Introduction
WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter. The service carries no advertisements and runs on donations. As of mid-November 2019, it claimed over 200,000 users; for more details see https://en.wikipedia.org/wiki/WT_Social.
The finding
Upon inspecting the account editing feature ‘Edit My Details,’ I observed a noteworthy vulnerability in their implementation. To my surprise, the system employed a ‘GET’ request for this operation, exposing critical user information in the URL.
The request appeared as follows:
GET /myaccount/updatedetails?data={"_token":"USER_CSRF_TOKEN","action":"update","userInfo":{"fname":"Sarmad","lname":"Hassan","email":"MyEmail@gmail.com","dob":"1921-01-01","dob_day":1,"dob_month":1,"dob_year":1921,"pw":"","pwc":"","pwo":""}}
I tried deleting my CSRF token just to check whether they validated it at all, and, guess what, it worked 🙂
Reproduction Steps
Step 1: Simply share the following link with other users:
Once the recipient clicks the link, their email address is altered, potentially allowing an attacker to take control of the account through the password reset option.
Notes
- I successfully bypassed their CSRF protection by removing the token from the ‘GET’ Request.
- An attacker doesn’t have to create a CSRF form; they only need to transmit the same URL from a site trusted by others.
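As an added example (my own illustration, not WT:Social's code, which this writeup does not show), here is a minimal server-side handler for an account update endpoint that closes both gaps described above: it refuses GET for the state change, and it treats a missing or mismatched token as a failure rather than skipping the check. SITE_ORIGIN, the session dict and the function names are assumptions.

```python
import hmac
import json
import secrets

SITE_ORIGIN = "https://site.example"  # assumed: the application's own origin


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and keep it server-side."""
    if "_csrf" not in session:
        session["_csrf"] = secrets.token_urlsafe(32)
    return session["_csrf"]


def handle_update_details(method: str, headers: dict, body: str, session: dict) -> tuple:
    """Return (status, reason). Only a POST carrying the session's token is accepted."""
    # 1. A state change must not be reachable via GET: a shared link must never edit an account.
    if method.upper() != "POST":
        return 405, "state-changing request must use POST"
    # 2. If the browser sent an Origin header, a foreign origin is refused before the token is read.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return 400, "body is not valid JSON"
    # 3. A missing token is a failure, not a pass: this is exactly the gap the report describes.
    supplied = data.get("_token")
    expected = session.get("_csrf")
    if not isinstance(supplied, str) or expected is None:
        return 403, "missing CSRF token"
    # 4. Constant-time comparison against the token stored in the server-side session.
    if not hmac.compare_digest(supplied, expected):
        return 403, "invalid CSRF token"
    # Token is valid: apply the update (here we only report which fields would change).
    changed = {k: v for k, v in data.get("userInfo", {}).items() if v not in ("", None)}
    return 200, "updated " + ",".join(sorted(changed))
```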
Special Thanks
I extend my gratitude to co-founder Jimmy Wales for granting me permission to disclose this security vulnerability.
Timeline
Sarmad | 17 Nov 2019 | Initial Report
WT.Social | 19 Nov 2019 | Report Triaged
WT.Social | 20 Nov 2019 | Fixed By WT
Sarmad | 25 Nov 2019 | Fix Confirmed