Document Title:
===============
Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1303


Release Date:
=============
2014-10-13


Vulnerability Laboratory ID (VL-ID):
====================================
1303


Common Vulnerability Scoring System:
====================================
3.6


Product & Service Introduction:
===============================
Find jobs using Indeed, the most comprehensive search engine for jobs. In a 
single search, Indeed offers free access to millions of jobs from thousands of 
company websites and job boards. From search to apply, Indeed’s Job Search app 
helps you through the entire process of finding a new job. Since 2004, Indeed 
has given job seekers free access to millions of jobs from thousands of company 
websites and job boards. As the leading pay-for-performance recruitment 
advertising network, Indeed drives millions of targeted applicants to jobs in 
every field and is the most cost-effective source of candidates for thousands 
of companies. We take our security very seriously and welcome any responsible 
disclosure of potential gaps in our systems.

(Copy of the Homepage: https://itunes.apple.com/us/app/job-search/id309735670 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the official Indeed.com `Job Search` v2.5 mobile web-application (api).


Vulnerability Disclosure Timeline:
==================================
2014-10-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Indeed.com (Bug Bounty)
Product: Job Search - Mobile Application API 2.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
1.1
A persistent input validation web vulnerability has been discovered in the 
official Indeed.com `Job Search` v2.5 mobile web-application (api).
The persistent vulnerability allows an attacker to inject their own script
code on the application-side of the vulnerable online-service module.

The vulnerability is located in the main job search input fields `Was
Stichwort, Jobtitel oder Unternehmen` and `Wo Ort, Bundesland oder
Postleitzahl`.
A local low privileged user account is able to inject script code by using
the regular search `Jobs finden` button. The injection request runs through
the mobile api and is not parsed or encoded. The attacker injects the code
into the input field and can execute it in the results page through the
mobile api.
The first execution occurs on the client-side of the application.

After the first search request, the application remembers the strings and
saves the information (application-side). The already injected client-side
request with the malicious code becomes an application-side attack because
of the stored db context in the user profile. During the test we used js,
html tags and php code to exploit and verify the issue. The input executes
frames, images and script code in the header of the results page, where the
vulnerable `stichwort` and `ort` values are located. The input of the search
and the input of the stored information can be reviewed in the backend, which
needs to be verified by a higher privileged indeed account.

The security risk of the vulnerabilities is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.9. Exploitation of the
security issue requires low user interaction and a registered low privileged
mobile web application user account. Successful exploitation of the security
vulnerability results in session hijacking (user/manager/admin), persistent
phishing, persistent external redirects or persistent manipulation of
affected or connected module context.


Vulnerable Application(s):
                                [+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] Was Stichwort, Jobtitel oder Unternehmen
                                [+] Wo Ort, Bundesland oder Postleitzahl

Affected Module(s):
                                [+] Job Search Results
                                [+] History - Vorherige Job suchen


1.2
A client-side cross site scripting vulnerability has been discovered in the 
official Indeed.com `Job Search` v2.5 mobile web-application (api).
The vulnerability allows remote attackers to hijack website customer,
moderator or admin session information by client-side cross site scripting
requests.

The vulnerability is located in the `Empfänger` input of the `Job Suche >
Wähle Job Angebot` module. Local low privileged user accounts are able to
inject script code into the `Empfänger` input field of the iOS application.
The result is a client-side script code execution in the context of the main
job result next to the page bottom. The attack vector is non-persistent and
the method to inject the malicious code is POST. During the test we used js,
html tags and php code to exploit and verify the issue. The execution of the
injected code occurs directly after the request through the api at the bottom
of the job article page next to the vulnerable `Empfänger` input.

The security risk of the vulnerability is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.6. Exploitation of the
security issue requires low user interaction and no privileged mobile web
application user account. Successful exploitation of the security
vulnerability results in session hijacking (user/manager/admin),
non-persistent phishing, non-persistent external redirects or client-side
manipulation of affected or connected module context.

Vulnerable Application(s):
                                [+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] Job Suche > Wähle Job Angebot

Vulnerable Input(s):
                                [+] Empfänger

Affected Module(s):
                                [+] Job Suche > Job Angebot (Bottom > Empfänger)


Proof of Concept (PoC):
=======================
1.1
The persistent input validation web vulnerability can be exploited by remote
attackers with a low privileged application user account and low user
interaction. For security demonstration or to reproduce the vulnerability
follow the provided information and steps below to continue.

Test Account:
Username: b...@evolution-sec.com
Password: keymaster148


Manual steps to reproduce the vulnerability ...

1. Install the indeed job search v2.5 application for apple iOS
(https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Login to the account
4. Open the main job search module
5. Inject your own script code payload into the two vulnerable input fields
Note: Both input fields run directly through the api of the mobile application
6. You get redirected to the results page where the execution takes place at
the top of the webpage context
7. Client-side reproduction successful!
8. Now go back to the regular profile in the main app index search
Note: The mobile app allows saving the already requested context of an
existing search (history search)
9. `Vorherige Job suchen` allows requesting the saved context, and the
client-side issue is now an application-side vulnerability
10. Successful reproduction of the vulnerability!


1.2
The non-persistent cross site scripting vulnerability can be exploited by
remote attackers without a privileged application user account and with
medium or high user interaction. For security demonstration or to reproduce
the vulnerability follow the provided information and steps below to continue.

1. Install the indeed job search v2.5 application for apple iOS
(https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Login to the account
4. Open the main job search module and search for any existing job name
5. Click the existing job article and scroll down to the page bottom
Note: The application uses the `Empfänger` to notify users and the seeker
6. Inject your own payload into the `Empfänger` input field and save by using
send
7. The code execution occurs directly next to the vulnerable input field
Note: The context passed through the mobile api is validated incorrectly,
which results in the client-side execution of code
8. Successful reproduction of the client-side vulnerability!


Solution - Fix & Patch:
=======================
1.1
The first issue can be patched by securely parsing and encoding the output of
the results page where the vulnerable values are executed.
Filter and restrict the input of the search through the mobile ios api to
prevent further persistent and non-persistent attacks.

1.2
To patch the second vulnerability, it is required to encode the `Empfänger`
input field which is present in every job article. The input value needs to
be parsed to ensure attackers are not able to execute client-side attacks
against customers to compromise (hijack) session information.
It may also be wise to implement a new exception for invalid requests in the
mobile api and app.
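
The encoding and validation recommended in 1.1 and 1.2, as an added example that is not part of the original advisory and is not Indeed's code. All function names are hypothetical, and it is an assumption that `Empfänger` holds an e-mail address.

```javascript
// Added example: every name here is hypothetical, not taken from the vendor's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode at output time so reflected and stored values are both covered.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 1.1: results-page header that echoes the `stichwort` and `ort` values.
function renderSearchHeader({ stichwort, ort }) {
  return `<h1>Jobs: ${escapeHtml(stichwort)} in ${escapeHtml(ort)}</h1>`;
}

// 1.1: history view (`Vorherige Job suchen`). Values stay raw in storage and
// are encoded on every render, so rows saved before the fix are safe as well.
function renderHistory(savedSearches) {
  const items = savedSearches.map(
    (s) => `<li>${escapeHtml(s.stichwort)} - ${escapeHtml(s.ort)}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// 1.2: dedicated error type for the "exception for invalid requests".
class InvalidRequestError extends Error {}

// Assumption: the recipient field only ever needs an e-mail address, so an
// allow-list pattern rejects anything containing markup characters.
const RECIPIENT_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$/;

function validateRecipient(input) {
  const value = String(input).trim();
  if (value.length > 254 || !RECIPIENT_RE.test(value)) {
    throw new InvalidRequestError('Empfänger must be a valid e-mail address');
  }
  return value;
}

// Even a validated recipient is encoded when echoed next to the form.
function renderRecipientNotice(input) {
  return `<p>Sent to ${escapeHtml(validateRecipient(input))}</p>`;
}
```

Validation alone would not fix 1.1, because free-text search terms cannot be restricted to a safe alphabet; the output encoding is what neutralises both the reflected and the stored case.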


Security Risk:
==============
1.1
The security risk of the persistent and non-persistent input validation web 
vulnerability in the result page is estimated as medium.

1.2
The security risk of the non-persistent cross site scripting web vulnerability 
in the `empfänger` value is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply. We do not
approve or encourage anybody to break any vendor licenses, policies, deface
websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
Section:    dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get a
permission.

                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com

