This post was originally published on the AppSec-Labs blog.
As you may have heard, it was recently reported that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.
A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.
After a short investigation, I concluded that any buyer on the website can browse to any item and send a message to the seller using the vulnerable “Contact Now” feature. This feature can be abused by any registered buyer, who could send the seller a message containing a malicious payload.
As soon as I reached my conclusion, I needed to get in touch with the AliExpress security team to make them aware of the problem and allow them to fix it. I made several attempts to contact them; unfortunately, I did not receive any response by email and could not obtain the security team’s email address via the online support. I started to ask for help on social media networks (in order to contact AliExpress), where I came across Amitay Dan, who claimed to have discovered yet another vulnerability. He had also tried to contact AliExpress, but did not receive a satisfactory response either.
It is important to emphasize that my intention from the start was to contact AliExpress and to report the security breach to them directly so they could fix it, out of genuine concern that AliExpress users all over the world, including myself, should be able to use a properly secured website. Only after numerous unsuccessful attempts to reach their support did I look for further assistance on social media.
In the last few days, after Amitay and I were interviewed by the local Channel 10 News station, the news about us exposing security vulnerabilities in AliExpress spread in the media all over the world. Finally, we managed to get in touch with an AliExpress representative via the AliExpress – Israel fan page on Facebook, who connected us with the relevant contacts at AliExpress so that we could demonstrate and explain the security breaches we had detected.
I must say that as soon as initial contact with AliExpress was made, they took this issue very seriously, and we received an official message stating that the vulnerabilities we detected were fixed within two days. After receiving this message, I of course tested it myself, and I can indeed confirm that the vulnerability I found is now fixed.
The PoC of the AliExpress XSS
The vulnerability I detected is a persistent (stored) XSS: an attacker can inject malicious HTML/JavaScript into the content of a message, and when the seller opens that message, or even just opens the message center, the script is executed in the seller’s browser. In this way the attacker could potentially take over accounts and steal data from the victim’s account. The following actions can be achieved using an XSS attack:
- Steal the user’s session cookie.
- Read responses from the server.
- Perform applicative actions.
- Turn on the user’s webcam and spy on him.
- Perform a phishing attack to steal the user’s password or other sensitive data. The attack could create an HTML layer above the website content with a submit form and ask the user to fill it in.
The following is a possible attack scenario:
- An attacker sends a message to a store via the “Contact Now” feature and injects a malicious script into the content.
- The seller browses to the AliExpress message center.
- The malicious script is executed in the seller’s browser, which can then lead to any of the exploit scenarios described above (depending on the script’s content).
A skilled hacker could easily exploit this Cross-Site Scripting (XSS) vulnerability and perform a well-targeted attack by sending malicious messages to many, or even all, AliExpress sellers. This could eventually result in great damage to the AliExpress website or its users.
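The root cause of a stored XSS like the one described above is that message text supplied by one user is later inserted into another user’s page as markup rather than as text. The following is an added example (not AliExpress code, and not the author’s PoC) contrasting a rendering function that trusts the stored message body with one that HTML-encodes every untrusted field before inserting it. The message record shape (`sender`, `body`) and the sample messages are assumptions constructed for the example; the encoding used is the standard five-character HTML entity encoding for HTML body context.

```javascript
// Added example, not part of the original post: safe vs. unsafe rendering of
// stored buyer messages in a seller's message center.

// The five characters that carry meaning in an HTML body context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser shows it literally instead of
// parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored message body is interpolated as raw HTML,
// so any tag a buyer typed becomes live DOM in the seller's browser.
function renderMessageUnsafe(message) {
  return `<div class="msg"><b>${message.sender}</b>: ${message.body}</div>`;
}

// Hardened pattern: every user-controlled field is encoded before insertion.
function renderMessageSafe(message) {
  return `<div class="msg"><b>${escapeHtml(message.sender)}</b>: ` +
         `${escapeHtml(message.body)}</div>`;
}

// Number of tags contributed by the template itself (<div>, <b>, </b>, </div>).
const TEMPLATE_TAG_COUNT = 4;

// Defensive check for a test suite: untrusted input must never add tags
// beyond those the template itself emits.
function containsInjectedTag(renderedHtml, templateTagCount = TEMPLATE_TAG_COUNT) {
  const tags = renderedHtml.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.length > templateTagCount;
}

// Render a whole message center safely; returns the HTML string.
function renderMessageCenter(messages) {
  return messages.map(renderMessageSafe).join('\n');
}

// Constructed sample messages (assumption: not real AliExpress data). The
// third one contains markup, as a buyer-controlled message could.
const SAMPLE_MESSAGES = [
  { sender: 'buyer_one', body: 'Does this item ship to Israel?' },
  { sender: 'buyer_two', body: 'Size chart says 40 < 42, is that right?' },
  { sender: 'buyer_three', body: '<script>/* injected */</script>' },
];

// Audit: which sample messages would inject a tag under each renderer?
function auditRenderers(messages) {
  return {
    unsafe: messages.filter((m) => containsInjectedTag(renderMessageUnsafe(m))).length,
    safe: messages.filter((m) => containsInjectedTag(renderMessageSafe(m))).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderMessageCenter(SAMPLE_MESSAGES));
  console.log(auditRenderers(SAMPLE_MESSAGES)); // { unsafe: 1, safe: 0 }
}
```

Encoding is context-specific: this table is correct for text placed in an HTML body or in a double-quoted attribute, but text inserted into a JavaScript string, a URL, or a CSS value needs that context’s encoding, and in browser code assigning to `textContent` rather than `innerHTML` avoids the problem entirely. Marking the session cookie `HttpOnly` is a complementary mitigation that blunts the first item in the impact list above (cookie theft) even if a script does execute.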
* This blog, written by Barak Tawili, was originally published on the AppSec Labs (@AppSecLabs) website.