==============================================================================
Rapidshare Login Credential Leakage Vulnerability
==============================================================================

Discovered by Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

Advisory URL: http://yehg.net/lab/pr0js/advisories/rapidshare.com_login_credential_leak_overhttp
Date published: 2009-07-26
Vendor: Rapidshare (Free File Hosting Provider)
URL: http://www.rapidshare.com, http://rapidshare.de
Reported: Yes (support@rapidshare.com)

Attacker:
1. Trojans or malware with sniffing capability
2. A malicious user running an HTTP sniffer

Where: User's computer / user's networks (LAN, WAN, proxy, ISP, etc.)

Overview
========

Rapidshare intends to protect user credentials from HTTP traffic sniffing with the SSL page https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi, to which users are redirected when they go to the login page. Despite that intention, there has been a way to leak users' credentials since the launch of the service. This weakness makes their use of SSL largely pointless.

###########################################################################

Not Vulnerable Scenario
=======================

A user goes to rapidshare.com and clicks "Premium login". He is redirected to the SSL page https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi. He fills in his login details and downloads the URL http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar. His login details travel across the network encrypted because HTTPS is used. Thus, he is not vulnerable.

Vulnerable Scenario
===================

A user has not logged in yet. He wants to download the URL http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar. He chooses "Premium", and the login form appears. He fills in his login details and downloads the URL http://rapidshare.com/files/139189109/Floyd-Cramer-Hello-Blues.rar. Because he is not redirected to an https URL, his login information travels across the network in plain text over sniffable HTTP. Thus, his login information is leaked to attackers and he is vulnerable.

Solution
========

As soon as the user clicks the "Premium" button, he should be redirected to the https page along with what he wants to download. For this scenario, that would be https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi?url=/files/139189109/Floyd-Cramer-Hello-Blues.rar

After successful login, he is shown the "ready-to-download" page with download options or a file download prompt, depending on his preference.

Additionally, Rapidshare's web developers should validate and filter the url parameter so that attackers cannot take advantage of it in turn.

###########################################################################

Other Security Suggestions we have made to Rapidshare:
- Iframe injectable (Now: Fixed)
- Security Lock Bruteforcing (Not/Never fix)
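The redirect-and-validate fix proposed in the Solution section, as an added Python example that is not Rapidshare's code: it builds the HTTPS login URL carrying the requested download, rejects url values that point off-site or are not an on-site download path, and includes a small check that a login form on an HTTP page actually submits over HTTPS. The host allowlist, the download-path pattern and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlencode, urljoin, urlsplit

# The HTTPS login page named in the advisory.
SECURE_LOGIN = "https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi"
# Assumed allowlist: hosts whose download URLs may be carried into the login redirect.
TRUSTED_HOSTS = {"rapidshare.com", "www.rapidshare.com", "rapidshare.de"}
# Assumed shape of an on-site download path, e.g. /files/139189109/Floyd-Cramer-Hello-Blues.rar
DOWNLOAD_PATH = re.compile(r"^/files/\d+/[A-Za-z0-9][A-Za-z0-9._-]*$")


def safe_return_path(raw):
    """Return the validated on-site download path, or None if the value cannot be trusted."""
    if not raw or len(raw) > 512 or any(c in raw for c in "\\\r\n"):
        return None  # oversized, CR/LF (header injection) or backslash (browsers treat it as '/')
    parts = urlsplit(raw)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None  # e.g. javascript: or data: URLs
    if parts.netloc and parts.hostname not in TRUSTED_HOSTS:
        # Absolute or protocol-relative (//host/...) URL pointing off-site; hostname strips
        # any user@ prefix, so "rapidshare.com@evil.example" is also rejected.
        return None
    if not DOWNLOAD_PATH.match(parts.path):
        return None
    return parts.path  # query string and fragment are deliberately dropped


def secure_login_redirect(requested_url):
    """Build the HTTPS login URL that carries the requested download, as the advisory proposes."""
    path = safe_return_path(requested_url)
    if path is None:
        return SECURE_LOGIN  # fall back to the bare login page rather than echo a bad value
    return SECURE_LOGIN + "?" + urlencode({"url": path}, safe="/")


def login_form_is_secure(page_url, form_action):
    """True only if a login form on page_url would submit credentials over HTTPS."""
    target = urljoin(page_url, form_action)
    return urlsplit(target).scheme == "https"
```

For the advisory's own example, secure_login_redirect turns the plain-HTTP download URL into the https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi?url=/files/... form given in the Solution section.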