Michael Reid • almost 12 years ago
Am I missing something, or is this an enormous security flaw with MintChip? (CSRF vulnerability)
Consider the following simple HTML page, copied to pastebin to preserve formatting: http://pastebin.com/yzJ7sgTh
Assuming the MintChip ID in the action URL is valid, this will immediately attempt to create a value message for 1 cent. What's the problem? This is done with no user interaction at all--and once the value message is created, the money is gone! You can see in the remote Mint Chip management UI that the money is deducted from your mint chip account.
The only thing stopping this from working is if the user is prompted for the client certificate; however, if you've already authenticated the client certificate (by going to remote.mintchipchallenge.com, for instance) and set it to remember your certificate, there will be no prompting at all. I've tested and confirmed this on Firefox and Chrome.
So my question is: what am I missing here? Are end users not supposed to have hosted MintChip accounts? Or is this just a cross-site request forgery exploit that was missed during development?
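The post describes the classic cross-site request forgery setup: the browser presents the remembered client certificate automatically, so transport-level authentication alone cannot tell a user-initiated POST from one submitted by a hidden form on another site. The server-side check below is an added example and is not MintChip's code or API; the origin, form fields and function names are assumptions. It shows the two controls a defender would combine for a state-changing request: an Origin/Referer check and a per-session synchronizer token compared in constant time.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed value standing in for the service's own origin (not MintChip's).
ALLOWED_ORIGIN = "https://remote.example.test"

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session):
    """Mint a fresh per-session synchronizer token and remember it server-side.

    The token is embedded in the service's own forms as a hidden field; a page
    on another origin cannot read it, so it cannot be reproduced in a forged POST.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _request_origin(headers):
    """Return 'scheme://host' of the requesting page, preferring Origin over Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlparse(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_state_changing_request(method, headers, form, session,
                                 allowed_origin=ALLOWED_ORIGIN):
    """Decide whether a request may change state (e.g. create a value message).

    Returns (ok, reason). Safe methods pass through; any other method must come
    from the service's own origin AND carry the session's synchronizer token.
    Client-certificate authentication is deliberately not consulted here: the
    browser attaches it to forged requests too.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    origin = _request_origin(headers)
    if origin is None:
        # A browser-submitted cross-origin form carries Origin; a request with
        # neither header cannot prove same-origin intent, so fail closed.
        return False, "missing Origin and Referer"
    if origin != allowed_origin:
        return False, f"cross-origin request from {origin}"

    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "csrf token missing or mismatched"
    return True, "ok"


def demo():
    """Constructed requests: one forged from another origin, one legitimate."""
    session = {}
    token = issue_csrf_token(session)

    # Forged: hidden auto-submitting form hosted on an attacker-controlled page.
    forged_headers = {"Origin": "https://other-site.example.test"}
    forged_form = {"payee": "hypothetical-id", "amount": "1"}

    # Legitimate: the service's own management UI, token included.
    legit_headers = {"Origin": ALLOWED_ORIGIN}
    legit_form = {"payee": "hypothetical-id", "amount": "1", "csrf_token": token}

    return {
        "forged": check_state_changing_request("POST", forged_headers, forged_form, session),
        "legit": check_state_changing_request("POST", legit_headers, legit_form, session),
        "no_headers": check_state_changing_request("POST", {}, legit_form, session),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The Origin check alone already stops the scenario in the post, since browsers attach an Origin header to cross-origin form submissions; the token is kept as a second, independent control so that an unexpected header gap does not become a silent bypass.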