Bug Bounty: DigitalOcean fixes multiple CSRF vulnerabilities

DigitalOcean.com is a cloud hosting service that specializes in small and large virtual servers with SSDs. As a safety-conscious company, it runs a bug bounty program in which we took part. Now we just want to share our findings with you.

TL;DR: Two CSRF vulnerabilities were discovered in the dashboard. One allowed us to change everybody's API key and the other one allowed us to use promotion codes.

1. Changing the API key

After logging into the dashboard, there was a button “Generate new API key”. Clicking this button issued a GET request to the server, which then invalidated the old API key and generated a new one.

PoC:

<img src="https://www.digitalocean.com/generate_api_key">

We reported that bug on the 14th of September 2013 and received an answer quite fast (after 3 hours). Eight hours later the issue was resolved and we received a decent amount of money on our DigitalOcean account.

2. Using a promotion code

After every successful payment cycle you’re allowed to use a new promotion code. The redeem functionality was not protected against CSRF attacks, so an attacker could use a “valueless” promotion code. Again, this check was made via a GET request.

PoC:

<img src="https://www.digitalocean.com/promos/validate/PROMOCODE">

This issue was fixed within a day and we received a smaller bounty for that issue.
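Both findings share one root cause: a state-changing action served over GET with the session cookie as the only proof of intent. The sketch below is an added example, not DigitalOcean's code or their actual fix; it models the API key endpoint in a framework-free way and compares the reported pattern with a handler that requires POST plus a per-session token. The session store, handler names and the `csrf_token` form field are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session; field names are illustrative assumptions.
def new_session():
    return {"api_key": secrets.token_hex(16), "csrf_token": secrets.token_urlsafe(32)}

def rotate_key(session):
    session["api_key"] = secrets.token_hex(16)
    return session["api_key"]

def vulnerable_handler(method, path, session, form=None):
    # Pattern from the report: the state change is reachable by GET, so a
    # browser that loads a cross-site <img> performs it with the user's cookie.
    if path == "/generate_api_key" and method == "GET":
        return 200, rotate_key(session)
    return 404, None

def hardened_handler(method, path, session, form=None):
    if path != "/generate_api_key":
        return 404, None
    # 1. State changes are never served over safe methods such as GET.
    if method != "POST":
        return 405, None
    # 2. The request must carry the per-session token, which a page on
    #    another origin cannot read and therefore cannot submit.
    supplied = str((form or {}).get("csrf_token", ""))
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, None
    return 200, rotate_key(session)

def demo():
    """Return {case: (status, key_changed)} for the four request shapes."""
    results = {}
    s = new_session()
    before = s["api_key"]
    status, _ = vulnerable_handler("GET", "/generate_api_key", s)  # <img> load
    results["vulnerable_img"] = (status, s["api_key"] != before)
    s = new_session()
    before = s["api_key"]
    status, _ = hardened_handler("GET", "/generate_api_key", s)  # same <img> load
    results["hardened_img"] = (status, s["api_key"] != before)
    status, _ = hardened_handler("POST", "/generate_api_key", s, {})  # no token
    results["hardened_forged_post"] = (status, s["api_key"] != before)
    token = {"csrf_token": s["csrf_token"]}  # same-origin form includes the token
    status, _ = hardened_handler("POST", "/generate_api_key", s, token)
    results["hardened_legit_post"] = (status, s["api_key"] != before)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The same two checks apply to the promotion code endpoint, since redeeming a code is also a state change.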

All in all, it was fun to have a look at DigitalOcean's portal. Finally, we’re listed in their hall of fame.

The team of internetwache.org