Stored XSS on funda, funda desk and funda emails
Since a few months, my girlfriend and I are looking for a house to buy. The housing market is going crazy in the Netherlands at this moment. Prices go beyond limits and houses are being sold within approximately 2 weeks after being available on the market. One of the best-known sites to search for houses to buy / rent in the Netherlands is funda. Because of a previously reported XSS vulnerability in funda, I started to play a bit more.
Funda was established by the NVM — the largest organisation in the Netherlands in the field of real estate — in 2001 to make offering and viewing real estate as comfortable as possible. With more than 44 million visits per month, funda is (one of) the biggest online real estate platforms of the Netherlands.
Request a viewing
When you do a request for a viewing, you’ll get a confirmation email with the same content you filled in on the form. I think it was our 5th or 6th request when I could not resist myself to append some HTML in the comment field of the form. I wanted to use something which would not directly draw the attention of the estate agent if the HTML got encoded when shown in the email, so I used <img src=x>. After I pressed the submit button, I received the confirmation email;
To prevent email tracking, I have images disabled by default in my email client. This way, I could detect my image straight away! It was shown as a blue square with a question mark since the source “x” was unable to load. So it was clear that the input of the comment field in the Request a viewing form did not get encoded before used in the email templates of funda. Now the question raised “Where else is this information shown?”.
The estate agent
During my previous visits to funda, I noticed the link Funda desk in the footer of the page. Following this link will show you a login page with information about funda desk. Apparently, funda desk is the portal for estate agents to manage their offerings. I asked a well-known estate agent of mine who confirmed that my requests would be shown in funda desk. Unfortunately, he did not have any objects at this time on funda, so I used my socials to find an estate agent wanting to help me out;
Within a couple of days, I found an estate agent and explained in short what I had found out. He gave me the opportunity to comment on an object which was for sale. I chose to use the HTML image tag again but now with a valid source; my Twitter profile picture.
This resulted in the following email in my inbox as a confirmation that my comment was received successfully.
The estate agent confirmed to me that he saw the same image in the notification email he received in his inbox. Next, he checked for me in his funda desk account and sent me a picture of what was shown on his screen…
Gotcha! My suspicions about the possibility of performing a Stored XSS attack were confirmed.
Impact
Huge. Being able to perform a Stored XSS attack would make it possible for me to …
- … potentially steal the logged in estate agent’s cookies (session hijacking);
- … show a custom login form which will send the login details to my server (phishing);
- … perform requests for ordering products on funda desk, charging the estate agent;
- … add / update / delete objects on funda desk.
Responsible disclosure
Time to report my findings to funda. I sent them an email on May 15, 2018, telling that I found a Stored XSS vulnerability and asking them if they had a Responsible Disclosure to comply. A few days later, I called them, since I did not get any response on my email yet. The person regularly handling those kinds of things was not in the office, but he would call me back. So it happened, little under an hour later he called me. At first, he sounded calm, but his voice changed to a serious tone after he heard what I had found. He ensured me that a team of people would look into it right away.
On May 25, 2018, I received a letter that they had confirmed my found vulnerability and were busy fixing it in their platform. As a token of appreciation they included a € 50,- bounty.
I want to thank funda for their cooperation and for giving me the opportunity to share this full disclosure with you!