CBSSports.com Horizontal Access Control Bypass (Trading Block)

Summary
=========
The CBSSports.com fantasy sports sites did not properly enforce access control between user accounts at the same privilege level within the application. This behavior could be leveraged by an attacker to send Trading Block notifications containing an opposing team's player without the opposing team’s interaction, knowledge, or consent.  

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 08/25/2013
Vendor fixed: 09/26/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

 Affected Products
=================
Confirmed in CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the user actually invoked the actions.  In this instance, a CBSSports.com customer can submit requests to the application on behalf of other legitimate users    .

Impact
=======
A malicious user could send Trading Block notifications containing an opposing team's player without the opposing team’s interaction, knowledge, or consent.  This notification does not originate from the legitimate user's account, but from the malicious user's account.

 Solution
======== 
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept
================
The following URL is included as a Proof-of–Concept (PoC). The PoC is designed to execute when a malicious user clicks on the following link 

To reproduce this in your own environment, the proof of concept will need to be modified as detailed below.

http://vanilla.baseball.cbssports.com/transactions/trade/block-data/1796123/-1/-1/-1/-1/1

  1. Change the URL to the target league.
  2. Change the value to the player’s ID number (e.g., 1796123 for Jurickson Profar)

This link, when clicked by a malicious user who currently has an authenticated session to the CBS Sports fantasy league, will update the malicious user's Trade Block with the targeted player, even if they do not own said player.

The site's Trading Block will not display the target player if the malicious user does not own the target player, but email notification updates to league members will include the target player.

Here is a copy of what the request would look like when the malicious user clicks on the link:

GET /transactions/trade/block-data/1796123/-1/-1/-1/-1/1 HTTP/1.1
Host: vanilla.baseball.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Accept: */*
Referer: http://vanilla.baseball.cbssports.com/transactions/trade?selected_app_id=CBS1019
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: <redacted>

Disclosure Timeline
==================
August 25, 2013: Disclosed to vendor (CBS Corporation).
August 26, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible
Disclosure policy was being drafted.
September 26, 2013: Confirmed successful vendor remediations.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013:  Disclosed vulnerability publicly

Christopher Emerson