Tuenti.com fixes a XSS vulnerability

Tuenti is a spanish “social network” plattform with about 14 million users. It is one of the biggest networks in the spanish-speaking area. The network offers various webapplications which in general are intended to facilitate communication. Tuenti runs a responsible disclosure program, in which we’ve also participated.

The Captcha bug

After we had a look at the website, we found a problem in the captcha-system. The captcha was created by a PHP script “on-the-fly”, using a unqiue hash to generate the displayed string. The same hash was used in the form to identify the displayed captcha. After some further tests we’ve noticed that if you would know the solution and the hash of a captcha, you could validate a request as often as you want. This would render a captcha system useless.

We’ve notified Tuentis security team about this issue on the 1st of May 2013. They answered five days later explaining that they were able to reproduce this issue and that they’re going to fix it. However, we haven’t heard anything back for the following ten days. Asking for a status update results in the usefull information that we might have discovered a more serious issue in the whole captcha system. They also told us that the minor CSRF we’ve reported isn’t that critical and they’re going to fix it eventually.

We haven’t had to wait long for the next update on our captcha bug. The final conclusion was, that this is not a valid issue since the unique is being invalidated after usage. Maybe we missed something, at least it seemed to work while writing our PoC…

The XSS Bug

Sometimes you need a break before you take another look at a website. That’s why we have paused our work on that service for a week.

After the break, we’ve discovered a XSS issue on “upload.tuenti.com”. There was a script which allowed a user to upload some files to the service. If you provided a invalid “phoneCountryId” in the post-request the application exited with an error:

1
DEBUG EXCEPTION: [Invalid country iso: [CODE] ]

The content-type was set to “text/html” and the invalid “phoneCountryId” was embeded in the response. Due to the lack of input/output escaping, we were able to trigger an XSS out of this paramter. We’ve reported this issue on the 25th of Mai 2013 and received a positive answer two days later. The fix was deployed on the 29th of Mai 2013 and their security thanked for the hints.

We are featured in their hall of fame now. Have fun hunting bugs there ;)

The team of internetwache.org

Screenshots:

Screenshot of the XSS at Tuenti.com