As part of proactively testing for vulnerabilities in organisations’ large, complex IT estates, Quorum Cyber’s Offensive Security team sometimes encounters new or unusual weaknesses.
It recently identified the presence of a Cross-Site Request Forgery (CSRF) vulnerability that impacts the email change functionality of on.aiir.com.
CSRF is a type of attack in which a user is tricked into performing unintended actions in an application. This is usually achieved by enticing them to click a link to a specially crafted web page containing a form that submits an HTTP request to the target application on their behalf.
The email change did not trigger any emails informing the user, meaning the attack might not be identified. An attacker, having set the account email address to one they control, would then be able to use the “Forgotten your Password” functionality to change the account’s password and complete the takeover.
The vulnerable URL was https://on.aiir.com/account and the vulnerable parameters included email.
Proof of concept
The screenshot below shows the original request used to update account details on on.aiir.com, such as the email address. Note the lack of an anti-CSRF token or any other protections against this type of attack.

Figure 1 – Original request showing the email change functionality.
From that request, it was possible to craft proof-of-concept (POC) code which, when served as a web page visited by a victim user, would automatically submit a form to trigger an email address change.
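The two controls this finding shows to be missing, an anti-CSRF token on the email change request and a notification of the change, look like this on the server side. This is an added example, not code from on.aiir.com or from the original write-up; the handler, the session and form field names and the in-memory outbox are hypothetical, and the allowed origin is derived from the URL given above.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this example: a per-deployment secret, dict-based sessions
# and forms, and a list standing in for the outgoing mail queue.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://on.aiir.com"

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the account form: random nonce + HMAC bound to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def csrf_token_valid(session_id: str, token: str) -> bool:
    """A token issued for another session, or no token at all, fails."""
    nonce, _, mac = (token or "").partition(".")
    expected = _mac(session_id, nonce)
    return bool(nonce) and hmac.compare_digest(mac.encode(), expected.encode())

def same_origin(headers: dict) -> bool:
    """Second layer: the request must originate from the application itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN

def handle_email_change(session: dict, headers: dict, form: dict, outbox: list):
    """Hypothetical handler for the account update request. Returns (status, message)."""
    if not same_origin(headers):
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(session["id"], form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    old, new = session["email"], form["email"]
    session["email"] = new
    # Notify the previous address so an unexpected change is visible to the owner.
    outbox.append((old, f"Your account email address was changed to {new}"))
    return 200, "email updated"
```

A form auto-submitted from another site carries the victim's session cookie but cannot read the token embedded in the genuine account page, so it is rejected before the email address is touched.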














