Research By: Dikla Barda, Roman Zaikin and Oded Vanunu
Black Friday symbolizes the start of the end of year shopping season. During this period, online shopping is expected to increase rapidly as consumers search for online bargains, visit product comparison sites and generally avoid the hassle of crowded shopping malls.
Researchers at Check Point recently discovered that criminals have a new way to trick merry online shoppers via the massively popular AliExpress shopping portal. With more than 100 million customers and $23bn in revenue worldwide, AliExpress, part of the AliBaba Group, is one of the most popular places to shop online.
After discovering the vulnerability, Check Point Researchers immediately informed AliExpress (9th Oct) who, due to taking cybersecurity very seriously, took swift action and fixed it within two days of notification (Oct 11th). This is highly commendable and sets an example to other online retailers.
AliExpress using Coupons to attract new and returning customers to shop on its site. Once customers arrive at the site’s home page, AliExpress often shows them a pop-up overlay and asks them to input their credit card details in order to ensure a more efficient shopping experience. This makes for easy online payment and faster checkouts.
Example of Coupon Pop-Up Overlay:
If an attacker were to find a way to inject code to AliExpress this could abuse the AliExpress logic and create a payload that would look something like this:
Example of Attacker’s Fake Coupon Overlay:
The attack starts by luring the victim into clicking on a malicious link, sent by email for example. The customer would then be taken to the alixpress.com login page. After login, the victim could then be redirected to a page with the injected code implanted in it. A coupon window could then be displayed requesting them to save their credit card details and claim $50.
These credit card details would then be sent directly to the attack server.
Demo of the Attack:
AliExpress contains a lot of websites and sub-domains under the Alibaba Group. We managed to find that ‘us.cobra.aliexpress.com’ reflects the parameter ‘cb’.
Figure 1 With Referer Header
Figure 2 Without Referer Header
AliExpress uses only a simple method to thwart these kind of attacks though. The method involved checking the referer header of the request and if the referer was not set or was incorrect then the request would be denied by the server.
How ‘referer’ Works?
The referer is an HTTP header that identifies the URL of the webpage where the request was requested from. For example, if we will go to blog.checkpoint.com, the referer header will not be set because this is the first time we have opened the web page.
GET /2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/ HTTP/1.1Host: blog.checkpoint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Having done that though, if you click on a link to YouTube, the browser will add the referer header that will tell YouTube that we have come from blog.checkpoint.com.
GET /UR_i5XSAKrg HTTP/1.1Host: youtu.beUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0Referer: https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/
So, if an attacker would send a malicious link on its own to the victim then it will not work! In order to bypass this referer protection then, we needed to use a simple trick.
We had a malicious link that needed to be sent from AliExpress to the victim and not directly by us due to the referer header protection mentioned above. In order to achieve that we looked for links in AliExpress that redirected to a second link in AliExpress, a link that we could replace with our own malicious link.
We found the following redirect link, which ended up with the following payload:
The next step was to create a shorter link for this payload to mask it. To do that we could have used any URL shortener link. For example:
or even a malicious QR code:
Any data that would be inserted to this popup would be sent to the attacker.