A CSRF in Nokia with a Referer Bypass

Web Application Security, CSRF

This post is about a CSRF vulnerability in Nokia where I was able to exploit it to delete accounts using a simple bypass. In which, earned me their Hall of Fame recognition.

Image Description

What is CSRF? #

A CSRF attack involves performing an action on a victim’s user account without their awareness. This can allow an attacker to change a victims password, email, and even delete their accounts.

Reproducing the vulnerability #

Step 1 - Testing for CSRF #

While testing, I noticed that the delete functionality wasn’t using any CSRF tokens to protect against CSRF. Therefore, I started testing for CSRF. The CSRF exploit was unsuccessful, so I had to start testing for bypasses.

When I tried deleting my account without the referer header, the site displayed an error. This suggests that the site relies on referer based CSRF protection, which can be bypassed using methods like ATTACKER_IP/csrf.html?nokia.com.

Step 2 - Crafting the CSRF Document #

Using devtools, I inspected the delete account code block, noticed the path and POST method used.

Then proceeded to craft the malicious HTML document:

<form method="POST" action="https://network.developer.nokia.com/accounts/profile/requestaccountdeletion">
</form>
<script>
        document.forms[0].submit();
</script>

Step 3 - Triggering the CSRF #

I used my DigitalOcean VPS to deliver the exploit, but alternative methods like replit can also be utilized, and it’s free.

Here’s the final link including the bypass: “attacker_ip/csrf.html?subdomain.nokia.com”. I clicked on the link and observed the successful deletion of the account.

Conclusion #

This writeup highlights a vulnerability in the account deletion functionality, allowing attackers to delete accounts via a link using this simple bypass. By responsibly disclosing this issue, I received recognition in Nokia’s Hall of Fame, enhancing their security further.