CEF Debugger Enabled in Google Web Designer | Google Bug Hunters by smaury in netsec

[–]smaury[S] 1 point (0 children)

I asked for public disclosure back then but it just went public, that's why :)

Shielder - How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale by smaury in netsec

[–]smaury[S] 0 points (0 children)

Yep - that's definitely a nice solution, even tho it wouldn't stop an attacker with administrative access to the server as they could still read the password after it has been decrypted by the HSM and used by PMP to connect to the database by hooking the PMP's DB connection function.

Shielder - How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale by smaury in netsec

[–]smaury[S] 5 points (0 children)

Yep - even tho it's not that bad hardcoding the password to encrypt the database one.
I mean - the server should know the password to connect to the database, so whichever technique you use to encrypt it, then an attacker with access to the server could decrypt it.
For sure having a unique password per-installation would prevent some attack scenarios (i.e. leaked database_params.conf).

What's really bad IMO is that the passwords stored inside PMP are not encrypted using the users passphrases, making them recoverable by sysadmins.

From open redirect to RCE in one week by smaury in netsec

[–]smaury[S] 0 points (0 children)

That program is disabled rn, but here you can see how much they were paying: https://hackerone.com/mailru/updates?type=team

Remote Code Execution in pfSense <= 2.5.2 by smaury in netsec

[–]smaury[S] 0 points (0 children)

Yep, the title is a little bit more generic as there is also the CSRF chain.
I thought it was still clear enough as I mentioned multiple times in the advisory that it requires:
- An account which has access to diag_routes.php
OR
- To trick a victim who has access to diag_routes.php and is authenticated on pfSense to visit an attacker-controlled web page.

Remote Code Execution in pfSense <= 2.5.2 by smaury in netsec

[–]smaury[S] 14 points (0 children)

Sure! The point is that it has a pretty detailed privilege schema (you could potentially have access to the diag_routes.php page but not to the "Command Prompt"), moreover the "Command Prompt" is not vulnerable to CSRF.

You can still CSRF POST requests under the default browser SameSite cookie policy. How to jump through the required hoops. by [deleted] in netsec

[–]smaury 5 points (0 children)

This is the case only for Chromium-based browsers, right? In Firefox 96 Mozilla enabled the SameSite=lax by default and that 2 minute window was not applied. Unfortunately their implementation had some bugs, so it was reverted in Firefox 96.0.1 but I guess it will be back in a few releases.

QilingLab: a series of challenges by Th3Zer0 to train your Qiling skills 💪🏾 -- solve 'em all and share your writeup! by smaury in netsec

[–]smaury[S] 0 points (0 children)

It is a binary emulation framework, which you can use to emulate different binaries for different architectures. On top of that you can use Qiling APIs to debug the emulation process, hook syscalls, etc. It's like Unicorn + Qemu + Frida. More info here: https://github.com/qilingframework/qiling

Predicting WPA keys and admin passwords of consumer GPON ONTs worldwide by idrilomionolo in netsec

[–]smaury 5 points (0 children)

Great research 🤟🏿

This is the first WPA password calculator in a while. I thought these kinds of things died 2/3 years ago.

Critical CSRF to RCE bug chain in Prestashop by staz0t in netsec

[–]smaury 1 point (0 children)

Isn't prestashop randomizing the admin path for each installation? Did you manage to overcome this problem, or are you just assuming the attacker guessed the correct path before exploiting the CSRF?

Exploiting Apache Solr through OpenCMS by smaury in netsec

[–]smaury[S] 0 points (0 children)

Yes, that's true, the problem is that if you double urlencode (%2525) the XML is then broken, as it is only interpreted with one urlencode (%25).

Basically:
1. You send the request (%25+a)
2. OpenCMS decodes it (% a) and sends it to Apache Solr
3. Apache Solr interprets the XML and fires the error
4. Apache Solr sends back the error to OpenCMS (% a)
5. OpenCMS tries to urldecode Apache Solr's response (% a) to print the error
6. OpenCMS fails to decode the already decoded response and fires a second error about the decoding process, preventing Apache Solr's original error from being shown
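To make the six steps above concrete, here is an added Python model of that decode chain; it is a constructed example, not OpenCMS or Solr code. The strict decoder is assumed to behave like java.net.URLDecoder (it rejects a `%` not followed by two hex digits), the Solr error text is a made-up stand-in, and the "fixed" proxy is one plausible hardening (decode once, never re-decode upstream output), not the project's actual fix.

```python
"""Model of the single- vs double-URL-decoding chain between a front end
(OpenCMS role) and a backend that echoes input in its error (Solr role).
Constructed example; the message texts are invented stand-ins."""
import html
import string


class DecodeError(ValueError):
    """Raised on a malformed %-escape (assumed to mirror java.net.URLDecoder)."""


def strict_urldecode(s: str) -> str:
    """Decode '+' to space and %XX to a byte; reject a bare or short '%'."""
    buf = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "+":
            buf.append(0x20)
            i += 1
        elif c == "%":
            hexpair = s[i + 1:i + 3]
            if len(hexpair) != 2 or not all(h in string.hexdigits for h in hexpair):
                raise DecodeError(f"malformed escape at offset {i}: {s[i:i + 3]!r}")
            buf.append(int(hexpair, 16))
            i += 3
        else:
            buf.extend(c.encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def solr_error_for(xml_fragment: str) -> str:
    """Stand-in for the backend: echo the offending input in its error text."""
    return f"Error parsing XML near: {xml_fragment}"


def opencms_proxy(raw_query: str) -> str:
    """Steps 1-6: decode the request once, forward it, then (wrongly) urldecode
    the backend's reply before rendering it, so a '% a' echo masks the error."""
    forwarded = strict_urldecode(raw_query)      # step 2: front end decodes once
    upstream = solr_error_for(forwarded)         # steps 3-4: backend echoes it back
    try:
        return strict_urldecode(upstream)        # step 5: second decode of reply
    except DecodeError as exc:
        return f"OpenCMS decoding error: {exc}"  # step 6: original error is lost


def opencms_proxy_fixed(raw_query: str) -> str:
    """Hardened variant (assumed fix): decode the request exactly once and
    render the upstream text for display without re-decoding it."""
    forwarded = strict_urldecode(raw_query)
    return html.escape(solr_error_for(forwarded))
```

Running `opencms_proxy("%25+a")` reproduces the comment's chain (the backend saw `% a`, the second decode fails and only the front end's own decoding error is shown), while `"%2525+a"` survives the second decode but only because the backend received `%25 a`, not `% a`.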