
Unauthorized Use of Victim Credit Card

Low
Yelp
Submitted None

Team Summary

Official summary from Yelp

@hk755a reported a clickjacking attack that allowed an attacker to overlay the checkout page (`/checkout/deal`), thereby potentially causing monetary loss for the victim. Yelp was able to deploy an X-Frame-Options header in a short amount of time, and since then, Yelp has deployed a site-wide CSP policy to prevent such clickjacking attacks from occurring.

Reported by hk755a

Vulnerability Details

Technical details and impact analysis

Privacy Violation
#SUMMARY

Yelp users' credit cards are at risk of being compromised.

There's a way by which a malicious attacker can make unauthorized purchases from the victim's credit card. Just by getting the victim to some external website and clicking on it, the victim would have eventually paid for some unwanted deal unknowingly from his saved credit card on Yelp. (Please see the POC, which shows a $450 deal.)

#DESCRIPTION:

The endpoint yelp.com/checkout/deal/****?biz_id={}&fsid={} is framable, which means a sample deal page like this:

https://www.yelp.com/checkout/deal/16OJ1G_Ev7STx0HELIDzyA?biz_id=Ydf5dgFsGhMSP61Ht7TekA&return_url=%2Fbiz%2Fbutcher-and-the-burger-chicago

could be embedded as a hidden iframe on some HTML page. Watch the video attached to see what the exploit really looks like.

#EXPLOIT SCENARIOS:

*The attacker could simply host the exploit page (attached to this report) on some webpage and use social networking sites to share it across the world. One simple way could be spreading it through Yelp's Talk section itself, so as to get valid Yelp users easily.*

I mainly envision the vulnerability to be exploited in the following ways:

==**1.) Attacker creates a deal himself and uses this vulnerability to steal money from the victim.**==

==**2.) Attacker just goes on causing monetary loss for the victim, with no personal monetary gain.**==

#POC

*You may want to watch the 1 min video attached with the report*

Step 1.) Log into your Yelp account in a fresh or incognito browser window.

Step 2.) Open the attached "Yelp Credit Card Misuse by framable deals page" webpage in another window.

Step 3.) Click on the slightly visible Purchase button.

The vulnerability's exploitation impact is high as it causes unauthorized credit card use of the victim! Do let me know if there are any questions.

## Impact

Yelp users' credit card protection is certainly compromised. Worthy customers bear monetary losses.
Apart from money, the faith of users in Yelp for their cards' security is also lost, leading to customer/business loss to Yelp. Such attacks, running in the wild, are a heavy threat to an organization's reputation.
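The fix named in the team summary (an X-Frame-Options header, later a site-wide CSP) can be audited from a response's headers. The following is an added example, not code from the report or from Yelp: the function names and sample header values are constructed, and it assumes current browser behaviour, where an enforced `frame-ancestors` directive takes precedence over `X-Frame-Options`.

```python
# Added example: could an unrelated origin frame a response with these headers?
PERMISSIVE = {"*", "http:", "https:"}          # sources that match any site
ORDER = ["blocked", "allowlist", "framable"]   # most to least restrictive

def frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return {t.lower() for t in tokens[1:]}
    return None

def classify_csp(sources):
    hosts = sources - {"'none'", "'self'"}
    if not hosts:
        return "blocked"                       # 'none', 'self' or an empty list
    return "framable" if hosts & PERMISSIVE else "allowlist"

def classify_xfo(values):
    tokens = {t.strip().lower() for v in values for t in v.split(",") if t.strip()}
    if len(tokens) > 1:
        # Conflicting values fail closed if any of them is a recognised keyword.
        return "blocked" if tokens & {"deny", "sameorigin", "allowall"} else "framable"
    # Missing header, obsolete ALLOW-FROM and unknown values give no protection.
    return "blocked" if tokens & {"deny", "sameorigin"} else "framable"

def cross_origin_framing(headers):
    """headers: (name, value) pairs of one response. Returns (verdict, decided_by)."""
    get = lambda name: [v for n, v in headers if n.lower() == name]
    # Report-Only policies are not enforced, so only the enforcing header is read.
    policies = [p for v in get("content-security-policy") for p in v.split(",")]
    lists = [s for s in map(frame_ancestors, policies) if s is not None]
    if lists:
        # Every enforced policy must allow the embedder, so the strictest wins.
        return min((classify_csp(s) for s in lists), key=ORDER.index), "csp"
    return classify_xfo(get("x-frame-options")), "x-frame-options"

if __name__ == "__main__":
    samples = {  # constructed header sets, not captured from any site
        "no framing headers": [("Content-Type", "text/html")],
        "XFO only": [("X-Frame-Options", "SAMEORIGIN")],
        "report-only CSP": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
        "CSP + XFO": [("Content-Security-Policy", "frame-ancestors 'self'"),
                      ("X-Frame-Options", "DENY")],
    }
    for label, hdrs in samples.items():
        print(f"{label:20} {cross_origin_framing(hdrs)}")
```

A `framable` verdict on a state-changing page such as a checkout form is the condition this report describes; `allowlist` results still need each listed embedder reviewed.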

Report Details

Additional information and metadata

State: Closed

Substate: Resolved

Submitted

Weakness: Privacy Violation