Two critical cross-site request forgery (CSRF) flaws in educational non-profit Khan Academy’s website may have affected some users by allowing account takeover.
Khan Academy, a non-profit learning organization, produces short lessons in the form of videos that can be accessed online. The two critical flaws, which were both resolved shortly after they were reported and were publicly disclosed last week, stemmed from a lack of CSRF tokens, which double-check account log-in requests to make sure they aren’t CSRF attacks.
A Khan Academy spokesperson told Threatpost they resolved the flaw by adding a CSRF token check to the password-change request. The company sought to downplay the vulnerability, saying: “The flaw’s impact was minimal, only possibly affecting a small fraction of our users. A user would have to visit a malicious page to begin with for it to work.”
The spokesperson added, “We take these matters seriously and our team moves swiftly and decisively to investigate and resolve issues as quickly as possible. We will continue to take all appropriate measures to ensure the highest integrity of our systems to protect the data of our learners, volunteers, partners and other stakeholders.”
One of the flaws could have allowed attackers to takeover accounts that were created using the Google or Facebook login option (two options that are available for quick sign-ins using existing Facebook or Google usernames and passwords).
CSRF happens when a malicious website sends a request to a web application that a victim is already authenticated against. This way an attacker can access the functionality in a target web application via the victim’s already authenticated browser. In this case, if a user creates an account using Google or Facebook and does not set an additional password, it is possible to send an HTML request via CSRF to the already-created account and set a new password, according to the researcher.
“When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their passwords via CSRF,” according to the bounty hunter who discovered the flaw, who goes under the alias “tomoh,” in a HackerOne report.
To be attacked, a victim would need to go to a website where attackers added a line of malicious code somewhere on the site.
The other flaw could have allowed a bad actor to take over any unconfirmed account on Khan Academy.
This glitch exists because the endpoint (/signup/email) allows users to change their email before they confirm their account email.
That means an attacker could obtain a new email address not associated with a Khan Academy account, then lure another Khan Academy user to visit a URL linking to a page, that could then send a post request to the (/signup/email) endpoint.
Because the endpoint is not protected from CSRF, the email change will go through, and the attacker would then be able to take over the unconfirmed account using password reset. Making matters worse, “The original user would not be able to reclaim account since the original email is now not associated with any KA account,” the researcher said.
He added, “And since unconfirmed users can participate in most activities on the website, this could lead to leakage of personal info. Since this [account takeover] does not require any knowledge of the user’s email address or KAID, it would become possible to launch large-scale attacks by posting malicious links on forums or other places on the internet that KA users would visit.”
This second flaw was reported via HackerOne on April 15; and fixed on April 16.
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.