Search This Blog

Powered by Blogger.

Blog Archive

Labels

Live XSS Flaw Exists in DMCA-dot-com

A DMCA-dot-com XSS flaw reported in 2020 is still live today.

 

The user interface of the takedowns website DMCA-dot-com has an active cross-site scripting (XSS) vulnerability. It's been there for almost a year and has not been addressed. 

After more than a year of attempting and failing to convince DMCA-dot-com to take the XSS seriously, Infosec researcher Joel Ossi, founder of Dutch security firm Websec, disclosed his findings. "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface that allowed him to create an XSS. 

A copyright takedown service is DMCA-dot-com. Users pay the site to conduct the time-consuming task of obtaining an alleged copyright infringer's work to be removed from the Internet utilising the infamous US Digital Millennium Copyright Act. The cost of a takedown could be as high as $199. 

On a video conference with The Register, Ossi shared his findings in real-time. The typical XSS tell-tale — a popup with a personalized message – displayed every time he navigated to a new webpage in the DMCA-dot-com user area. The script for doing so was actually fairly straightforward: When he originally discovered the flaw in late 2020, he spent a year attempting and failed to obtain the attention of the operators of DMCA-dot-com. 

DMCA-dot-last com's message to Ossi stated, "Our development team will be reaching out if / when they need to. Our support department cannot help you on this," as he tried to persuade helpdesk staff to forward his vulnerability report. When he asked for a bug bounty, El Reg confirmed that Ossi had made complete confidential disclosure of his discoveries before addressing the issue of payment.

Both Ossi and The Register attempted to contact DMCA-dot-com several times and in The Register's instance, the company didn't even respond to the attempts to reach them. While Ossi was the first to discover the XSS flaws in DMCA-dot-com, he isn't the only one. Two different entries on the Open Bug Bounty site, one from April and the other from June, indicate XSS vulnerabilities in DMCA. 

Cross-site scripting vulnerabilities, let a malicious person run scripts on another person's website. The problem often exists because free text entry forms do not sanitize user inputs, as per MITRE. An attacker could gain access to a DMCA-dot-com account by extracting active login tokens from cookies. According to Ossi, it wouldn't take much to falsely bill for services, remove DMCA-dot-com's security features from a webpage, or delete an account. 

Jake Moore, a global cybersecurity advisor to infosec firm ESET, told The Register: "Cross-site scripting vulnerabilities can allow an attacker to masquerade as a standard user and carry out any actions that the user is able to perform such as access the user's data. User accounts can then ultimately be compromised and credentials or other information could be stolen with great ease." 

Immersive Labs' app security specialist Sean Wright further added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client-side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

It's anticipated that someone at DMCA-dot-com pays attention to the flaw disclosure from a year and a half ago.
Share it:

Bug Bounty

Bugs

Data Hacking

data security

Flaws

Research

Site security

Vulnerabilities and Exploits

XSS Flaw