Stored XSS on funda, funda desk and funda emails

Since a few months, my girlfriend and I are looking for a house to buy. The housing market is going crazy in the Netherlands at this moment. Prices go beyond limits and houses are being sold within approximately 2 weeks after being available on the market. One of the best-known sites to search for houses to buy / rent in the Netherlands is funda. Because of a previously reported XSS vulnerability in funda, I started to play a bit more.

Funda was established by the NVM — the largest organisation in the Netherlands in the field of real estate — in 2001 to make offering and viewing real estate as comfortable as possible. With more than 44 million visits per month, funda is (one of) the biggest online real estate platforms of the Netherlands.

Request a viewing

When you do a request for a viewing, you’ll get a confirmation email with the same content you filled in on the form. I think it was our 5th or 6th request when I could not resist myself to append some HTML in the comment field of the form. I wanted to use something which would not directly draw the attention of the estate agent if the HTML got encoded when shown in the email, so I used <img src=x>. After I pressed the submit button, I received the confirmation email;

The confirmation email of my request.

To prevent email tracking, I have images disabled by default in my email client. This way, I could detect my image straight away! It was shown as a blue square with a question mark since the source “x” was unable to load. So it was clear that the input of the comment field in the Request a viewing form did not get encoded before used in the email templates of funda. Now the question raised “Where else is this information shown?”.

The estate agent

During my previous visits to funda, I noticed the link Funda desk in the footer of the page. Following this link will show you a login page with information about funda desk. Apparently, funda desk is the portal for estate agents to manage their offerings. I asked a well-known estate agent of mine who confirmed that my requests would be shown in funda desk. Unfortunately, he did not have any objects at this time on funda, so I used my socials to find an estate agent wanting to help me out;

Within a couple of days, I found an estate agent and explained in short what I had found out. He gave me the opportunity to comment on an object which was for sale. I chose to use the HTML image tag again but now with a valid source; my Twitter profile picture.

https://pbs.twimg.com/profile_images/800100104715767808/p9R3TNaH_400x400.jpg

This resulted in the following email in my inbox as a confirmation that my comment was received successfully.

The confirmation email of my comment.

The estate agent confirmed to me that he saw the same image in the notification email he received in his inbox. Next, he checked for me in his funda desk account and sent me a picture of what was shown on his screen…

My comment shown to the estate agent in funda desk.

Gotcha! My suspicions about the possibility of performing a Stored XSS attack were confirmed.

Impact

Huge. Being able to perform a Stored XSS attack would make it possible for me to …

  • … potentially steal the logged in estate agent’s cookies (session hijacking);
  • … show a custom login form which will send the login details to my server (phishing);
  • … perform requests for ordering products on funda desk, charging the estate agent;
  • … add / update / delete objects on funda desk.

Responsible disclosure

Time to report my findings to funda. I sent them an email on May 15, 2018, telling that I found a Stored XSS vulnerability and asking them if they had a Responsible Disclosure to comply. A few days later, I called them, since I did not get any response on my email yet. The person regularly handling those kinds of things was not in the office, but he would call me back. So it happened, little under an hour later he called me. At first, he sounded calm, but his voice changed to a serious tone after he heard what I had found. He ensured me that a team of people would look into it right away.

On May 25, 2018, I received a letter that they had confirmed my found vulnerability and were busy fixing it in their platform. As a token of appreciation they included a € 50,- bounty.

I want to thank funda for their cooperation and for giving me the opportunity to share this full disclosure with you!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sander Wind

Sander Wind

Security researcher at Mission CTRL. Developer at Alserda. Bug bounty hunter on Intigriti. https://www.missionctrl.nl