User and Team Impersonation on HackTheBox

Summary

This bug allows an attacker to impersonate any user and any team on HackTheBox. It could cause reputational damage to the victim: an attacker could post threads attacking another member or HackTheBox itself, violate the rules, or post or hand out flags, all under a name that is visually identical to the victim's.

Reconnaissance

I noticed that HackTheBox accepts Unicode (UTF-8) characters in usernames, so not just Latin letters but Cyrillic letters as well.

Cyrillic letters can be used to impersonate someone online because several of them are visually identical to Latin letters (for example Cyrillic е, U+0435, and Latin e, U+0065). The technique is best known from Internationalized Domain Names (IDN), where it is called a homograph attack.

Checking the Hall of Fame list, I picked the user @owodelta (https://www.hackthebox.eu/home/users/profile/28238) as the target for this attack.

Luckily, the user's team Cyclone (https://www.hackthebox.eu/home/teams/profile/1219) could be impersonated as well, since team names are subject to the same weakness.

I also noticed that the HackTheBox Forums use the username from the main platform, which means the same account could be impersonated on the forums as well.

Exploitation? No, Procedure.

Using the Cyrillic letter е (U+0435) in place of the Latin e, I created an account with the username owodеlta.

Fake Account

Real Account

Then I submitted enough root flags to reach the Hacker rank, which let me create a team, and named it Cyclonе (again with the Cyrillic е).

Fake Team

Real Team

Then using the fake HTB account, I also created a fake HTB Forum account.

Fake Forum Account

After creating the account, I posted a comment on one of my own threads to confirm that the username rendered identically to the target's.

Remediation

The HackTheBox team quickly responded to my email. They told me that they

are implementing a filter when creating / updating users / teams, which will ensure not only uniqueness of the name (which we already enforce obviously), but also enforce uniqueness of the username when transliterated to the Latin character set. This means users can still register using Cyrillic characters, but cannot register or update their name when it will conflict with an existing user.
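The check HTB describes, uniqueness of the name after folding it to the Latin letters it resembles, can be prototyped as follows. This is an added example and not HTB's code: the confusable map (a small hand-picked subset of the Unicode confusables table), the casefolded skeleton, the mixed-script heuristic and the sample names are my assumptions about how such a filter would be built.

```python
import unicodedata

# Lowercase Cyrillic letters whose usual glyphs are indistinguishable from
# Latin ones. Constructed for this example from well-known confusable pairs;
# a production filter would use the full Unicode confusables table (UTS #39).
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE (the letter used in this write-up)
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
}


def skeleton(name: str) -> str:
    """Fold a display name to the Latin string it looks like.

    NFKC collapses compatibility forms (fullwidth letters, ligatures);
    casefold makes the comparison case-insensitive (an assumption, the
    platform may compare case-sensitively) and lowercases Cyrillic capitals
    so a single lowercase map suffices; finally confusable Cyrillic letters
    are replaced by their Latin look-alikes.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in folded)


def is_mixed_script(name: str) -> bool:
    """True if the letters of `name` come from more than one script.

    A name mixing Latin and Cyrillic letters is almost never legitimate and is
    the usual signature of a homoglyph attack, so it is worth flagging even
    when it collides with nothing (heuristic added here, not part of HTB's fix).
    """
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
               for ch in name if ch.isalpha()}
    return len(scripts) > 1


class NameRegistry:
    """Enforces uniqueness of the folded skeleton, not just of the raw name."""

    def __init__(self, existing):
        self._by_skeleton = {}
        for name in existing:
            self._by_skeleton[skeleton(name)] = name

    def conflicts_with(self, name: str):
        """Return the existing name `name` would be confused with, or None."""
        return self._by_skeleton.get(skeleton(name))

    def register(self, name: str) -> None:
        clash = self.conflicts_with(name)
        if clash is not None:
            raise ValueError(f"{name!r} conflicts with existing name {clash!r}")
        self._by_skeleton[skeleton(name)] = name


# Constructed sample data: the two real names from the write-up plus one more.
EXISTING_NAMES = ["owodelta", "Cyclone", "g0blin"]

if __name__ == "__main__":
    registry = NameRegistry(EXISTING_NAMES)
    candidates = [
        "owod\u0435lta",              # Latin with one Cyrillic е: the attack
        "Cyclon\u0435",               # same trick against the team name
        "\u0418\u0432\u0430\u043d",   # Иван, all Cyrillic: legitimate, no clash
        "owodelta2",                  # plain Latin, no clash
    ]
    for candidate in candidates:
        clash = registry.conflicts_with(candidate)
        print(f"{candidate!r:20} mixed-script={is_mixed_script(candidate)!s:5} "
              f"conflicts with {clash!r}")
```

Note that NFKC alone does not catch the attack: Cyrillic е is a distinct letter with no compatibility decomposition, so the explicit confusable map is what folds owodеlta onto owodelta. The registry check runs in both directions, so once an all-Cyrillic name is registered, a later name that swaps one of its letters for a Latin look-alike is rejected too.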

Timeline

Date & Time Activity
Jan 1, 2019 7:25 AM Report Submission via Email
Jan 1, 2019 7:41 AM @g0blin (James Hooker) responded to my email.
Jan 1, 2019 8:01 AM I responded to thank them for quick response and told them to keep me updated.
Jan 1, 2019 8:37 AM @g0blin gave me an overview of their mitigation for the bug.
Jan 1, 2019 8:39 AM I responded via email to apologize for making him work during holidays.
Jan 1, 2019 9:15 AM He said "No problem - It was a nice find!" and rewarded me with a unique badge and 1 month VIP Access.
Jan 2, 2019 2:42 PM The fix has been deployed to production.
Jan 3, 2019 1:52 PM I confirmed that the bug is no longer reproducible but told him that I cannot delete the test account on the Forums.
Jan 3, 2019 4:18 PM @g0blin said he will handle the deletion of the test account.

P.S.: I informed the real owodelta about this over Slack.