I have been interested in Information Security as a hobby for a while now. I spend nights and weekends reading CVE entries, testing out the OWASP top 10 and downloading vulnerable OS’s and trying to break into them. Each one is like a puzzle that I know I can get into, I just don’t know how yet.
I also like building furniture sometimes too. That is how I found out about my first security vulnerability in something.
I go to a builders merchant in Stockholm called Fredells Byggvaruhus. It has all the hardware I could ever really need, except walnut at widths greater than 610mm, but that’s another story. I also have a loyalty card, as I am a fairly regular customer, so I figured I would need it. Of course, when you sign up for the loyalty card they ask for a pretty large quantity of personally identifying information, such as name, address, telephone number, email address etc.
It also meant that I was added to an electronic mailing list which would occasionally send me offers via email.
As is usual for these types of email, there is an unsubscribe button at the bottom of the page. I think I must have only seen a single email from them or maybe even two, but knew that I didn’t want in on an email list, so hit unsubscribe. I was taken to a webpage with a Fredells banner at the top, and a pretty standard looking button with my email address on it with a few stars replacing some characters, and a big “Unsubscribe” below.
It was the stars that made me look twice at the button. There were just a few of them, and enough of my email address remained that I could almost guess what it should be. I right-clicked on the button and hit Inspect Element. I looked at the source to see if it was actually just obscuring my email address, but it seemed to come through with the stars. Intriguing. I hit the unsubscribe button, and as the developer console was still open in Chrome, I could see what came over the wire. In the POST request there was a strangely huge chunk of alphanumeric characters. 7032 characters to be precise. It also ended with a double equals sign (==), which is base64 padding, so the blob was almost certainly base64 encoded.
I really wanted to know what it was. I noticed that I had already got an email from Fredells saying that I had been unsubscribed from their emailing list, so decided to investigate further. I googled around for a base64 decoding page, threw the string in and hit decode. HTML churned out and after a cursory look, I could see my email address there in now-plain text. As I looked at the http (not https) request, I could also see that it was a very specific URL that I had been sent to. I mean there was the domain, a slash, then 8 characters, then another slash and 31 other characters. I mean that is *really* specific. Almost as if it had been generated in some way specifically for me based on say… my email address or something.
So I did what any tester would do. I changed some letters in the URL. In fact I changed only 1. I then was taken to an unsubscribe button for someone else. Certainly not me, as my email address does not end with “@mac.com”.
10 minutes later, I had a Python script running that iterated through a block of URLs and changed letters or numbers here and there. It would then make a GET request to the URL, and use a regular expression on the returned text to look for an email address (with the *** censoring) and save whatever it found to a file. I left it on for a while. Then I used uniq on the file to output a list of unique email addresses (just in case of duplicates). There were more than one or two in that file. Quite a few.
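The root cause above is that the per-recipient path was guessable: editing one character produced another recipient’s valid link. As an added example (not the post’s script and not APSIS’s fix, which the post does not describe), this is how an unsubscribe token can be bound to a server-side HMAC so that any edited path fails verification; SERVER_KEY and the recipient/list identifiers are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def make_unsubscribe_token(recipient_id: str, list_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = base64url(recipient|list) + "." + base64url(HMAC-SHA256 tag).
    The tag ties the identifiers to the server key, so changing any character
    of the path yields a tag that no longer verifies instead of another user."""
    payload = f"{recipient_id}|{list_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return f"{b64(payload)}.{b64(tag)}"


def verify_unsubscribe_token(token: str, key: bytes = SERVER_KEY):
    """Return (recipient_id, list_id) for an authentic token, else None.
    compare_digest keeps the check constant-time, so the tag cannot be
    recovered byte by byte from response timing."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        pad = lambda s: s + "=" * (-len(s) % 4)
        payload = base64.urlsafe_b64decode(pad(payload_b64))
        tag = base64.urlsafe_b64decode(pad(tag_b64))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # Only an authentic payload reaches this point, so the split is safe.
    recipient_id, list_id = payload.decode().split("|", 1)
    return recipient_id, list_id


def mutate_one_char(token: str, index: int) -> str:
    """Change a single character of a token, mirroring the one-letter edit
    from the post; used here to show the check rejects the result."""
    repl = "A" if token[index] != "A" else "B"
    return token[:index] + repl + token[index + 1:]
```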
I tried hitting the unsubscribe button for my email address a few times afterwards. Each time I did so, I got an email from them declaring my unsubscription.
So there was no rate limiting either.
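Enumeration of this kind, with no rate limiting in the way, leaves a distinctive trace in the web server’s access logs: one client fetching many distinct unsubscribe tokens within seconds, while a genuine recipient touches one link. The detection below is an added example, not from the post or APSIS; the log format, the "/unsub" prefix and the sample lines are constructed, only the 8-character/31-character path shape comes from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the post). One client walks
# several distinct tokens within seconds; the other fetches a single link.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2015:21:04:01 +0100] "GET /unsub/a1b2c3d4/0000000000000000000000000000001 HTTP/1.1" 200 1843
198.51.100.7 - - [10/Mar/2015:21:04:02 +0100] "GET /unsub/a1b2c3d4/0000000000000000000000000000002 HTTP/1.1" 200 1851
198.51.100.7 - - [10/Mar/2015:21:04:03 +0100] "GET /unsub/a1b2c3d4/0000000000000000000000000000004 HTTP/1.1" 200 1839
203.0.113.9 - - [10/Mar/2015:21:05:10 +0100] "GET /unsub/a1b2c3d4/0000000000000000000000000000777 HTTP/1.1" 200 1840
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Path shape from the post: /<8 chars>/<31 chars>; the "/unsub" prefix is assumed.
TOKEN_RE = re.compile(r'^/unsub/[A-Za-z0-9]{8}/(?P<token>[A-Za-z0-9]{31})$')


def parse_line(line):
    """Return (ip, timestamp, token) for an unsubscribe-page hit, else None."""
    m = LOG_RE.match(line)
    t = TOKEN_RE.match(m['path']) if m else None
    if not t:
        return None
    return m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), t['token']


def detect_token_enumeration(log_text, threshold=3, window_s=60):
    """Map each client IP to the largest number of distinct tokens it requested
    inside any window_s-second window, keeping only clients at or above threshold."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window, lo, best = Counter(), 0, 0
        for ts, token in events:          # sliding window over time-ordered hits
            in_window[token] += 1
            while (ts - events[lo][0]).total_seconds() > window_s:
                in_window[events[lo][1]] -= 1
                if in_window[events[lo][1]] == 0:
                    del in_window[events[lo][1]]
                lo += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

The same per-client count, kept in memory at the edge, is also what a rate limiter on the unsubscribe endpoint would key on.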
So using this methodology, it is possible to
1) Wipe the Fredells database clean.
2) Unsubscribe everyone from the mailing list.
3) With everyone’s email address in hand, sell the email database to a competitor looking for builders merchant customers, or use the list for phishing.
None of the above are desirable outcomes for the vendor or for Fredells. Obviously I reported this to the vendor (which is not Fredells, but an email marketing campaign management company called APSIS), and they said they would fix it. Having seen so many vendors just ignore security problems when their feet are not held to the fire in some manner, I chose to follow responsible disclosure. I am in the software development industry, and know that not only is security hard, but patching is hard, testing is hard and development itself is especially hard.
45 days, which is the commonly recommended window for responsible disclosure, seems a bit short (to me at least). I decided to at least double it, which is why you are reading this on or after the 1st June. I first reported this to the vendor on the 26th of February. Nothing happened for a week, which is usually a sign that it was either overlooked or just forgotten about. I mailed back and they immediately got back to me. The timeline of events is below.
26th February – Initial email to vendor.
9th March – Reminder sent to vendor.
10th March – Vendor replies with request for more info and detailed bug report.
11th March – Bug report sent along with all information I had.
11th March – Vendor replies that bug has been sent to relevant department.
13th March – Contacted by Development Manager at vendor thanking me for the bug and letting me know they are working on it.
8th April – Vendor informs me they are planning a release in the coming week or two.
22nd April – Vendor informs me that code is released, bug is fixed and invites suggestions for view state regarding unsubscription.
1st June – This post published.
So it was fixed! I think the whole process went far better than I could imagine, as I am constantly reading about vulnerabilities that do not get patched, lazy vendors etc., so I was a bit hesitant initially. I would like to take this opportunity to thank APSIS too, for their understanding and dedication. It could have been pretty bad for them, more so for the companies they represent too I suppose, but they acted very professionally throughout.
On a side note, I recently bought a sofa, not thrilling news, I know, but it seems like I got signed up to a mailing list when I did. I think I will investigate further what kind of unsubscription mechanism this mailing list has too.