| Field | Value |
|---|---|
| author | Xe Iaso <me@xeiaso.net>, 2024-09-20 11:24:15 -0400 |
| committer | Xe Iaso <me@xeiaso.net>, 2024-09-20 11:24:15 -0400 |
| commit | 2449a494632eeb47738e5c30960926ae48d84ed4 (patch) |
| tree | a1fcba4431c1a4a38ccc8a2ece3812d931b23729 |
| parent | 9e79830da22a4eac6a03e9dd8ea66daeb1631946 (diff) |
| download | xesite-2449a494632eeb47738e5c30960926ae48d84ed4.tar.xz, xesite-2449a494632eeb47738e5c30960926ae48d84ed4.zip |
notes: rushordertees vuln drop
Signed-off-by: Xe Iaso <me@xeiaso.net>
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | lume/src/_includes/base.njk | 4 |
| -rw-r--r-- | lume/src/_includes/blog.njk | 9 |
| -rw-r--r-- | lume/src/notes/2024/rushordertees-total-auth-bypass.mdx | 42 |
3 files changed, 52 insertions, 3 deletions
diff --git a/lume/src/_includes/base.njk b/lume/src/_includes/base.njk index 4cbbadd..af1aa0a 100644 --- a/lume/src/_includes/base.njk +++ b/lume/src/_includes/base.njk @@ -140,7 +140,7 @@ </div> {% endif %} - <div id="sticky-banner" tabindex="-1" class="flex justify-between w-full p-4 border-b border-fg-2 bg-bg-0 dark:bg-bgDark-0 dark:border-fg-2"> + {# <div id="sticky-banner" tabindex="-1" class="flex justify-between w-full p-4 border-b border-fg-2 bg-bg-0 dark:bg-bgDark-0 dark:border-fg-2"> <div class="flex items-center mx-auto"> <p class="flex items-center font-normal"> <span class="inline-flex p-1 mr-3 bg-bg-1 rounded-full dark:bg-bgDark-1 w-6 h-6 items-center justify-center"> @@ -154,7 +154,7 @@ <span>If you're looking for someone like me on your team, I'm available. Check <a href="/resume">my resume</a> and <a href="/contact/">get in touch</a> if you're hiring.</span> </p> </div> - </div> + </div> #} <div class="mt-4 p-2"> {{ content | safe }} diff --git a/lume/src/_includes/blog.njk b/lume/src/_includes/blog.njk index f80d0f1..f562506 100644 --- a/lume/src/_includes/blog.njk +++ b/lume/src/_includes/blog.njk 
@@ -2,7 +2,14 @@ layout: base.njk --- -<article class="prose dark:prose-invert max-w-none lg:prose-p:max-w-[80ch] lg:prose-p:mx-auto lg:prose-headings:mx-20 lg:prose-blockquote:max-w-[70ch] lg:prose-blockquote:mx-auto"> +<article class="prose dark:prose-invert max-w-none lg:prose-p:max-w-[80ch] lg:prose-p:mx-auto lg:prose-headings:mx-20 lg:prose-blockquote:max-w-[70ch] lg:prose-blockquote:mx-auto lg:prose-li:max-w-[78ch] lg:prose-li:mx-auto"> + <style> + .prose :where(li):not(:where([class~="not-prose"], [class~="not-prose"] *)) { + margin-left: auto; + margin-right: auto; + max-width: 78ch; + } + </style> <h1 class="mb-2">{{title}}</h1> <p class="text-sm text-fg-3 dark:text-fgDark-3 my-1 lg:mx-16"> Published on <time datetime={{date | date("DATE")}}>{{date | date("DATE_US")}}</time>, {{ readingInfo.words }} words, {{ readingInfo.minutes }} minutes to read diff --git a/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx b/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx new file mode 100644 index 0000000..1b252a6 --- /dev/null +++ b/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx 
@@ -0,0 +1,42 @@ +--- +title: "How to completely bypass authentication on RushOrderTees" +date: 2024-09-20 +desc: Just don't enter a password lol +hero: + ai: "Photo by Xe Iaso, Canon EOS R6mkii, Helios 44-2 58mm f/2" + file: single-grain + prompt: "A photo of a local wild grain plant on a blue sky" +--- + +While evaluating [RushOrderTees](https://www.rushordertees.com/) for a previous employer, an embarrassing security vulnerability was discovered. User accounts created inside their t-shirt designer do not have a password attached to them, allowing anyone to authenticate with only an email address. This allows disclosure of at least this information: + +- Full name on any orders +- Any custom designs +- Order id numbers +- Phone numbers when placing new orders + +This was proven by attempting to log into a RushOrderTees company account using a publicly visible email address. + +## Replication + +RushOrderTees has not acknowledged this issue and it is still trivial to reproduce it today: + +1. Create a new design +2. Attempt to purchase it +3. Save it with a custom name +4. Enter in your email address + +You have now created a RushOrderTees account _without a password attached_. + +## Explanation + +This lapse in security is understandable from a customer acquisition standpoint (every barrier in the way of users paying makes you lose half of your potential customer base), but is fairly inexcusable in 2024. Additionally, by making user accounts only protected with email addresses (public identifiers), this bypasses the entire point of authentication. It is difficult to figure out if this is a design choice or a security issue. + +## Timeline + +- 2024-04-15: Initial contact made to Rushordertees' sales@ and security@ email. The security@ email bounced. +- 2024-04-16: Reduction in scope of the issue and complete replication instructions discovered. +- 2024-04-17: Various other attempts were made to get their attention, all ended in failure. 
+- 2024-09-20: This bulletin was posted. + +Rushordertees has not acknowledged this bulletin and did not review it prior to publishing. |
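Review bot: in the first base.njk hunk (`@@ -140,7 +140,7 @@`) the sticky hiring banner is disabled by opening a Nunjucks comment (`{# <div id="sticky-banner" ...`) that is only closed in the second hunk (`</div> #}`), rather than by deleting the markup. Commented-out template blocks tend to rot as the surrounding layout changes, and git history already preserves the banner, so consider removing the block outright, or gating it behind a template variable if it is meant to come back.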
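Review bot: in the blog.njk hunk, the `<style>` block added inside `<article>` duplicates the `lg:prose-li:max-w-[78ch] lg:prose-li:mx-auto` utility classes added to the same element on the line above it, but with a different effect: the classes only apply at the `lg:` breakpoint, while the `.prose :where(li)` rule carries no media query and narrows and centres every list item at all viewport widths. Keep one of the two (the utility classes, if the narrow lists are meant only for large screens) so the behaviour is defined in a single place; note also that a `<style>` element in the document body is a non-conforming placement in HTML even though browsers honour it.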
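Review bot: in the new rushordertees-total-auth-bypass.mdx file, the company name is spelled `Rushordertees` in the Timeline entries and in the closing line but `RushOrderTees` everywhere else; pick one. The 2024-04-16 entry, "Reduction in scope of the issue and complete replication instructions discovered", is ambiguous about whether the scope was narrowed or widened; say which. The Explanation paragraph's "every barrier in the way of users paying makes you lose half of your potential customer base" reads as a statistic but cites nothing; soften it or add a source. Finally, the note gives impact and reproduction steps but no recommended remediation; one sentence saying the designer should require a password or an emailed one-time login link before exposing order history would give readers something actionable.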
