Alibaba turns into Ali-blab-blab thanks to web server URL security bug

Chinese e-commerce megabrand Alibaba just fixed a rather naughty security slipup on its online retail portal AliExpress.

Israeli security researcher Amitay Dan noticed the problem, which has now been fixed: it’s one of those security mistakes that is not only easy to make, but also easy to exploit once you know how it works.

Very greatly simplified, it seems that AliExpress allowed a workflow like this:

  1. Login to the site, and receive an authentication cookie so the site knows it’s you.
  2. Look up your shipping address, which the site will return because it can see it’s you.
  3. Receive the reply via a URL in which your mailing address ID is one of the URL parameters.

Sadly, as Amitay Dan quickly noticed, altering the URL to include someone else’s ID still passed AliExpress’s authentication check.

Although you weren’t logged in as the user whose address you were requesting, you were logged in as someone, and that was enough.

This is a bit like checking into a hotel, identifying yourself and being handed a key to Room 101, and then realising that your key opens the room next door…

…and the rooms on the next floor, and, indeed, any other room in the hotel.

Once you know the trick, you don’t need to be much of a hacker to exploit it.

In the hotel example, you simply wave your key in front of someone else’s door.

You don’t know who’s room it is, but you can probably find out by grubbing around in their belongings once you’re inside.

In the AliExpress example, you simply change the ID string in the URL; if the IDs follow a pattern, like hotel room numbers do, you’ll be able to guess valid ones easily.

You won’t know whose account it is before you poke around, but you can probably find out once you’re in, because you’ll know where they live, what their phone number is, and more.

Not a new sort of bug

This is a similar sort of bug to the one that allowed convicted-then-pardoned “hacker” Andrew Auernheimer to acquire the email addresses of 114,000 US iPad owners who were customers of AT&T.

In the AT&T case, back in 2010, Auernheimer didn’t need to login as anyone first; the security of the system was based on knowing or guessing a valid SIM card identifier to put into a parameter in a web request.

But the flaw was a similar one: predictable “secrets” embedded in URLs that would be processed with improper or missing authentication tokens.

What to do?

In the AliExpress case, there was simply no need for the URL to specify the user’s mailing address ID.

If you’ve logged in as user X, and can provide an authentication token to prove it, you only need to say “please show me my mailing address.”

Saying, “I am user X; my authorisation is Y; please show me my mailing address, which I think has its own database ID of Z” is redundant.

If the backend is forced to ask its own database engine for “the mailing address that goes with user X who presented authentication data Y,” then it is much less likely to bypass the authentication check by mistake.

Otherwise, it may go straight to the raw mailing address database without checking that user X really is associated with address Z.

In three words: Keep it simple!