Case Files: Pusher in Coinbase cookie

In my previous post, we witnessed how a bidding process can be abused in an online auction marketplace.

All of us are guilty of using SaaS services in this cloud era. Our systems use services like Okta for uniauth, Stripe for payments, Sendgrid for email notifications, HubSpot for customer success and Pusher for real-time push-based notifications.

The actors in this story are CoinBase (the popular Bitcoin wallet) and its use of Pusher to dispatch transactional notifications, directed by Amir. Like a typical SaaS vendor, a Pusher account is created by Coinbase leading to the allotment of an API SDK with an auth token. This auth token enabled the API consumer to create/view/export notification (perhaps each with a unique ID).

A normal workflow initiated by a consumer on such a platform would entail

1. Consumer logs in to Coinbase portal using her/his device
2. Coinbase conducts credentials and device verification
3. After (2), Coinbase conducts Pusher authentication
4. Upon successful authentication, Coinbase receives session information from Pusher
5. Coinbase persists Pusher’s session information in its cookie
6. The consumer is now allowed to transact
7. Consumer finally logs out

This workflow was abused using the following technique

The normal process was not followed when the session was terminated and the device unconfirmed

1. At step 7, the Pusher session remained active despite logout.
2. If two tabs were open and logout was initiated from one tab, allowing the malicious user to switch tabs and view notifications of other users.

What are these conditions that led to this flaw to be exploited?

1. Storing of 3rd party vendor’s session information in a cookie
2. Applying necessary rigor to de-auth all active sessions with 3rd party vendors upon logout or timeout action related to a consumer.

Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.

Sponsorships Available

Sponsorships Available

Sponsorships Available

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application in a specific business line for design flaws that can be exploited?

Yes, such a system does exist. ShiftLeft’s Ocular is a platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application’s codebase.

To request a free trial and demo, please signup at https://www.shiftleft.io/ocular/

Case Files: Pusher in Coinbase cookie was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Recent Articles By Author

• The Optus Breach: How Bad Code Keeps Happening to Good Companies
• Log4Shell : JNDI Injection via Attackable Log4J
• Evolving Threat series — Infiltrating NPM’s Supply Chain (UA-Parser-js)

More from Chetan Conikee

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/case-files-pusher-in-coinbase-cookie-b2ca543e9c99?source=rss----86a4f941c7da---4