I want to talk about something I ran into in a bug bounty (BB) program. After uploading an image file to a web application, there are often input fields that let you change the size of the image (resize/crop). When I examined such a structure, I observed that it could cause privacy problems very similar to the ones an image proxy is meant to solve. For this reason, I will explain the issue through the image-proxy analogy.
What is an Image Proxy?
You have probably already encountered the tracking method that image proxies exist to defeat. When you receive an e-mail, attackers (or e-mail marketers) embed an image in the mail content. If the victim opens the e-mail, the image is loaded along with the HTML page, and the "e-mail has been read" signal is obtained by whoever hosts that image.
Services such as Gmail offer a feature that increases your privacy and security when images are displayed: all external images embedded in e-mails are fetched through proxies on their own servers. I think Fastmail is trying to fix this vulnerability too: https://www.fastmail.com/about/bugbounty.html :)
But the vulnerability I found is a bit different from a plain image-loading issue. I needed a few steps to put it together, as below:
Anti-Csrf Bypass -> Hacker-Friendly Error Page -> Crop-Image PoC
Anti-CSRF Bypass
The anti-CSRF token is used application-wide, so it is also present in the crop-image (avatar) feature, where the request looks like this: "change-avatar.php?x=120&y=120&csrftoken=value". I bypassed that CSRF protection in a simple way: by deleting the value of csrftoken.
Hacker-Friendly Error Page
Interestingly, after I deleted the CSRF token value from the request, I got an error page, just as on the other pages. But I noticed that my avatar had changed anyway: the application showed an error, yet still carried out the change.
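The two mistakes above (a token check that is skipped when the value is empty, and a state change that happens before the check fails) are easy to reproduce in a few lines of PHP. The following is an added example, not code from the original post or from the affected application; the weak check is one plausible pattern that behaves exactly as described (an emptied csrftoken sails through), and the session key name csrftoken and the handler layout are assumptions.

```php
<?php
// Added example: a CSRF check that fails open next to one that fails closed.
// Assumed names: $_SESSION['csrftoken'] holds the per-session token.
session_start();

// Weak pattern (assumed): the token is only compared when it is non-empty,
// so a request carrying "csrftoken=" (value deleted) skips the comparison
// and falls through to the "allowed" branch.
function csrf_check_weak(array $params, string $sessionToken): bool
{
    if (!empty($params['csrftoken']) && $params['csrftoken'] !== $sessionToken) {
        return false;
    }
    return true; // reached for a valid token AND for a missing/empty one
}

// Hardened: deny by default, require POST, compare in constant time.
function csrf_check_strict(string $method, array $params, ?string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false;                       // state changes never ride on a GET link
    }
    if ($sessionToken === null || $sessionToken === '') {
        return false;                       // no token was ever issued for this session
    }
    $supplied = $params['csrftoken'] ?? '';
    if (!is_string($supplied) || $supplied === '') {
        return false;                       // missing or emptied token is a hard failure
    }
    return hash_equals($sessionToken, $supplied);
}

// Issue one unguessable token per session; embed it in the crop form.
if (empty($_SESSION['csrftoken'])) {
    $_SESSION['csrftoken'] = bin2hex(random_bytes(32));
}

// Every check runs before any state change. On failure nothing is touched,
// which is the behaviour the "hacker-friendly" error page above lacked.
if (!csrf_check_strict($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION['csrftoken'] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}
// ... only now read x/y, crop the image and overwrite the stored avatar ...
```

The error page itself is not the bug; the bug is that the avatar was already overwritten by the time the error was rendered. Putting the check first and returning before any write is what turns the error page from a cosmetic message into an actual control.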
Crop-Image PoC
The goal is to build something that works like the image-proxy tracking trick.
Attack steps:
1- The attacker sends the victim a link and only needs the victim to click it once.
2- The victim's avatar size changes when the victim clicks the link.
3- Then I visit the victim's avatar page again. Of course, the avatar has to be visible to me somewhere, in a public area or a private one (a DM), so that I can notice the change.
Yes, the avatar changed successfully, and because the change only happens when the victim is online and clicks, it can be used to fingerprint users, much like a tracking pixel confirms that an e-mail was opened.
It's a simple idea, but it can be taken in different directions.
What else is there? Google it!
In fact, if you search for "crop image in PHP" on Google, you can find a lot of examples on stackoverflow.com. In these examples, GET/POST values received directly from the user determine the x and y coordinates of the image.
e.g. the "imagecopyresampled" function is frequently used in these code fragments. If you look at https://www.php.net/manual/en/function.imagecopyresampled.php in the PHP manual, you will see that the function signature is as follows:
imagecopyresampled ( resource $dst_image , resource $src_image , int $dst_x , int $dst_y , int $src_x , int $src_y , int $dst_w , int $dst_h , int $src_w , int $src_h ) : bool
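Independently of the CSRF problem, the snippets found by that search typically hand the request's x and y straight to imagecopyresampled. The following is an added example, not from the post or from any of those Stack Overflow answers, showing how a crop handler can validate the rectangle before the GD call; the parameter names x, y, w, h, the PNG input and the server-side paths are assumptions.

```php
<?php
// Added example: crop an avatar with bounds-checked, user-supplied coordinates.
// Assumed: $srcPath and $dstPath are chosen server-side, never from the request;
// $p is the already CSRF-checked request parameter array.
function crop_avatar(string $srcPath, string $dstPath, array $p, int $maxSide = 512): bool
{
    $src = @imagecreatefrompng($srcPath);
    if ($src === false) {
        return false;                       // not a PNG GD can decode
    }
    $srcW = imagesx($src);
    $srcH = imagesy($src);

    // FILTER_VALIDATE_INT with a range rejects non-integers, negatives and
    // anything outside the source image in one step (returns false on failure).
    $x = filter_var($p['x'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => $srcW - 1]]);
    $y = filter_var($p['y'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => $srcH - 1]]);
    $w = filter_var($p['w'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => $srcW]]);
    $h = filter_var($p['h'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => $srcH]]);
    if ($x === false || $y === false || $w === false || $h === false) {
        imagedestroy($src);
        return false;
    }
    // The crop rectangle must lie entirely inside the source image.
    if ($x + $w > $srcW || $y + $h > $srcH) {
        imagedestroy($src);
        return false;
    }

    // Output dimensions are derived server-side (aspect preserved, capped at
    // $maxSide); the request never dictates the size of the stored file.
    $scale = min($maxSide / $w, $maxSide / $h, 1.0);
    $dstW = max(1, (int) round($w * $scale));
    $dstH = max(1, (int) round($h * $scale));

    $dst = imagecreatetruecolor($dstW, $dstH);
    // Argument order per the manual: dst, src, dst_x, dst_y, src_x, src_y, dst_w, dst_h, src_w, src_h
    imagecopyresampled($dst, $src, 0, 0, $x, $y, $dstW, $dstH, $w, $h);
    $ok = imagepng($dst, $dstPath);
    imagedestroy($dst);
    imagedestroy($src);
    return $ok;
}

// Usage (paths assumed): only called after the CSRF check has passed.
// crop_avatar('/srv/app/uploads/' . $userId . '.png', '/srv/app/avatars/' . $userId . '.png', $_POST);
```

The validation does not stop the fingerprinting trick on its own; that requires the request to be rejected before the write, as in the CSRF fix. It does close the second hole the copied snippets have: arbitrary or malformed x/y values reaching the GD functions.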
In my case, there was some luck involved in triggering this vulnerability. There are many similar examples on GitHub; I wanted to point them out in case you want to review them.
EOF