69,8 +97,9 @@
|
|||
|
||||
<footer class="footer">
|
||||
<div class="container">
|
||||
<p>© 2024 Malectrica | All rights reserved</p>
|
||||
<p>© 2024 Malectrica | All rights reserved</p>
|
||||
</div>
|
||||
</footer>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
</body></html>
|
||||
|
|
|
|||
Loading…
Reference in New Issue