As you may have heard it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the vulnerability, I would like to take this opportunity to discuss the vulnerability I detected in this blog post.
A few months ago, I purchased a few items from the AliExpress website. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert in AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally and without, of course, harming the system or its users.
After a short investigation, I had concluded that any buyer in the website can browse to any item and can send a message to the seller using the “Contact Now” feature; this feature can be abused by a malicious buyer who could send a message to the seller containing a malicious payload.
As soon as I reached my conclusion, I needed to get in touch with the AliExpress security team in order to make them aware of the problem and allow them to fix it. Over the period of a month I made several attempts to contact them, however, unfortunately, I did not receive any response by email, and could not get the security team’s email address via the online support. Next, I started to ask for help via social media networks (in order to contact AliExpress), where I came across a person called Amitay Dan, who claimed to have discovered yet another vulnerability and that he had also tried to contact AliExpress, but did not receive a satisfying response either.
It is important to emphasize that my intention from the start was to contact AliExpress and to report the security breach to them personally so they can fix it, out of genuine concern that AliExpress users all over the world, including myself, should be able to use a properly secure website. Only after numerous unsuccessful attempts to reach their support, did I look for further assistance in the social media.
In the last few days, after Amitay & I were interviewed by the local Channel 10 News station, the news about us exposing security vulnerabilities in AliExpress had spread in the media all over the world.
Finally, we managed to get in touch with an AliExpress representative via the AliExpress – Israel fan page on Facebook, who connected us with the relevant contacts in AliExpress in order to prove and explain the security breaches that we detected.
I must say, that as soon as initial contact with AliExpress was made, they took this issue very seriously and we received an official message stating that the vulnerabilities we detected were fixed within two days. After receiving this message, I of course tested it myself, and I can indeed confirm that the vulnerability I found is now fixed.
The vulnerability I detected is persistent XSS (Cross-Site-Scripting), which allows an attacker to inject malicious HTML/JS code into message content, so when a seller opens a message or even just opens the message center, the malicious script will be executed on the seller’s browser. In this way, the attacker could potentially take over accounts and steal data from the victim’s account. The following actions can be achieved by using an XSS attack:
- Steal the user’s session cookie
- Read responses from the server
- Perform applicative actions
- Turn on the user’s webcam and spy on him
- Conduct a phishing attack in the trusted context of the vulnerable website to steal the user’s password or other sensitive data. The attack could create an HTML layer above the website content with a submit form and ask the user to fill it in.
- Many more scenarios are possible…
The following is a possible attack scenario:
- An attacker sends a message to a store via the “contact now” feature and injects a malicious script into the message content.
- The seller browses to the AliExpress message center.
- The malicious script is executed on the seller’s browser, which can then lead to any of the above described exploit scenarios (depending on the script’s content).
A skilled hacker could easily exploit this vulnerability and perform a well targeted attack, by sending malicious messages to many or even all of AliExpress sellers, and in this way might cause a great damage to the AliExpress website or to AliExpress users.
A Proof of Concept (PoC) video can be found at the following link:
Read more about the story, as told in different media sources: