Chinese e-commerce megabrand Alibaba just fixed a rather naughty security slipup on its online retail portal AliExpress.
Israeli security researcher Amitay Dan noticed the problem, which has now been fixed: it’s one of those security mistakes that is not only easy to make, but also easy to exploit once you know how it works.
Very greatly simplified, it seems that AliExpress allowed a workflow like this:
- Log in to the site, and receive an authentication cookie so the site knows it’s you.
- Look up your shipping address, which the site will return because it can see it’s you.
- Receive the reply via a URL in which your mailing address ID is one of the URL parameters.
Sadly, as Amitay Dan quickly noticed, altering the URL to include someone else’s ID still passed AliExpress’s authentication check.
Although you weren’t logged in as the user whose address you were requesting, you were logged in as someone, and that was enough.
This is a bit like checking into a hotel, identifying yourself and being handed a key to Room 101, and then realising that your key opens the room next door…
…and the rooms on the next floor, and, indeed, any other room in the hotel.
Once you know the trick, you don’t need to be much of a hacker to exploit it.
In the hotel example, you simply wave your key in front of someone else’s door.
You don’t know whose room it is, but you can probably find out by grubbing around in their belongings once you’re inside.
In the AliExpress example, you simply change the ID string in the URL; if the IDs follow a pattern, like hotel room numbers do, you’ll be able to guess valid ones easily.
You won’t know whose account it is before you poke around, but you can probably find out once you’re in, because you’ll know where they live, what their phone number is, and more.
Not a new sort of bug
This is a similar sort of bug to the one that allowed convicted-then-pardoned “hacker” Andrew Auernheimer to acquire the email addresses of 114,000 US iPad owners who were customers of AT&T.
In the AT&T case, back in 2010, Auernheimer didn’t need to log in as anyone first; the security of the system was based on knowing or guessing a valid SIM card identifier to put into a parameter in a web request.
But the flaw was a similar one: predictable “secrets” embedded in URLs that would be processed with improper or missing authentication tokens.
What to do?
In the AliExpress case, there was simply no need for the URL to specify the user’s mailing address ID.
If you’ve logged in as user X, and can provide an authentication token to prove it, you only need to say “please show me my mailing address.”
Saying, “I am user X; my authorisation is Y; please show me my mailing address, which I think has its own database ID of Z” is redundant.
If the backend is forced to ask its own database engine for “the mailing address that goes with user X who presented authentication data Y,” then it is much less likely to bypass the authentication check by mistake.
Otherwise, it may go straight to the raw mailing address database without checking that user X really is associated with address Z.
In three words: Keep it simple!
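As an added example (not code from the article, nor from AliExpress), here is the flawed lookup described above beside two safer forms, run against a constructed in-memory store; the function names, tokens and sample rows are assumptions made for the illustration:

```python
# Added example, not from the article or AliExpress: "any logged-in user can
# fetch any address ID" versus a lookup scoped to the authenticated user.
from dataclasses import dataclass


@dataclass
class Address:
    address_id: int
    user_id: int
    street: str


# Constructed sample data: two users, one mailing address each.
ADDRESSES = {
    101: Address(101, user_id=1, street="1 First Street"),
    102: Address(102, user_id=2, street="2 Second Street"),
}
# Constructed session store: authentication token -> user id (user X, token Y).
SESSIONS = {"token-for-user-1": 1, "token-for-user-2": 2}


def authenticate(token):
    """Return the user id behind a valid token, or None if not logged in."""
    return SESSIONS.get(token)


def get_address_vulnerable(token, address_id):
    """The flawed flow: the client names address ID Z in the URL, and the
    only check is that the caller is *some* logged-in user."""
    if authenticate(token) is None:
        return None                      # not logged in at all
    addr = ADDRESSES.get(address_id)     # straight to the raw address table
    return addr.street if addr else None


def get_address_fixed(token):
    """Keep it simple: ask for 'the address that goes with user X who
    presented token Y'. The address ID never comes from the client."""
    user_id = authenticate(token)
    if user_id is None:
        return None
    for addr in ADDRESSES.values():
        if addr.user_id == user_id:
            return addr.street
    return None


def get_address_checked(token, address_id):
    """If an ID must travel in the URL, ownership is checked explicitly:
    the row is returned only when it belongs to the authenticated user."""
    user_id = authenticate(token)
    addr = ADDRESSES.get(address_id)
    if user_id is None or addr is None or addr.user_id != user_id:
        return None
    return addr.street
```

The vulnerable function hands user 1 the address belonging to user 2 when given ID 102, while both safer forms return only user 1’s own address.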
2 comments on “Alibaba turns into Ali-blab-blab thanks to web server URL security bug”
Duck wrote: “This is a bit like checking into a hotel, identifying yourself and being handed a key to Room 101, and then realising that your key opens the room next door…
“…and the rooms on the next floor, and, indeed, any other room in the hotel.”
This actually happened to a co-worker. Two of them were staying at the same hotel (in different rooms) on a business trip. On returning from dinner they stopped at one man’s room and the other absent-mindedly put his room key in the door–and it worked!
They discovered that their keys would open each other’s door–and a few others they tried. They surmised that as room keys were lost and not replaced eventually the hotel lost all the individual room keys and was simply making copies of the master key. They checked out first thing the next morning!
One way to recognise a master key for old-school multi-keyed locks is that it has a lot less metal (i.e. the body of the key is much thinner). I imagine this is one reason it’s called a “skeleton key”. A floor master key will be a bit thinner than a regular key, and an all-locks master key thinner still.
If the keys didn’t open all the locks on one floor, it might be a good guess that the locks were very old and worn. Multi-key locks have multiple places at which each pin in the lock will hit an “open” position.
Considering the number of people in any hotel who have access to your room, whatever door lock technology is in use, it’s best to treat the lock more as a “do not disturb” than as a “no admittance” sign 🙂