Skip to main content

CBSSports.com Horizontal Access Control Bypass (Trading Block)

Summary
=========
The CBSSports.com fantasy sports sites did not properly
enforce access control between user accounts at the same privilege level within
the application. This behavior could be leveraged by an attacker to send Trading
Block notifications containing an opposing team’s player without the opposing
team’s interaction, knowledge, or consent. 
 

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 08/25/2013
Vendor fixed: 09/26/2013
Credit: Christopher Emerson of White Oak Security (https://www.whiteoaksecurity.com/)

 Affected Products
=================
Confirmed in CBS Sports Fantasy Football and Fantasy Baseball
properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites
allow authenticated users to perform sensitive actions without verifying that
the user actually invoked the actions.
 
In this instance, a CBSSports.com customer can submit requests to the
application on behalf of other legitimate users
    .

Impact
=======
A malicious user could send Trading Block notifications
containing an opposing team’s player without the opposing team’s interaction,
knowledge, or consent.
  This notification
does not originate from the legitimate user’s account, but from the malicious
user’s account.

 Solution
======== 
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept
================
The following URL is
included as a Proof-of–Concept (PoC). The PoC is designed to execute when a
malicious user clicks on the following link
 

To reproduce this in your own environment, the proof of concept will need to be modified as detailed below.

http://vanilla.baseball.cbssports.com/transactions/trade/block-data/1796123/-1/-1/-1/-1/1

  1. Change the URL to the target league.
  2. Change the value to the player’s ID number (e.g., 1796123 for Jurickson Profar)

This link, when clicked by
a malicious user who currently has an authenticated session to the CBS Sports fantasy
league, will update the malicious user’s Trade Block with the targeted player,
even if they do not own said player
.

The site’s Trading Block
will not display the target player if the malicious user does not own the
target player, but email notification updates to league members will include
the target player
.

Here is a copy of what the request would look like when the malicious user clicks on the link:

GET /transactions/trade/block-data/1796123/-1/-1/-1/-1/1 HTTP/1.1
Host: vanilla.baseball.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Accept: */*
Referer: http://vanilla.baseball.cbssports.com/transactions/trade?selected_app_id=CBS1019
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: <redacted>

Disclosure Timeline
==================
August 25, 2013: Disclosed to vendor (CBS Corporation).
August 26, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible
Disclosure policy was being drafted.
September 26, 2013: Confirmed successful vendor remediations.
September 26, 2013: Received vendor’s Responsible Disclosure Policy.
September 30, 2013:  Disclosed vulnerability publicly