If you don’t know, a bug bounty program is a modern strategy to encourage the public to find and report bugs or vulnerabilities in software — especially the security bugs that may be misused by cybercriminals. Most of the big technology companies like Facebook, Google, and Microsoft employ bug bounties.
Although bug bounties are available for all types of security vulnerabilities, the bounties for Cross-Site Request Forgery (CSRF) aren’t popular. The reason being CSRF is no longer one of the top ten online threats, per OWASP. Nevertheless, there were some highest paid bounties for reporting such vulnerabilities.
That said, let’s check out the recent highest paid bug bounties for finding and reporting bugs related to CSRF. But first, let’s get to know CSRF. Read on.
Cross-Site Request Forgery (also known as “CSRF”) is a cyber-attack wherein the attacker forces the user to do his bidding — mostly unknowingly! The attack takes place in the user’s web browser; if the user is already authenticated, the attacker may trick him into sending requests that perform unknown and unwanted actions.
Let’s say, if the user has authenticated earlier on Facebook, the attacker may trick him to like a post or send a message involuntarily. It seems like a small hazard, but it has far more ill-effects if the user is an administrator.
For example, if the user is a website admin in a hospital system and he/she is already logged in, the attacker can trick him/her into editing or deleting patient records.
The attacker may opt for social engineering techniques to deliver a malicious link. For instance, he may send the link through email or social media networks. Then, if the user clicks the link while he is already logged in to the targeted website, the link gets executed, thus pulling off the hacker’s malicious plan.
Alternatively, the attacker may post the malicious link on a known website; let’s say it’s posted in a location that is likely to be clicked or visited by the victim. It can be a comment on a discussion forum or a controversial or trending article. Moreover, the attacker may also compromise a vulnerable website and add the malicious link into its pages to get the link delivered to all the site’s users.
The link can be a clickable link in an email or on a web page, or the link can be embedded or hidden inside an image too. Well, it’s just the common method for delivering such a link, and there are a few more complex methods as well.
Since you now know about Cross-Site Request Forgery (CSRF), let’s check the highest bug bounties known for detecting and reporting security bugs.
Facebook paid a huge bounty reward of $25,000 to a hacker who goes with a moniker Samm0uda for discovering a critical CSRF vulnerability in the world’s biggest social network. He discovered and reported the bug in January 2019, and Facebook paid him the bounty award after fixing it in February 2019.
What was the issue? “This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to takeover of victims accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link,” wrote Samm0uda.
The vulnerability allowed an attacker to take any action on behalf of the victim user, say change your profile picture. The bounty hunter demonstrated various possible actions including making a post on timeline, deleting a profile picture, and even deleting the account. But that’s not all; an attacker, if successful in a group of steps, can also take over a victim's account, i.e., he’ll own it.
Samsung ($13,300) [Dec’18]
Samsung awarded Artem Moskowsky — an Ukrainian bug bounty hunter — a reward of $13,300 for finding three CSRF bugs in Samsung accounts. With the help of the vulnerabilities, an attacker could change profile details or take over a user account — even if it’s protected by two-factor authentication.
What was the issue? “Moskowsky told ZDNet that he identified three CSRF issues in Samsung's account management system. The first would have allowed an attacker to change profile details, the second would have allowed an attacker to disable two-factor authentication, while the third would have allowed an attacker to change the user's account security question,” according to ZDNet.
Uber ($8,000) [Jan’19]
Uber awarded a bounty amount of $8,000 to a bug bounty hunter in January 2019. The bug — an improper authentication error — involved a state change without using a CSRF token but by using a redirect URL. An attacker could change it to take control of the authentication, thus take over an account.
What was the issue? “An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token.
As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token,” according to the summary by Uber on HackerOne.
Uber paid a bounty amount of $6,000 to Vijay Kumar — a bug bounty hunter on HackerOne. He found and reported CSRF bugs in UberEats — the food delivery subsidiary of Uber. Its whole domain had no CSRF protections, shockingly!
What was the issue?
“There was a lack of CSRF protections on eats.uber.com which allowed an attacker to add a credit card to another account. Shortly after reporting, @vijay_kumar1110 noticed other endpoints on the same domain which also lacked CSRF protections and added them to his report.
Following further investigation, we found that there was a complete lack of any CSRF protections on eats.uber.com, allowing an attacker to make requests on behalf of another user arbitrarily.
At the time of reporting, this was thought to be a one-time issue but ended up being something that existed across the rest of the service which increased the severity of this issue,” according to Uber on HackerOne.
PayPal awarded a bounty amount of $3,500 to Alex Birsan — a bug bounty hunter on HackerOne. He discovered and reported a CSRF vulnerability in Xoom — a service to send money abroad easily, thanks to PayPal. The bug was present at the referral subdomain of Xoom, leaking email and more data of the user.
What was the issue? “Due to a cross-origin configuration, the application at refer.xoom.com could be embedded in script tags on other websites. If a malicious site were open in the same browser as refer.xoom.com, the malicious site could see and extract data from the referral page. This included the email addresses being used and, in extreme cases, tokens allowing Xoom access to post on a user’s Twitter.
Any Twitter activity was limited, clearly marked as posted by Xoom, and could be mitigated by the user at any time by deauthorizing access. This did not affect any session or financial data,” according to PayPal on HackerOne.
That’s all about the CSRF vulnerabilities that are known for highest bug bounty rewards. Though all these security bugs were serious, the vulnerability with UberEats is most shocking!
It’s a classic example of negligence by the security and technical teams at Uber — one of the biggest disruptive companies.