Security hole found in Foursquare

Written by: Peter Fisher on March 17, 2013

I’ve just found what I believe to be a security hole on the social location site foursquare.com. This security hole will allow an attacker who has access to a compromised mailbox to impersonate the foursquare user without changing their password.

How to do this:

  1. Get hold of someone’s mailbox
  2. Go to the change password form on Foursquare
  3. Fill out the target’s email address and press submit
  4. When the reset password email is sent to the mailbox, copy the reset link and delete the email – you don’t want the target to know that you have requested a password reset on their behalf
  5. Go to the link you copied. Click on the arrow in the top right (by the person’s name, as shown below). Boom, you haven’t altered the password and yet you can impersonate the user.

Impersonating a Foursquare user without resetting their password.

 

I was able to do everything a logged-in user could do, including altering the user’s settings, viewing their user ID and changing their privacy settings. There is no check to see if the hacker has actually logged in or if they have completed the password reset.

This worries me as I am not a hacker. In fact, I came across this issue by accident when I forgot my own password. I have worked in places that would not tolerate how open this back door is. The questions that spring to mind are 1) if this simple check is not in place, then what other security measures are they lacking, and 2) when was Foursquare’s last pen test? Why should a user find this instead of a professional pen tester?

I have tried this on my own account from two computers, both of which allowed me to get in and alter things.

How to Fix it

  1. Check that the password has been successfully reset before allowing the user to do anything else.
  2. Remove the dropdown menu until a user has actually logged in.
  3. When a user wants to change any personal settings about their account, get them to include their current password in the request.
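
A sketch of fixes 1 and 3, and the server-side counterpart of fix 2, added here as an illustration and not Foursquare's code or the author's: the reset token can only set a new password, it is never a session, and settings changes re-check the current password. The `Accounts` class, its method names, the in-memory storage and the 15-minute `RESET_TTL` are assumptions.

```python
import hashlib, hmac, os, secrets
RESET_TTL = 900  # seconds; assumed lifetime of a reset link

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:  # hypothetical in-memory model, not Foursquare's code
    def __init__(self):
        self.users, self.resets, self.sessions = {}, {}, {}

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "pw": _hash(password, salt), "privacy": "public"}

    def _check(self, email, password):
        u = self.users.get(email)
        return u is not None and hmac.compare_digest(u["pw"], _hash(password, u["salt"]))

    def login(self, email, password):  # the only code path that creates a session
        if not self._check(email, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def request_reset(self, email, now):
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL)
        return token  # e-mailed to the user; never stored in self.sessions

    def complete_reset(self, token, new_password, now):
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
        if entry is None or now > entry[1]:
            return False
        salt = os.urandom(16)
        self.users[entry[0]].update(salt=salt, pw=_hash(new_password, salt))
        # Fix 1: no session is issued here and old ones are dropped.
        self.sessions = {s: e for s, e in self.sessions.items() if e != entry[0]}
        return True

    def change_privacy(self, sid, current_password, value):
        # Fix 3: a session alone is not enough; re-check the current password.
        email = self.sessions.get(sid)
        if email is None or not self._check(email, current_password):
            return False
        self.users[email]["privacy"] = value
        return True
```

With this shape, someone holding only the reset link has to set a new password and then log in with it, which locks the real owner out of the old password and makes the takeover visible to them.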

Edit: Foursquare has got back to me via Twitter: https://twitter.com/4sqSupport/status/313701576789327872. Hopefully they will sort the issue.


Peter Fisher is a web developer working in Gloucester, UK. Founder of the digital agency Websomatic, author of this blog and the HowToCodeWell YouTube channel. Peter has over ten years of web development experience under his belt.
