Cookie poisoning leads to DoS and Privacy Violation

When the verification goes wrong.

The avatar cookie contains the URL of the avatar image. But what if we change it?

When I was hunting on cs.money, I noticed that the avatar cookie held the URL of the user’s avatar on Steam. I changed the cookie to the URL of some other image and saw that it was loading on the main page.

So far there is nothing very special: we can load a different image instead of the expected one. So what?

Okay, I tried to chat with support and… my request got blocked. After playing around with the cookie value a little bit, I tried inserting part of the Steam avatar URL as a query parameter of a URL pointing to my own server.

Privacy Violation

Yes, I was right. The server was not checking the URL properly. The back-end verification was something like this (pseudocode):

The right verification should be:

My server received a request from the support agent’s browser: it tried to load the image URL by sending an HTTP request to my server. So now I had access to the support agent’s IP address and User-Agent.

Denial of Service

Now think: what if, instead of the attacker’s server, we insert the cs.money logout URL? Bingo!

The support agent’s browser makes a request to the logout URL and logs them out.
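As an added example (not the write-up’s pseudocode and not cs.money’s code), here is a substring-style check in the spirit of the flawed verification described above, beside a parsing, allowlist-based check that rejects both the attacker-server and the logout-URL cookie values. The Steam avatar host and the accepted image suffixes are assumptions, and the sample cookie values are constructed.

```python
from urllib.parse import urlparse

# Assumptions (not from the write-up): Steam avatars are served over HTTPS
# from this host, and an avatar path is a plain image file name.
ALLOWED_AVATAR_HOSTS = {"avatars.steamstatic.com"}
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
STEAM_MARKER = "steamstatic.com"   # the fragment the weak check searched for


def weak_avatar_check(cookie_url: str) -> bool:
    """Flawed check: the value is accepted as long as part of the Steam
    avatar URL appears anywhere in it (query string included)."""
    return STEAM_MARKER in cookie_url


def strict_avatar_check(cookie_url: str) -> bool:
    """Parse the cookie value as a URL and require an exact scheme, an exact
    allowlisted host and an image path, so query-string smuggling, userinfo
    tricks (host@attacker) and lookalike hosts are all rejected."""
    if len(cookie_url) > 2048:
        return False
    try:
        u = urlparse(cookie_url)
        port = u.port          # may raise ValueError on a malformed port
    except ValueError:
        return False
    if u.scheme != "https" or u.hostname not in ALLOWED_AVATAR_HOSTS:
        return False
    if port not in (None, 443) or u.username is not None:
        return False
    if u.query or u.fragment or ".." in u.path:
        return False
    return u.path.lower().endswith(IMAGE_SUFFIXES)


# Constructed sample cookie values -> whether a correct check should accept them
SAMPLES = {
    "https://avatars.steamstatic.com/abcdef1234_full.jpg": True,
    "https://attacker.example/img.png?ref=avatars.steamstatic.com": False,
    "https://cs.money/logout?next=steamstatic.com/x.jpg": False,
    "https://avatars.steamstatic.com@attacker.example/a.jpg": False,
    "https://avatars.steamstatic.com.attacker.example/a.jpg": False,
}


def evaluate(samples=SAMPLES):
    """Return {url: (weak_result, strict_result)} for each sample value."""
    return {u: (weak_avatar_check(u), strict_avatar_check(u)) for u in samples}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Every sample passes the weak check, including the logout URL from the DoS section; only the genuine avatar URL passes the strict one.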

Final thoughts

It is amazing to see how a small flaw, just a wrong verification of the avatar cookie, can have an impact like that.

Cs.money paid me a $500 reward (high impact at support.cs.money). As I had already reported the problem (being able to change the avatar to other images) and they had closed it as Not Applicable, they kindly gave me a $200 bonus. You can check my report here.

If you liked it, let me know and clap!

Programmer, ethical hacker and pentester. I am 17 years old. RS, Brazil