Sunday, 12 May 2013

Craziest deal in town

"There are just some things that the universe wants out there"
    - A close friend

It is amazing how most people think that cyber security involves "firewalls", "encryption", "complex algorithms" and all the other jargon that pop culture has driven into our imagination. While most of that is true for top-notch systems, the weakest link in the chain is usually a careless human being. A careless typecast or a missed sanitization and BAM! your doors are wide open to the dark evil things of the internet.

Enough said, case in point:

Take a sample search URL from Groupon:

Which is a valid URL and displays the following:

Now add a single quote at the end:'

And voilà! The web page belches out the entire source code as its response, with analysis:

Snapshot taken at 5.40 AM, 5/13/2013

Apparently the exception is thrown for any unrecognized parameter, so what fails is not a sanity check but a null check. So, important lessons:
  1. Do not print error stack traces
  2. Do not print error stack traces into the response of a web request
  3. Have a global handler for catching and filtering any exceptions
  4. Please do not write ugly code (not security related, but in the off chance that you do get caught with your pants down and your source code all over the internet, at least people won't judge you for sloppiness)

Another major hole that I found in the short time that I poked around: password reset URLs are sent to you over plain "http", so any friendly neighborhood script kiddie sniffing packets would have your password as you reset it. So you might ask him if you forget your password next time. #FAIL
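Lessons 2 and 3, and the reset-link point, in working code. This is an added example and not Groupon's code; the post never names their stack, so Python is used here as an illustration, and `search_handler`, `dispatch`, `dispatch_unsafe` and `build_reset_url` are constructed names. The unsafe dispatcher writes the trace into the response, the way the post describes; the global handler logs the full trace server-side under a reference id and returns only a generic message, and the reset-link builder refuses to mint a token URL over anything but https.

```python
import logging
import traceback
import uuid
from urllib.parse import urlsplit

log = logging.getLogger("dealsite")

# What the client sees on any failure: no class names, no file paths, no stack.
GENERIC_500 = "Something went wrong. Reference id: {ref}"


def search_handler(request):
    """Constructed stand-in for the deal-search endpoint. It expects the
    'page' parameter to be an integer, so "1'" raises ValueError, roughly the
    kind of failure a stray quote produces in a naive parser."""
    page = int(request["params"].get("page", "1"))
    return f"search results, page {page}"


def dispatch_unsafe(handler, request):
    """The anti-pattern from the post: the stack trace is written into the
    HTTP response, handing internals to whoever typed the bad parameter."""
    try:
        return 200, handler(request)
    except Exception:
        return 500, traceback.format_exc()


def dispatch(handler, request):
    """Global exception filter. The full trace goes to the server log with a
    reference id; the client gets only a generic message carrying that id,
    so support can still correlate a complaint with the log entry."""
    try:
        return 200, handler(request)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s path=%s\n%s", ref, request.get("path"),
                  traceback.format_exc())
        return 500, GENERIC_500.format(ref=ref)


def build_reset_url(base_url, token):
    """Refuse to mint a password-reset link over plain http: a reset token on
    an http URL is readable by anyone on the path, which is the exposure the
    post describes. Raising makes the misconfiguration fail at test time."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("password reset links must be https, got %r" % base_url)
    return f"{base_url.rstrip('/')}/reset?token={token}"


if __name__ == "__main__":
    # Constructed request: the page parameter with a stray quote appended.
    bad = {"path": "/search", "params": {"page": "1'"}}
    print(dispatch_unsafe(search_handler, bad)[1])  # leaks the ValueError trace
    print(dispatch(search_handler, bad)[1])         # generic message only
    print(build_reset_url("https://example.invalid", "constructed-token"))
```

The reference id is the part worth keeping: a bare "500 Internal Server Error" loses the trace for everyone, while the id lets the operator find it in the log without ever sending it to the browser.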

It is a shame that a company like Groupon, which has deep engineering roots, could have such gaping holes. Reiterating what I said before: even before you go on to installing state-of-the-art security, please have your developers write responsible code and, I don't know, maybe do some QA :)

Fortunately, I could not find the same vulnerabilities in Groupon's main website; maybe the Indian site doesn't use the same source code. I wonder why? Groupon has already been treading troubled waters for quite some time now. Engineering mishaps like these will surely not bolster any support. Hope they find a new CEO soon and, oh yeah, fix these too.

UPDATE: Folks at Groupon have finally taken notice, it seems. They have fixed the particular URL pattern that I posted, but sloppily again, because any other random string still gets a "500 Internal Server Error".

 - 3:19 PM 5/13/2013

DISCLAIMER: This was not a targeted attempt to breach security, more an accidental stumble. The intent of the post is to bring these glaring security holes to notice, not to encourage any malicious activity. A mail was sent to Groupon before this post was published.

CREDITS: To another friend who actually sent me a deal ;)


  1. I read somewhere that during global expansion, rather than implement their own code, they would buy out competitors and rebrand their products. This may have been a case of that happening.

  2. Yes, we all like to click through webpages and add ticks to the end of parameters, don't we?

  3. Hey Anonymous, it was a search and you may not have noticed, but on many keyboards the single quote is next to the enter key and is therefore easy to hit accidentally.