Typosquatting ploy successfully bypassed firewalls of multiple organizations
Tesla is one of several organizations to remedy cross-origin resource sharing (CORS) misconfigurations after security researchers proved they could exfiltrate data from the carmaker’s internal network.
That’s according to Truffle Security, which said its researchers earned a “few thousand dollars” from CORS vulnerabilities submitted through various bug bounty programs.
With the help of an exploitation toolkit custom-built for the project, the researchers confirmed Truffle Security’s initial hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS misconfigurations”.
CORS for concern
“Usually internal networks are out of scope for bug bounties due to the strict rules against lateral movement and social engineering,” it noted. “We’re aware we’re walking very close to the line, but we don’t believe it’s been crossed.”
CORS is a browser security mechanism that offers controlled access to resources situated outside of a given domain. In doing so it helps developers by offsetting the rigidity of the same-origin policy (SOP), which restricts scripts on one origin from accessing data from another.
However, overly permissive configurations can leave the door open to cross-domain attacks.
Truffle Security’s research centers on ‘wildcard’ configurations (Access-Control-Allow-Origin: *). Because browsers do not send login session information with wildcard responses, these are generally secure for externally facing websites, “but can go horrendously wrong for internal facing web apps that don’t use authentication”.
This is because “people’s browsers straddle multiple networks so when a victim visits an evil website that evil website can hit all of the internal apps on internal networks.”
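To make the distinction concrete from the defender’s side, here is an added example (not Truffle Security’s of-CORS tool) that rates the CORS headers an internal app returns and builds the allowlist-based reply a hardened app should send instead. The allowlisted origins and hostnames are constructed for illustration.

```python
"""Audit an internal web app's CORS response headers and produce a safe
allowlist-based policy. Added example for this article; not Truffle
Security's of-CORS tool. Hostnames are constructed for illustration."""

# Origins legitimately allowed to read this app's responses (assumed list).
ALLOWED_ORIGINS = frozenset({
    "https://dashboard.internal.example",
    "https://admin.internal.example",
})


def cors_exposure(request_origin: str, headers: dict, internal: bool) -> tuple:
    """Rate what a cross-origin page could read from this response.

    Returns (finding, severity). Browsers never send cookies with '*', so a
    wildcard is harmless on a public site that needs a login, but an internal
    app that needs no login hands its data to any page the browser loads.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return ("no-cors-headers", "ok")          # same-origin policy applies
    if acao == "*":
        return ("wildcard", "high" if internal else "low")
    if acao == "null":
        return ("null-origin", "high")            # sandboxed iframes send 'null'
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        # The server echoed an arbitrary origin back; with credentials the
        # caller can read the victim's authenticated data.
        return ("reflected-origin", "high" if creds else "medium")
    if acao in ALLOWED_ORIGINS:
        return ("allowlisted", "ok")
    return ("unexpected-origin", "medium")


def safe_cors_headers(request_origin: str) -> dict:
    """Hardened policy: echo the origin only when it is on the allowlist.

    'Vary: Origin' is always set so shared caches never serve one origin's
    Access-Control-Allow-Origin header to another.
    """
    out = {"Vary": "Origin"}
    if request_origin in ALLOWED_ORIGINS:
        out["Access-Control-Allow-Origin"] = request_origin
        out["Access-Control-Allow-Credentials"] = "true"
    return out
```

Run `cors_exposure` over the header sets your internal apps actually return; a wildcard rated "high" is exactly the unauthenticated-internal-app case the article describes.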
Of-CORS you can
Truffle Security has invited other bug hunters to target similar vulnerabilities with the tool it built for the project.
Of-CORS, a Python3 application, can “sneakily prod target corporate networks for CORS misconfigurations using typosquatting and phone home with data when found”.
As for reconnaissance, bug hunters are advised to identify internal, second-level domains in use by target companies by checking old commits in GitHub repos, Android builds, and even Stack Overflow threads.
Truffle Security then recommends purchasing typosquatting domains that capitalize on the “off-by-one copy paste error that occurs when you drop the first or last character”.
For instance, in Tesla’s case eslamotors.com snared a victim within a few days. A service worker registered by of-CORS then probed around 150 teslamotors.com subdomains and found that 12 were configured to allow cross-origin access with CORS.
“We demonstrated the ability to access and exfiltrate data from Tesla’s internal network just by setting an innocuous trap and waiting for employees to wander into it,” said the blog post. “Delightful.”
Tesla, which sanctioned public disclosure, was praised for “quickly” escalating, resolving, and paying out for the high severity issue through its Bugcrowd bug bounty program.
The Daily Swig has invited Tesla to comment but we are yet to hear back. The story will be updated accordingly if we do.