This video demonstrates a flaw found in a large number of sites. It still makes me chuckle that the cloud is supposed to be this amazing thing and yet simple XSS and CSRF attacks can pwn the daylights out of it.
The attack is basically this.
* Attacker convinces a CloudKick user to visit a malicious site
* Victim's email address is changed using Cross-Site Request Forgery
* Password reset is submitted for the user
* Attacker now controls the password reset email and can take over the account
The best protection I have seen so far is to use tokens that are time sensitive, tied to the user session and verified when the request is submitted back to the server. CloudKick, from what I can tell, is based on Django, a popular Python-based web development framework. Django includes magic to combat this type of vulnerability; it simply has to be enabled.
So how do you turn on this magic CSRF protection? The Django project has an easy to follow guide with lots of useful information. All Django developers should be aware of this feature and should embrace its awesomeness.
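As an added illustration of the token scheme described above (example code written for this post, not CloudKick's code and not Django's own implementation, which works differently), a minimal HMAC token bound to the session and to its issue time, checked by a hypothetical change-email handler. The secret, the request shape and the handler are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real deployment keeps it out of source.
SERVER_SECRET = b"example-secret-key-not-for-production"
TOKEN_TTL = 600  # seconds a token stays valid (ten minutes)


def _sign(session_id, issued):
    msg = f"{session_id}:{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_csrf_token(session_id, now=None):
    """Mint a token tied to this session and to the time it was issued."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_sign(session_id, issued)}"


def verify_csrf_token(token, session_id, now=None):
    """Accept only an unexpired token minted for the same session."""
    try:
        issued_str, sig = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:  # malformed or missing token
        return False
    current = int(time.time() if now is None else now)
    if issued > current or current - issued > TOKEN_TTL:
        return False  # dated in the future, or older than TOKEN_TTL
    return hmac.compare_digest(sig, _sign(session_id, issued))


def change_email(request, account, now=None):
    """Hypothetical change-email handler. The browser attaches the session
    cookie to any request, including one forged from another site, so the
    token in the form body is what proves the request came from our page."""
    session_id = request["cookies"].get("sessionid", "")
    token = request["form"].get("csrf_token", "")
    if not verify_csrf_token(token, session_id, now):
        return "403 Forbidden: CSRF token missing, expired or not for this session"
    account["email"] = request["form"]["email"]
    return "200 OK"


if __name__ == "__main__":
    sid, acct = "sess-abc123", {"email": "victim@example.com"}  # constructed sample
    forged = {"cookies": {"sessionid": sid}, "form": {"email": "attacker@example.com"}}
    print(change_email(forged, acct))  # 403, email unchanged
    tok = make_csrf_token(sid)
    legit = {"cookies": {"sessionid": sid}, "form": {"email": "new@example.com", "csrf_token": tok}}
    print(change_email(legit, acct), acct["email"])  # 200 OK new@example.com
```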
Oh, and in case you wanted to know what the source code for the attack looks like, click here. WARNING - If you have a live cloudkick.com session it WILL send me a password reset request.
Update: I would like to first of all apologize to CloudKick, as publishing this was a mistake: they had not yet been notified. I like to follow responsible disclosure and this went against that. For that I apologize.
I would also like to point out to CloudKick and anybody using their service that they did an excellent job taking care of this issue. They responded very quickly and implemented appropriate controls to prevent this issue and other CSRF issues within the application. I am making sure that this miscommunication never happens again by including vendor communication logs in all future videos and advisories.