
5 CSRF Vulnerabilities Known For Highest Bounty Rewards

by Evan Morris, November 2nd, 2019

Too Long; Didn't Read

Cross-Site Request Forgery (CSRF) is a cyber-attack wherein the attacker forces the user to do his bidding — mostly unknowingly! The attack takes place in the user’s web browser; if the user is already authenticated, the attacker may trick him into sending requests that perform unknown and unwanted actions. Facebook paid a huge bounty reward of $25,000 to a hacker who goes by the moniker Samm0uda for discovering a critical CSRF vulnerability in January 2019.

If you don’t know, a bug bounty program is a modern strategy to encourage the public to find and report bugs or vulnerabilities in software — especially the security bugs that may be misused by cybercriminals. Most of the big technology companies like Facebook, Google, and Microsoft run bug bounties.

Although bug bounties are available for all types of security vulnerabilities, bounties for Cross-Site Request Forgery (CSRF) aren’t popular, since CSRF is no longer one of the top ten online threats, per . Nevertheless, some of the highest paid bounties have been for reporting such vulnerabilities.

That said, let’s check out the recent highest paid bug bounties for finding and reporting bugs related to CSRF. But first, let’s get to know CSRF. Read on.

Cross-Site Request Forgery (“CSRF”) is a cyber-attack wherein the attacker forces the user to do his bidding — mostly unknowingly! The attack takes place in the user’s web browser; if the user is already authenticated, the attacker may trick him into sending requests that perform unknown and unwanted actions.

Let’s say the user has authenticated earlier on Facebook; the attacker may then trick him into liking a post or sending a message involuntarily. It seems like a small hazard, but it has far worse effects if the user is an administrator. For example, if the user is a website admin in a hospital system and he/she is already logged in, the attacker can trick him/her into editing or deleting patient records.
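To make the mechanism concrete, here is an added example (not code from the article or from any of the companies it mentions) that simulates a state-changing endpoint in two forms: one that trusts the session cookie alone, which the browser attaches automatically to a request triggered from any site, and one hardened with the standard defences (POST only, an Origin/Referer check, and a per-session synchronizer token compared in constant time). The session store, the `Request` class, `TRUSTED_ORIGIN` and the `delete_account_*` handler names are all assumptions for this illustration.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed in-memory session store standing in for a framework's session
# backend. All names here are assumptions for this illustration, not a real API.
SESSIONS: dict[str, dict] = {}
TRUSTED_ORIGIN = "https://app.example"  # the site's own origin (constructed)


def new_session(user: str) -> str:
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds in its own forms; another origin cannot read it."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def request_origin(req: Request) -> str | None:
    """Origin header, falling back to the scheme+host part of Referer."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def delete_account_vulnerable(req: Request) -> tuple[int, str]:
    """Trusts the session cookie alone. Because the browser attaches cookies
    automatically, any page the victim visits can trigger this action."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    return 200, f"account {sess['user']} deleted"


def delete_account_hardened(req: Request) -> tuple[int, str]:
    """Same action with CSRF defences: POST only, same-origin check,
    and a synchronizer token compared in constant time."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    if request_origin(req) != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"account {sess['user']} deleted"


def demo() -> dict[str, int]:
    """Status codes for a forged and a legitimate request against each handler."""
    sid = new_session("victim")
    cookies = {"sid": sid}  # the browser sends this on both requests
    forged = Request("POST", "/account/delete", cookies=cookies,
                     headers={"Origin": "https://attacker.example"})
    legit = Request("POST", "/account/delete", cookies=cookies,
                    headers={"Origin": TRUSTED_ORIGIN},
                    form={"csrf_token": csrf_token_for(sid)})
    return {
        "vulnerable_forged": delete_account_vulnerable(forged)[0],
        "hardened_forged": delete_account_hardened(forged)[0],
        "hardened_legit": delete_account_hardened(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request carries a valid session cookie, so the unprotected handler performs the deletion; the hardened handler rejects it because the attacker's page can neither set a matching `Origin` nor read the token, while the site's own form, which embeds the token, still succeeds.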

Facebook ($25,000) [Jan’19]

Facebook paid a bounty of $25,000 to a hacker who goes by the moniker Samm0uda for discovering a critical CSRF vulnerability in January 2019.

The vulnerability allowed an attacker to take any action on behalf of the victim user, such as changing the victim’s profile picture. The bounty hunter demonstrated various possible actions including making a post on the timeline, deleting a profile picture, and even deleting the account. But that’s not all; an attacker who succeeded in a chain of steps could also take over a victim’s account, i.e., he’d own it.

Samsung ($13,300) [Dec’18]

Samsung awarded Artem Moskowsky — a Ukrainian bug bounty hunter — a reward of $13,300 for finding three CSRF bugs in Samsung accounts. With the help of the vulnerabilities, an attacker could change profile details or take over a user account — even if it’s protected by two-factor authentication.

What was the issue? “Moskowsky told ZDNet that he identified three CSRF issues in Samsung's account management system. The first would have allowed an attacker to change profile details, the second would have allowed an attacker to disable two-factor authentication, while the third would have allowed an attacker to change the user's account security question,” according to .

Uber ($8,000) [Jan’19]

Uber awarded a bounty of $8,000 to a bug bounty hunter in January 2019. The bug — an improper authentication error — involved a state change that relied on a redirect URL instead of a CSRF token. An attacker could modify it to take control of the authentication flow and thus take over an account.

What was the issue? “An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token,” according to the summary by .
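The OAuth2 `state` parameter exists precisely to bind the callback to the session that started the login, i.e. to act as the flow's CSRF token. The following added example (not Uber's code or any library's API; `AUTHORIZE_URL`, `CALLBACK_URL`, the `start_login_*`/`callback_*` functions and the sample token are constructed for this illustration) contrasts a client that misuses `state` as a redirect target, so that a poisoned value sends the freshly issued token to a domain of the attacker's choosing, with one that keeps the post-login destination server-side, restricts it to a local path, and puts only a single-use random nonce in `state`.

```python
from __future__ import annotations

import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed example of an OAuth2 client's login flow. Every name here is an
# assumption for this illustration, not Uber's code or a library's API.
AUTHORIZE_URL = "https://login.example/oauth/authorize"
CALLBACK_URL = "https://app.example/oauth/callback"


def start_login_vulnerable(return_to: str) -> str:
    """Misuses `state` as the post-login redirect target. Anyone can build this
    URL, so `state` proves nothing about who started the flow."""
    q = urlencode({"client_id": "app", "redirect_uri": CALLBACK_URL, "state": return_to})
    return f"{AUTHORIZE_URL}?{q}"


def callback_vulnerable(params: dict, access_token: str) -> tuple[int, str]:
    """Redirects wherever `state` says, carrying the token in the fragment:
    an open redirect that hands the token to whoever chose `state`."""
    return 302, f"{params.get('state', '/')}#access_token={access_token}"


def is_local_path(p: str) -> bool:
    """Accept only same-site absolute paths such as /dashboard."""
    parts = urlsplit(p)
    return (p.startswith("/") and not p.startswith("//")
            and parts.scheme == "" and parts.netloc == "")


def start_login_hardened(session: dict, return_to: str) -> str:
    """`state` is a random nonce bound to the session; the destination is
    validated and stored server-side instead of travelling in the URL."""
    nonce = secrets.token_urlsafe(32)
    session["oauth_state"] = nonce
    session["return_to"] = return_to if is_local_path(return_to) else "/"
    q = urlencode({"client_id": "app", "redirect_uri": CALLBACK_URL, "state": nonce})
    return f"{AUTHORIZE_URL}?{q}"


def callback_hardened(session: dict, params: dict, access_token: str) -> tuple[int, str]:
    """Accept the callback only if `state` equals the nonce stored for this
    session (consumed on use), then redirect to the server-stored local path."""
    expected = session.pop("oauth_state", None)
    presented = params.get("state", "")
    if expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, "state mismatch: login was not started by this session"
    session["access_token"] = access_token  # stays server-side, never in a redirect
    return 302, session.pop("return_to", "/")


def demo() -> dict:
    token = "tok-CONSTRUCTED"  # constructed sample value
    evil = "https://attacker.example/collect"
    out: dict = {}
    # Vulnerable flow: an attacker-chosen state leaks the token.
    out["vulnerable"] = callback_vulnerable({"state": evil}, token)[1]
    # Hardened flow, attacker-supplied destination and state.
    s: dict = {}
    start_login_hardened(s, evil)
    out["hardened_evil_return_to"] = s["return_to"]
    out["hardened_forged_state"] = callback_hardened(s, {"state": evil}, token)[0]
    # Hardened flow, genuine user completing the login.
    s = {}
    url = start_login_hardened(s, "/dashboard")
    nonce = dict(parse_qsl(urlsplit(url).query))["state"]
    out["hardened_legit"] = callback_hardened(s, {"state": nonce}, token)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

In the hardened flow the redirect destination never leaves the server, so tampering with `state` can only cause a 403, and an external URL passed as the destination is replaced by `/` before the flow even starts.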


That’s all about the CSRF vulnerabilities known for the highest bug bounty rewards. Though all these security bugs were serious, the vulnerability in UberEats is the most shocking! It’s a classic example of negligence by the security and technical teams at Uber — one of the biggest disruptive companies.
