Nokia Internet Radio software was released years ago for the
Symbian platform of Nokia mobile phones. If you had a Symbian smartphone, you
might be familiar with this software, or at least you've probably seen it in
the menu because it was pre-installed on some models.
The software is used to listen to different radio
stations provided by broadcasters. The radio stations can be browsed by
genre, language and country. To make it possible for the broadcasters to edit
their stations, there is a website at irbcast.nokia.com for that
purpose.
After a quick look at the website, I noticed I was able to
remove any station from the service just by changing the id of the radio
station in the request. This kind of vulnerability, where the user's
authorization to the requested object isn't checked, is an "Insecure Direct Object
Reference" flaw, and it leads to privilege escalation.
It was also possible to change details like the description and
genre of any radio station. At this point it was quite clear that there was
probably no authorization check implemented on the edit functions at all.
I was interested to see if an account could be captured
using this flaw. This means that the id of the broadcaster (victim) is
needed, so the changes are made to the right account. The search function on the site was very helpful. After finding the
target with the search function and opening the source code of the search result, the needed id was found.
Next, the victim's technical email address was changed to our own
by putting the victim's id in the request, and the "forgot password" function was used for the victim's account. The
password reset link was received at our own email address and the password was
reset. On the login screen I realized I didn't have the username of the
victim, and it isn't mentioned anywhere on the site. So the only way would be to
guess it (the name of the radio station, for example). Meh.
Even though a full account capture wasn't possible, technically I had very wide access to the victim's
account. And deleting all of the radio stations from the whole service wouldn't have been a big task.
Exploiting insecure direct object references is very
easy, and the results can be very bad.
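As an added illustration (not code from the irbcast site, whose implementation is not public), here is a minimal Python model of the station-edit and delete handlers: the unchecked form only verifies that someone is logged in and then trusts the station id from the request, while the checked form also verifies that the station belongs to the authenticated broadcaster. All names, ids and sample data are constructed.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Station:
    station_id: int
    owner_id: int            # broadcaster account that owns this station
    genre: str
    technical_email: str     # address that receives "forgot password" mail


@dataclass
class Store:
    stations: dict = field(default_factory=dict)


def make_sample_store() -> Store:
    # Constructed sample data: two broadcasters (100 and 200), one station each.
    store = Store()
    store.stations[1] = Station(1, 100, "rock", "ops@broadcaster-a.example")
    store.stations[2] = Station(2, 200, "jazz", "ops@broadcaster-b.example")
    return store


def update_email_unchecked(store, session_user, station_id, new_email):
    """Vulnerable shape: authentication only, no ownership check on station_id."""
    if session_user is None:
        raise Forbidden("login required")
    station = store.stations[station_id]   # id taken straight from the request
    station.technical_email = new_email
    return station


def _owned_station(store, session_user, station_id):
    """Authorization check: the object must belong to the authenticated user."""
    if session_user is None:
        raise Forbidden("login required")
    station = store.stations.get(station_id)
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if station is None or station.owner_id != session_user:
        raise Forbidden("station not accessible")
    return station


def update_email_checked(store, session_user, station_id, new_email):
    station = _owned_station(store, session_user, station_id)
    station.technical_email = new_email
    return station


def delete_station_checked(store, session_user, station_id):
    _owned_station(store, session_user, station_id)
    del store.stations[station_id]
```

Server-side logging of every Forbidden raised by `_owned_station` gives a simple detection signal: a logged-in account requesting ids it does not own is exactly the traffic pattern described above.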
Timeline:
1.7.2013 – The issue was reported to Nokia security
1.7.2013 – I got a human response within one minute that the report was being forwarded
1-2.7.2013 – Edit functions were disabled on the website
9.7.2013 – Comrade Sintsov from Here dropped a message that the issue has been fixed and I’ll get Lumia 820 as a reward.