From 2449a494632eeb47738e5c30960926ae48d84ed4 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Fri, 20 Sep 2024 11:24:15 -0400 Subject: notes: rushordertees vuln drop Signed-off-by: Xe Iaso --- lume/src/_includes/base.njk | 4 +-- lume/src/_includes/blog.njk | 9 ++++- .../notes/2024/rushordertees-total-auth-bypass.mdx | 42 ++++++++++++++++++++++ 3 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 lume/src/notes/2024/rushordertees-total-auth-bypass.mdx diff --git a/lume/src/_includes/base.njk b/lume/src/_includes/base.njk index 4cbbadd..af1aa0a 100644 --- a/lume/src/_includes/base.njk +++ b/lume/src/_includes/base.njk @@ -140,7 +140,7 @@ {% endif %} -
+ {#

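Review bot: the `+ {#` added in this hunk opens a Nunjucks block comment around the "I'm available" resume call-to-action in base.njk (closed by the `#}` in the next hunk) rather than deleting the markup, which leaves dead template text in the layout; if the block is meant to come back later, gate it behind a site config flag (e.g. `{% if showHiring %}`) instead of a comment, otherwise remove the lines so the template stays readable. The commit subject "notes: rushordertees vuln drop" also says nothing about this layout change, so a short mention in the message body would help anyone bisecting the template later.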
@@ -154,7 +154,7 @@ If you're looking for someone like me on your team, I'm available. Check my resume and get in touch if you're hiring.

-
+
#}
{{ content | safe }} diff --git a/lume/src/_includes/blog.njk b/lume/src/_includes/blog.njk index f80d0f1..f562506 100644 --- a/lume/src/_includes/blog.njk +++ b/lume/src/_includes/blog.njk @@ -2,7 +2,14 @@ layout: base.njk --- -
+
+

{{title}}

Published on , {{ readingInfo.words }} words, {{ readingInfo.minutes }} minutes to read diff --git a/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx b/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx new file mode 100644 index 0000000..1b252a6 --- /dev/null +++ b/lume/src/notes/2024/rushordertees-total-auth-bypass.mdx 
@@ -0,0 +1,42 @@ +--- +title: "How to completely bypass authentication on RushOrderTees" +date: 2024-09-20 +desc: Just don't enter a password lol +hero: + ai: "Photo by Xe Iaso, Canon EOS R6mkii, Helios 44-2 58mm f/2" + file: single-grain + prompt: "A photo of a local wild grain plant on a blue sky" +--- + +While evaluating [RushOrderTees](https://www.rushordertees.com/) for a previous employer, an embarrassing security vulnerability was discovered. User accounts created inside their t-shirt designer do not have a password attached to them, allowing anyone to authenticate with only an email address. This allows disclosure of at least this information: + +- Full name on any orders +- Any custom designs +- Order id numbers +- Phone numbers when placing new orders + +This was proven by attempting to log into a RushOrderTees company account using a publicly visible email address. + +## Replication + +RushOrderTees has not acknowledged this issue and it is still trivial to reproduce it today: + +1. Create a new design +2. Attempt to purchase it +3. Save it with a custom name +4. Enter in your email address + +You have now created a RushOrderTees account _without a password attached_. + +## Explanation + +This lapse in security is understandable from a customer acquisition standpoint (every barrier in the way of users paying makes you lose half of your potential customer base), but is fairly inexcusable in 2024. Additionally, by making user accounts only protected with email addresses (public identifiers), this bypasses the entire point of authentication. It is difficult to figure out if this is a design choice or a security issue. + +## Timeline + +- 2024-04-15: Initial contact made to Rushordertees' sales@ and security@ email. The security@ email bounced. +- 2024-04-16: Reduction in scope of the issue and complete replication instructions discovered. +- 2024-04-17: Various other attempts were made to get their attention, all ended in failure. 
+- 2024-09-20: This bulletin was posted. + +Rushordertees has not acknowledged this bulletin and did not review it prior to publishing.
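Review bot: in the blog.njk hunk (`@@ -2,7 +2,14 @@`) the one removed and two added lines around `{{title}}` carry no reviewable content in this rendering, and neither the commit subject nor a body line says what changed in the post wrapper; add a one-line description of the layout change (what element was replaced and why) to the commit message so the template edit can be reviewed and bisected independently of the note it ships with.

Review bot: in the new rushordertees-total-auth-bypass.mdx, the Explanation closes with "It is difficult to figure out if this is a design choice or a security issue," which undercuts the title's "completely bypass authentication" claim; the bulletin's own finding that accounts are "only protected with email addresses (public identifiers)" already settles the question from a defender's view (there is no secret factor, whatever the intent), so state that plainly and drop the hedge. Two smaller points: the Timeline and closing sentence spell the company "Rushordertees" while the body uses "RushOrderTees", so pick one spelling; and the 2024-04-16 entry "Reduction in scope of the issue and complete replication instructions discovered" reads as two unrelated events in one clause, so split it or reword it (e.g. "scope of the issue narrowed; full replication steps confirmed").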