PushWoosh – Sensitive Information Leakage via Referrer Header

This post is published by Matthew Temmy as a contributor on Bug Bounty POC. Note that the post is written by Matthew Temmy, and any mistake in the writing will be entertained only by him. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.

Hey guys, I'm Aworunse Matthew Temmy and this is my first PoC 😉 I'll be short and precise, and I hope you enjoy it.

Pushwoosh is a free real time cross-platform push notification service. It provides open source SDK and plugins for iOS, Android, Blackberry, Windows Phone and Windows 8, Mac OSX, as well as Unity, PhoneGap and PhoneGap Build, Titanium, Marmalade, Adobe AIR, and other platforms.

After logging into the application dashboard, there are social media buttons in the footer that let users get in touch with PushWoosh on social media, but these links fail to strip useful information when the user visits an external website (e.g. using rel=noopener should take care of this). So if the user clicks any of the websites in the footer, the user's current URL gets sent with the request in the referrer header.

PushWoosh uses target="_blank", which is really not recommended, because the browser will pass the referrer header along with the request and the opened tab will have access to window.opener. A malicious website can also exploit that: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

The information being leaked includes, but is not limited to, the App ID, API tokens, promo codes, etc. In fact, all useful information included in the URL would be passed on to the external website. Information like the API token can lead to an account compromise.
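The header behaviour described above, as an added example that is not part of the original post: it computes the Referer value a browser would send for a cross-origin link click under different Referrer-Policy values and `rel` attributes, showing that `noreferrer` (not `noopener`) is what suppresses the header. The hostnames, the `api_token` parameter and the token value are constructed placeholders, and "downgrade" is simplified to an https page linking to a non-https URL.

```javascript
// Added example: which Referer value is sent when a link on pageUrl is clicked.
// Simplification (assumption): "downgrade" = https: page linking to a non-https: URL.
function refererFor(pageUrl, destUrl, policy, rel = "") {
  // rel="noreferrer" on the anchor suppresses the header regardless of policy.
  if (rel.toLowerCase().split(/\s+/).includes("noreferrer")) return null;

  const src = new URL(pageUrl);
  const dest = new URL(destUrl);
  // Credentials and the fragment are stripped before a URL is used as referrer.
  src.username = "";
  src.password = "";
  src.hash = "";

  const full = src.href;                 // path and query string included
  const originOnly = src.origin + "/";   // scheme, host and port only
  const sameOrigin = src.origin === dest.origin;
  const downgrade = src.protocol === "https:" && dest.protocol !== "https:";

  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample: a dashboard URL carrying a secret in the query string.
const PAGE = "https://dashboard.example/apps/settings?api_token=CONSTRUCTED-TOKEN";
const FOOTER_LINK = "https://social.example/vendor-page";

// True when the secret-bearing query string would reach the external site.
function leaks(policy, rel) {
  const ref = refererFor(PAGE, FOOTER_LINK, policy, rel);
  return ref !== null && ref.includes("api_token");
}

for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p.padEnd(34), "->", refererFor(PAGE, FOOTER_LINK, p));
}
console.log("rel=noopener leaks:", leaks("no-referrer-when-downgrade", "noopener"));
console.log("rel=noopener noreferrer leaks:", leaks("no-referrer-when-downgrade", "noopener noreferrer"));
```

Either a `Referrer-Policy` that sends at most the origin or `rel="noopener noreferrer"` on the external links stops the query string from leaving the site; keeping secrets out of URLs removes the exposure at its source.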

A Big Shoutout to Nikita Aryakov (Security Architect at Pushwoosh, Inc.)

Useful Links:

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
http://docs.pushwoosh.com/docs/pushwoosh-vulnerability-monitoring#the-list-of-our-beloved-security-researchers

Here is a video where I showed the leaking of the API token to Facebook. I hope you enjoy it. Feel free to comment and criticize, and to point out other attack scenarios I did not see. Also, sorry for the low-quality video 🙁

 

Thanks
