How I found a persistent XSS affecting thousands of career sites


Our guest blogger and Detectify Crowdsource hacker ak1t4 explains how he discovered and reported a persistent XSS vulnerability on Teamtailor that affected thousands of career sites – including Detectify’s external career site. Teamtailor patched the vulnerability within one day of the issue being reported. A huge thank you to our Crowdsource researcher ak1t4 and to Teamtailor for acting on the information right away. This is a great example of how companies can benefit from letting the white hat hacker community help them with their knowledge!

Detectify’s comment: Please note that the persistent XSS did not give the researcher access to Detectify’s main site or client database. Also note that Teamtailor does not have a Bug Bounty program, but you can reach out to them at support[at]teamtailor.com.

About the Detectify Crowdsource researcher

My name is ak1t4, and I’m from Argentina. My background is in Network Engineering, but I never worked directly with security until Bug Bounty came into my life. Since then, I have hacked Google, Uber, Twitter, and other well-known companies. I have also been a member of Detectify Crowdsource since December 2016.

LET’S GO TO THE HACK!

Information Gathering:

One of these days when I was a bit bored, I decided to take a shot at detectify.com. I used Sublist3r (sublist3r.py) to enumerate some of their subdomains; here is what I got:

One of these domains grabbed my attention: career.detectify.com, which was pointing to detectify.teamtailor.com.

Aha! And... what is Teamtailor?

Excerpt from their website: “All-in-one solution for all your recruitment needs. Everything you need to recruit successfully. Attract candidates and market your workplace at the same time. It doesn’t get any easier than this.”

I checked it out, and it’s an awesome app for recruiting: it looks very nice and is easy to use. I created an account on Teamtailor.com and started playing around with the application... it’s a really great app! I created users and performed actions like recommending candidates for a job, creating candidate profiles, etc.

After a few hours of looking around with my account and profile, I found a feature that grabbed my attention – a “share” profile feature with a URI like this:

https://xxxx.teamtailor.com/shares/LZHstXPRuGA0xXb2FOmRzA/151251-ak1t4-haxor

(In this URI we can see the domain, the path and the hash string that identifies the shared user content, for example a job candidate profile.)

I started looking for cross-domain issues and tried to exploit them. After a couple of tests, I found that Teamtailor wasn’t checking that a shared profile belonged to the owner of the domain it was served on. I decided to use this issue to load my own profile (by its hash) directly under the career.detectify.com domain, and it worked! I was able to replace their existing career site with my Teamtailor profile.

Now, let’s execute some JavaScript

I put some JavaScript into the profile to trigger a popup on the hacked domain. I filled the LinkedIn URL field with this payload: “javascript:alert(document.domain);//http://someurl.com”

Clicking the LinkedIn link ran the JavaScript, because the application never validated that the link was actually a proper http(s) link to LinkedIn.
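
Both weaknesses described above come down to missing server-side checks: the share token was not bound to the tenant whose domain served it, and the LinkedIn field accepted any URL scheme. The following is an added example, written for this post and not Teamtailor’s code, of how a multi-tenant career site can enforce both. The host-to-tenant map, the share tokens, the tenant names and the `safeProfileLink`/`resolveShare` function names are all constructed for illustration.

```javascript
// Added example (not Teamtailor's code): two server-side checks that close the
// gaps described in the post. All data below is constructed for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Normalise a user-supplied profile link; return a safe absolute URL or null.
// The WHATWG URL parser strips leading/trailing whitespace and embedded
// tabs/newlines and lowercases the scheme, so "  JavaScript:" and
// "java\tscript:" both surface as protocol "javascript:" and hit the denylist
// by simply not being on the allowlist.
function safeProfileLink(input, { allowedHosts = null } = {}) {
  if (typeof input !== "string" || input.trim() === "") return null;
  let url;
  try {
    url = new URL(input);
  } catch (_e) {
    // No scheme at all (e.g. "linkedin.com/in/x"): assume https.
    try {
      url = new URL("https://" + input.trim());
    } catch (_e2) {
      return null;
    }
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (allowedHosts) {
    // For a field that is supposed to point at one provider, pin the host too.
    const host = url.hostname.toLowerCase();
    const ok = allowedHosts.some((h) => host === h || host.endsWith("." + h));
    if (!ok) return null;
  }
  // Embedded credentials are never legitimate in a profile link; drop them.
  url.username = "";
  url.password = "";
  return url.href;
}

// --- Tenant binding for the /shares/<token>/... endpoint ---------------------

// Constructed platform domain and custom-domain mapping (in reality a DB lookup).
const PLATFORM_DOMAIN = "teamtailor.com";
const CUSTOM_DOMAINS = new Map([
  ["career.detectify.com", "detectify"],
]);

// Constructed share records: each token records which tenant created it.
const SHARES = new Map([
  ["tokenDetectify001", { tenant: "detectify", title: "Candidate profile (constructed)" }],
  ["tokenAttacker001", { tenant: "ak1t4", title: "Attacker-controlled profile (constructed)" }],
]);

// Resolve the request's Host header to a tenant: either a mapped custom domain
// or a single-label subdomain of the platform domain. Anything else is unknown.
function tenantForHost(host) {
  const h = String(host).toLowerCase();
  if (CUSTOM_DOMAINS.has(h)) return CUSTOM_DOMAINS.get(h);
  const suffix = "." + PLATFORM_DOMAIN;
  if (h.endsWith(suffix)) {
    const sub = h.slice(0, -suffix.length);
    if (/^[a-z0-9-]+$/.test(sub)) return sub;
  }
  return null;
}

// A share is only served on hosts owned by the tenant that created it. A token
// from another tenant yields null (a 404), never someone else's content.
function resolveShare(host, token) {
  const tenant = tenantForHost(host);
  const share = SHARES.get(token);
  if (!tenant || !share || share.tenant !== tenant) return null;
  return share;
}

module.exports = { safeProfileLink, tenantForHost, resolveShare };
```

With these two checks in place, the payload from the post is rejected at save time because its scheme is `javascript:`, and a profile created under one tenant can no longer be rendered under another tenant’s career domain.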

Now, guess what? Detectify’s career site was hacked!

This made my day! Let’s submit a report to the Detectify team!

But... wait! If this works for career.detectify.com, could it also work on the other sites managed by Teamtailor? Well... let’s try some DNS hijacking! I tried with some random sites, and look what happened...

Wow! It worked! So, now... let’s do some massive reconnaissance and try a few Google dorks to see how many sites sit behind Teamtailor’s DNS and are managed by them:

19,400 results? Wow! Let’s dig a bit further to see if there are any branded domains too:

YES! At this point, I had hacked Detectify’s career site and many more career sites!

Detectify’s response

The first thing that I did was to contact Frans Rosén from Detectify on Twitter to show him the issue. Then I contacted the Detectify team by email so that they could handle the issue, and help me reach out to Teamtailor.

The Detectify team moved very, very fast! They nulled their subdomain the same day the issue was reported. Great to see that it was fixed in just one day!

Detectify reached out to Teamtailor on my behalf to report the issue, and they fixed it within a day.

Thanks to the amazing Detectify team for handling this in an amazing way, and special thanks to Frans Rosén, Johan, and Yasmin, who are very kind people and awesome professionals too 🙂

I wish you good hunting and Go hack yourself! 🙂

Timeline

4 June 2017 — Initial Discovery

4 June 2017 — Reported

5 June 2017 — Escalated by Detectify

5 June 2017 — Patched & Fix Confirmation from Teamtailor team

Are you interested in joining ak1t4 and other security researchers on Detectify Crowdsource? Drop us an email at hello [at] detectify.com and we’ll tell you more, or check out this blog post where we explain what we look for in a Detectify Crowdsource hacker.

About the author:

My name is ak1t4 and I’m from Argentina. My background is in Network Engineering, and I have recently started working more with security and bug bounties. For me, hacking is a way of life: creating and observing things. Hacking is observation with attention and presence, looking at behaviors, playing around a little and trying to change that behavior into something else. Always do things for fun. If it’s not fun? Just don’t do it! Hacking needs to be fun! Happy Hacking!

Contact:
https://hackerone.com/ak1t4
https://www.facebook.com/ak1t4hax0r