what you don't know can hurt you

foilChat Sign Up Email PIN Confirmation Bypass

foilChat Sign Up Email PIN Confirmation Bypass
Posted May 29, 2018
Authored by Harry Sintonen

The foilChat backend fails to prevent brute force attempts of the PIN code. An attacker can attempt all 10000 different PIN codes until the correct one is found, and then use the correct PIN to complete the registration.

tags | exploit, bypass
MD5 | ed66fc5f06d2663c3de5842073089e5c

foilChat Sign Up Email PIN Confirmation Bypass

Change Mirror Download
foilChat sign up email PIN confirmation bypass
==============================================
https://sintonen.fi/advisories/foilchat-signup-email-pin-confirmation-bypass.txt


Overview
--------

foilChat (https://www.foilchat.com/) allows anyone to register with any email
address due to a vulnerability.


Description
-----------

foilChat user names equal to user's email address. At sign up the user is required
to provide an email address. The email address is sent a 4 digit PIN code that the
user is required to enter to the application to complete the registration.

foilChat backend fails to prevent brute force attempts of the PIN code. The attacker
can attempt all 10000 different PIN codes until the correct one is found, and then
use the correct PIN to complete the registration.


Impact
------

The attacker can sign up to foilChat with any email address, bypassing the security
model of the application. Notably the user name (email address) is the only way to
confirm identity within the application.


Details
-------

The discovered vulnerabilities, described in more detail below, enable the attack
described here in brief.

1. Initiate the sign up procedure in the application with a spoofed email address

2. Brute force the correct PIN code

for p in `seq -w 0 9999`; do
echo $p; if curl -s -d "email=victim@example.invalid&pin=$p" \
https://api.foilserver.com/v2.4.3/users/check_credentials |
grep -q true; then break; fi
done

3. Once correct PIN is found, complete the sign up with the PIN code


The attacker is now registered with the spoofed email address (user name):

https://sintonen.fi/advisories/foilchat-signup-pin-bypass.png


Vulnerabilities
---------------

1. CWE-307: Improper Restriction of Excessive Authentication Attempts

The foilChat backend fails to restrict the number of 'users/check_credentials' API
calls for a given email address. The attacker can try different PIN codes until the
correct PIN code is found, and thus bypass the email confirmation.

This issue could be fixed in several ways. One way would be to restrict the number of
'users/check_credentials' API calls that can be made. Even better, rather than having
a separate 'users/check_credentials' API call at all, the correct PIN should be
required for the actual 'users/signup' API call instead.


Vulnerable versions
-------------------

foilChat confirmed the issue fixed 2018-05-24.


Credits
-------

The vulnerability was discovered by Harry Sintonen.


Timeline
--------

2018.05.10 discovered the vulnerability
2018.05.10 reported the vulnerability via CERT-FI that forwarded it to foilChat
security contact
2018.05.24 foilChat reported the vulnerability fixed
2018.05.24 public disclosure of the advisory


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close