Cookie poisoning leads to DoS and Privacy Violation
When the verification goes wrong.
The avatar cookie contains the URL of the avatar image. But what if we change it?
When I was hunting on cs.money, I noticed that the avatar cookie held the URL of the user's avatar on Steam. I changed the cookie to the URL of some other image and saw that it was loaded on the main page.
So far nothing special: we can load a different image than the expected one. So what?
Okay, I tried to chat with support and... my request got blocked. After playing around with the cookie value a little, I tried inserting part of the Steam avatar URL as a parameter of a URL pointing at my own server.
Privacy Violation
Yes, I was right. The server was not checking the URL properly. The back-end verification was something like this (pseudocode):
The right verification should be:
I got a request on my server from the support agent's browser. It tried to load the image URL by sending an HTTP request to my server, so now I had the support agent's IP address and User-Agent.
Denial of Service
Now, think: what if, instead of the hacker's server, we insert the cs.money logout URL? Bingo!
The support agent's browser makes a request to the logout URL and logs them out.
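The pseudocode the write-up refers to is not reproduced on the page, so the following is an added example of my own, not cs.money's code: it contrasts a substring check of the kind the write-up implies (the trusted host name only has to appear somewhere in the string) with a parse-and-compare check, and runs both over constructed URLs shaped like the ones from the Privacy Violation and Denial of Service sections. The allowed host `avatars.steamstatic.com`, the `logout-placeholder` path and every sample URL are assumptions, not values from the page.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts an avatar image may be loaded from.
# cs.money's real check is not shown on the page; this is an illustration.
ALLOWED_AVATAR_HOSTS = frozenset({"avatars.steamstatic.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def weak_avatar_check(url: str) -> bool:
    """Substring check of the kind the write-up describes (assumed):
    passes as long as a trusted host name appears anywhere in the URL,
    even inside a query parameter or the userinfo part."""
    return any(host in url for host in ALLOWED_AVATAR_HOSTS)


def strict_avatar_check(url: str) -> bool:
    """Parse the URL and compare scheme and host exactly.
    urlparse().hostname is lower-cased and has userinfo and port removed,
    so 'https://trusted@evil' yields hostname 'evil', not 'trusted'."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.hostname is None or parts.hostname not in ALLOWED_AVATAR_HOSTS:
        return False
    return True


# Constructed sample cookie values, modelled on the write-up's scenarios.
CONSTRUCTED_CASES = [
    # a legitimate avatar URL on the allowed host
    "https://avatars.steamstatic.com/example.jpg",
    # attacker-controlled host with the trusted host name in a query parameter
    "https://attacker.example/pixel.png?ref=avatars.steamstatic.com/example.jpg",
    # trusted host name placed in the userinfo part of the URL
    "https://avatars.steamstatic.com@attacker.example/pixel.png",
    # the site's own logout endpoint (placeholder path) with the same trick
    "https://cs.money/logout-placeholder?next=avatars.steamstatic.com/example.jpg",
    # right host, but plain http (downgrade)
    "http://avatars.steamstatic.com/example.jpg",
]


def evaluate_cases(cases=CONSTRUCTED_CASES):
    """Return (url, weak_result, strict_result) for each sample URL."""
    return [(u, weak_avatar_check(u), strict_avatar_check(u)) for u in cases]


def mismatches(cases=CONSTRUCTED_CASES):
    """URLs the weak check accepts but the strict check rejects."""
    return [u for u, weak, strict in evaluate_cases(cases) if weak and not strict]


if __name__ == "__main__":
    for url, weak, strict in evaluate_cases():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The strict check rejects every constructed URL except the first, while the weak check accepts all five. The logout case also points at a second weakness that the image-URL check does not address: a logout that fires on a plain GET can be triggered by any image load, so state-changing endpoints like logout should require a POST carrying a CSRF token rather than react to a GET.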
Final thoughts
It is amazing to see how a small flaw, just a wrong verification of the avatar cookie, can have an impact like that.
Cs.money paid me a $500 reward (high impact at support.cs.money). As I had already reported the problem (being able to change the avatar to other images) and they had closed it as Not Applicable, they kindly gave me a $200 bonus. You can check my report here.
Let me know if you liked it, clap!