I’ve just found what I believe to be a security hole on the social location site foursquare.com. This security hole will allow an attacker who has access to a compromised mailbox to impersonate the Foursquare user without changing their password.
How to do this:
- Get hold of someone’s mailbox.
- Go to the change-password (password reset) form on Foursquare.
- Fill in the target’s email address and press submit.
- When the reset-password email arrives in the mailbox, copy the reset link and delete the email. You don’t want the target to know that a password reset has been requested on their behalf.
- Go to the link you copied. Click on the arrow in the top right (next to the person’s name, as shown below). Boom: you haven’t altered the password, and yet you can impersonate the user. The link alone is being treated as a login, before any new password has been set.
I was able to do everything a logged-in user could do, including altering the user’s settings, viewing their user ID and changing their privacy settings. There is no check to see if the hacker has actually logged in or if they have completed the password reset.
This worries me, as I am not a hacker. In fact I came across this issue by accident when I forgot my own password. I have worked in places that would not tolerate how open this back door is. The questions that spring to mind are: 1) if this simple check is not in place, then what other security measures are they lacking? and 2) when was Foursquare’s last pen test? Why should a user find this instead of a professional pen tester?
I have tried this on my own account from two computers. Both of which allowed me to get in and alter things.
How to Fix it
- Treat the reset link as authorisation to set a new password and nothing else. Do not create a logged-in session until the new password has actually been saved; until then the only page the visitor should be able to reach is the “choose a new password” form.
- Do not render the account dropdown menu (or any other logged-in UI) until the user has actually logged in, either with their password or by completing the reset.
- When a user wants to change any personal settings about their account (email address, privacy settings and so on), require their current password in the same request, so that neither a half-finished reset nor a hijacked session cookie is enough on its own.
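The following is an added example, not Foursquare’s code, showing the weak pattern described above next to the fixed flow in one small in-memory account service. It goes slightly beyond the three fixes in the list: the reset token is stored hashed, expires, is burned once used, and completing a reset revokes every other session for the account. The store, e-mail addresses, passwords and 15-minute lifetime are all constructed for the demonstration.

```python
"""Password-reset flow: weak pattern beside a hardened one (added example, constructed data)."""
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60        # assumed policy: reset links are valid for 15 minutes
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_digest(token: str) -> str:
    # Only a digest of the e-mailed token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) -> (email, expires_at)
        self.sessions = {}       # session id -> {"email": str, "scope": "full" | "reset"}

    def create_user(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt)}

    def check_password(self, email, password):
        u = self.users[email]
        return hmac.compare_digest(u["hash"], hash_password(password, u["salt"]))

    def request_reset(self, email):
        """Return the token that would be placed in the e-mailed link."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token_digest(token)] = (email, self.clock() + RESET_TTL)
        return token

    def _session(self, email, scope):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": email, "scope": scope}
        return sid

    def _valid_token(self, token):
        entry = self.reset_tokens.get(token_digest(token))
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]

    # --- the pattern the post describes: the link itself is a login -------------------
    def visit_reset_link_vulnerable(self, token):
        """Following the link issues a full session. The password never changes and the
        token stays valid, so reading the mailbox is a silent account takeover."""
        email = self._valid_token(token)
        if email is None:
            raise PermissionError("bad or expired token")
        return self._session(email, "full")

    # --- hardened flow: the link only opens a password-change step ---------------------
    def visit_reset_link(self, token):
        email = self._valid_token(token)
        if email is None:
            raise PermissionError("bad or expired token")
        return self._session(email, "reset")   # can do exactly one thing: complete_reset

    def complete_reset(self, sid, token, new_password):
        sess = self.sessions.get(sid)
        email = self._valid_token(token)
        if sess is None or sess["scope"] != "reset" or email is None or sess["email"] != email:
            raise PermissionError("reset not in progress")
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(new_password, salt)}
        # Single use: burn every outstanding token for the account and drop every existing
        # session, so anyone who was already logged in (attacker included) is kicked out.
        self.reset_tokens = {d: v for d, v in self.reset_tokens.items() if v[0] != email}
        self.sessions = {s: v for s, v in self.sessions.items() if v["email"] != email}
        return self._session(email, "full")

    def update_settings(self, sid, current_password, **changes):
        """Sensitive settings need a full session *and* the current password."""
        sess = self.sessions.get(sid)
        if sess is None or sess["scope"] != "full":
            raise PermissionError("login required")
        if not self.check_password(sess["email"], current_password):
            raise PermissionError("current password required")
        return {"email": sess["email"], **changes}


def demo():
    """Walk both flows with a constructed victim account and return what each allowed."""
    r, email, old_pw = {}, "victim@example.com", "correct horse"

    svc = AccountService()
    svc.create_user(email, old_pw)
    token = svc.request_reset(email)               # attacker copies this from the mailbox
    sid = svc.visit_reset_link_vulnerable(token)
    r["weak_link_gives_full_session"] = svc.sessions[sid]["scope"] == "full"
    r["weak_old_password_still_works"] = svc.check_password(email, old_pw)
    r["weak_token_still_valid"] = svc._valid_token(token) == email

    svc = AccountService()
    svc.create_user(email, old_pw)
    token = svc.request_reset(email)
    sid = svc.visit_reset_link(token)
    try:
        svc.update_settings(sid, old_pw, privacy="public")
        r["hardened_settings_before_reset"] = "allowed"
    except PermissionError:
        r["hardened_settings_before_reset"] = "denied"
    full_sid = svc.complete_reset(sid, token, "new pw 12345")
    r["hardened_token_single_use"] = svc._valid_token(token) is None
    r["hardened_reset_session_revoked"] = sid not in svc.sessions
    r["hardened_old_password_rejected"] = not svc.check_password(email, old_pw)
    r["hardened_settings_after_reset"] = svc.update_settings(full_sid, "new pw 12345", privacy="public")["privacy"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The key difference is the `scope` field on the session: a visitor who arrived via the reset link holds a `reset` session that `update_settings` rejects outright, and a `full` session only exists once `complete_reset` has stored a new password hash. Requiring the current password on settings changes is the third fix from the list and is what stops a stolen cookie from being enough on its own.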
Edit: Foursquare has got back to me via Twitter https://twitter.com/4sqSupport/status/313701576789327872. Hopefully they will sort the issue