Fiverr.com Full Accounts Takeover - A Vulnerability Puts $50 Million Company At Risk
Mohamed A. Baset

Fiverr.com, a global online marketplace which provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk.

Fiverr raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug, reported responsibly by a vulnerability hunter, and failed to patch its website before his public release.

Countless people provide services on the Fiverr website, such as graphic design, language translation, illustration, blogging and a lot more. Prices start from just $5 but can go much higher, depending on complexity, seller rating, and type of work.

Cross-Site Request Forgery (CSRF) is a method of attacking a website in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on their behalf. They can do that if they can either:
– Convince your users to click on an HTML page they’ve constructed
– Insert arbitrary HTML in a target website that your users visit
Not too difficult, is it?

In this case, an attacker only needs to know the Fiverr profile link of the victim in order to exploit the vulnerability. Using it, the attacker crafts an exploit webpage and hosts it on his own server.

The Attack Scenario:

If the victim is already logged into his Fiverr account in the same browser that loads the exploit page, the CSRF vulnerability will silently replace the victim’s Fiverr account email with the attacker’s email address. Once done, the attacker can take over the victim’s account just by changing the account password using the “Password reset” option on the website.

PoC Video:

The Fix:

The bug has been fixed by adding an anti-CSRF token to all sensitive requests!
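To show why the token stops the forged email change, here is an added sketch that is not Fiverr's code and not part of the original write-up. The handler name, the in-memory session store and the HMAC-based session-bound token are assumptions chosen for illustration; the page does not say which token construction Fiverr used.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
SESSIONS = {}                         # session id -> account record

def login(user, email):
    """Create a session; the browser stores the returned id in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": email}
    return sid

def csrf_token(sid):
    """Session-bound token the site embeds in the forms it renders itself."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def change_email(cookie_sid, form):
    """Hypothetical email-change handler; returns an HTTP-style status."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401
    supplied = str(form.get("csrf_token", "")).encode()
    expected = csrf_token(cookie_sid).encode()
    # The cookie rides along on any cross-site request; the token does not,
    # because a page on another origin cannot read the site's forms.
    if not hmac.compare_digest(supplied, expected):
        return 403
    if not form.get("email"):
        return 400
    session["email"] = form["email"]
    return 200

if __name__ == "__main__":
    sid = login("victim", "victim@example.com")  # constructed sample account
    forged = {"email": "attacker@example.net"}   # cross-site form: no token
    print("forged request:", change_email(sid, forged))
    genuine = {"email": "new@example.com", "csrf_token": csrf_token(sid)}
    print("genuine request:", change_email(sid, genuine))
    print("email on file:", SESSIONS[sid]["email"])
```

The same check belongs on every state-changing request (email, password, payout details), since a single unprotected one is enough for the takeover chain described above.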

References and other URLs:

https://thehackernews.com/2014/08/hacking-fiverrcom-accounts_16.html

Thanks for reading. Till the next adventure!
