On Monday this week I reported on donate.barackobama.com being hacked. While Blue State Digital and the Democratic Nationinal Committee may disagree, I stand by the statement. It was clear that something was incorrectly configured, whether the data that was exposed belonged to Obama’s team or not.
In his report for the Washington Post, Brian Krebs called the hack a “hoax”. The best analysis I can find on what Unu encountered when he stumbled upon Roosevelt University’s calendar database was posted at the Praetorian Prefect blog.
So what actually happened? It appears that the secure areas of barackobama.com (those that use HTTPS://) had an open redirector that could be used to proxy all traffic through the Obama website. While the site’s data itself may not have been compromised, the site was still not properly secured. As the folks at Praetorian pointed out, there are several ways to exploit this flaw that could affect the security of my.barackobama.com users.
Web browsers protect cookies by allowing only the originating domain to read those cookies later. When you log in to my.barackobama.com, the site sets a cookie to remember who you are as you blog, plan fundraisers, and plan events.
The proxy capability provided by the smartproxy functionality that was left open could allow an attacker to direct you to a link that appears to be part of barackobama.com, yet leads you to their website proxied by the Obama server. Your browser would then allow the third party site to read any cookies set and allow the attacker to impersonate you on the barackobama.com website.
Fortunately, Obama’s site did not store logins for the donation area, and it appears only my.barackobama.com was vulnerable to being hijacked. Obama’s team and Blue State Digital went to great lengths to downplay this issue, but the fact remains that the insecure practice of allowing unfettered proxy traffic could pose a real risk.
A user of pastebin discovered through a simple Google search that many sites that are hosted by Blue State Digital contain the same unrestricted proxy code. At the time of writing, the code on Blue State Digital’s servers appears to be restricted to a limited number of authorized domains.
Spammers have used redirectors like the one found on Blue State’s sites to scam users for many years now. It allows them to send out URLs that are arguably legitimate to an innocent surfer and still redirect them to something that is malicious and may steal data from the intermediate website.
People also use unauthenticated proxies to subvert corporate or school proxy systems that block sites based upon their reputation or content. By manipulating the URL, you could surf anything on the web through an HTTPS session that is unlikely to be blocked by any web filtering solutions.
If you host or design your own websites, be sure to restrict any code you use to redirect users to other sites to prevent these type of attacks. The cost to you may be more than your cookies, not to mention the bandwidth consumed by people who may use your site as a free proxy service.
To prevent your users from accidentally being redirected to malicious content through a URL that appears to be from a safe and reputable web destination, be sure you have web filtering technology that can look into HTTPS traffic, and perform proper malware filtering that is not just reputation-based. It’s never fun to lose your cookies.
(CC)Plate with crumbs image from Michale’s flickr photostream.
Screenshot of Google result from www.praetorianprefect.com.