BentBox.co Security Concerns
Please note that as of this writing, the majority of the problems discussed below have been addressed by the BentBox.co team. I will point out that they were fairly responsive and thankful for the issues that I presented them.
However there are still some of these problems that exist on their site.
On or around June 25th I discovered several security issues with the website BentBox.co. This website provides a platform for photographers and other artists to sell their work. I reached out to a well known security researcher whose name I won't mention until I get permission.
Following that individual's guidance I contacted the folks at BentBox.co and provided them with the details of my findings. Over the course of the next few weeks we emailed a few times.
Below are the details of my findings.
Cookies are used to store session information. The cookies that are set contain 3 pieces of information:
- Adult Content filter setting
- User Id
It is possible to sign in with a valid user name and password to get a valid PHPSessionId and then edit the cookies stored locally to insert a different User Id in order to access another user’s private account information.
You can easily obtain any user's user id value by browsing to one of their boxes and looking at the page source.
It is trivially simple to gain access to any user's private information in this manner. In fact the entire website could be easily compromised with a simple script used to harvest user ids.
What information is accessible?
From my initial research it appears that everything related to a user’s account is accessible, including:
- Private account settings
- Private messages that have been sent / received
- All boxes and their content
- Payment Information
Another major issue is that the website does not use HTTPS by default. This means that every time the page is loaded the cookies containing the PHPSessionId value are transmitted in clear text. This is a major problem because it allows for trivial session hijacking.
How to Fix?
Here are some of my suggestions on how to resolve this problem:
- Enable HTTPS by default for ALL PAGES
- Do not store the userId in the cookie; store only the session id.
- Map session Ids to the correct account in memory server side
- Enforce access control checks on all page loads that verify that the session is still active and is valid for the account.
- I would suggest not using the user's Id anywhere in the page, but it appears this would require significant work to achieve and may not be feasible.
- Expire sessions after a shorter period of time.
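To make the second, third and fourth suggestions concrete, here is an added example (my own illustration, not BentBox.co's code) contrasting a handler that trusts a client-side userId cookie with one that resolves the account purely from a server-side session table and honours a short expiry. The account data, session store, cookie names and the `login` routine are all constructed for the demo.

```python
import secrets
import time

# Constructed in-memory stand-ins for the site's user database and its
# server-side session table (hypothetical, not BentBox.co's real storage).
ACCOUNTS = {
    "1001": {"name": "alice", "password": "alice-pass", "messages": ["hi from bob"]},
    "1002": {"name": "bob", "password": "bob-pass", "messages": ["hi from alice"]},
}
SESSIONS = {}               # session id -> {"user_id": ..., "expires": ...}
SESSION_LIFETIME = 15 * 60  # short-lived sessions, per the fix list above


def login(username, password):
    """Issue a random session id and map it to the account on the server."""
    for user_id, acct in ACCOUNTS.items():
        if acct["name"] == username and secrets.compare_digest(acct["password"], password):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = {"user_id": user_id, "expires": time.time() + SESSION_LIFETIME}
            # The vulnerable layout also puts the user id in a cookie; the
            # fixed handler below never reads it.
            return {"PHPSESSID": sid, "userId": user_id}
    return None


def account_vulnerable(cookies):
    """Once any session is valid, trusts whatever userId the client sent."""
    if SESSIONS.get(cookies.get("PHPSESSID")) is None:
        return None
    return ACCOUNTS.get(cookies.get("userId"))   # editable locally by the client


def account_fixed(cookies, now=None):
    """Resolves the account only from the server-side session record."""
    now = time.time() if now is None else now
    sid = cookies.get("PHPSESSID")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now > sess["expires"]:
        del SESSIONS[sid]            # expired sessions are dropped, not honoured
        return None
    return ACCOUNTS[sess["user_id"]]   # the userId cookie is ignored entirely
```

The same session-to-account mapping is what lets the server reject a request whose session has lapsed, which is the access control check the fourth suggestion asks for.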