Hi all,
I've discovered a Cross-Site Scripting (XSS) vulnerability at ZeroSSL web app (https://app.zerossl.com) which may lead to:
- session hijacking
- stealing a certificate private key, provided ZeroSSL has generated one
- stealing a user account password hash
I've first emailed ZeroSSL about the issue on 4 Jan 2023 in the morning, they got back to me the same day at noon and promised they'll investigate.
The thing is, if ZeroSSL has generated a private key (they do so in their web app, they also have an ACME API but that's not affected), the user
can download the key repeatedly from their site. The private key is stored encrypted in the app and is decrypted in the browser before it's being
offered for download in a .zip archive. The decryption key is sha256(password + password), is stored in browser's local storage and... can also be stolen with JavaScript (that was part of my January proof-of-concept link).
Earlier today, I sent a proof-of-concept (PoC) code that demonstrates how to steal a private key for a domain by clicking a link, provided ZeroSSL
has generated the key. After sending the PoC, they have responded this afternoon that they have fixed the XSS but I believe there may be
some more work for them to do.
First, reading Baseline requirements section 4.9.1.1.16 they may need to revoke some certificates because the proof-of-concept consists
of "a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise".
Second, their users are still one XSS away from losing their private keys as my private-key-stealing PoC still works (you can
paste it to your browser devtools console to simulate an XSS, or find a different XSS if you will).
I'm not going to share the PoC at least not for now, but it's less than 1kB of JavaScript which I believe
anyone could write and definitely even better than me.
I'm sending this email to create an informal public record of what happened (I've been cc'ing some friends who are also members of this list
so there's a "private record", sort of) and would like ZeroSSL to self-report a CA Incident as per https://wiki.mozilla.org/CA/Incident_Dashboard
(emailed them the link and the request to self-report an hour ago).
Seems like this is definitely the most interesting XSS I found so far :-) You know, don't stop at alert(1)...
(For transparency: they offered 500 EUR reward for the bug, thanks!)
Thanks,
Michal
--
https://www.michalspacek.com
https://twitter.com/spazef0rze
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/909978403.20230119174530%40michalspacek.cz.
Also to confirm their system generates a private key/certificate on the server and then offers it up as a ZIP file for download correct?
If the Subscriber Certificate will contain an extKeyUsage extension containing either the values id-kp-serverAuth [RFC5280] or anyExtendedKeyUsage [RFC5280], the CA SHALL NOT generate a Key Pair on behalf of a Subscriber, and SHALL NOT accept a certificate request using a Key Pair previously generated by the CA.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CABqVa396K26Lwr-AH5yvZh9y-JphU9dHAnUrn_bKd2rp2j6nsw%40mail.gmail.com.
Hello all,
There may be some confusion about who ZeroSSL is, which should probably be cleared first. To my best knowledge, ZeroSSL is not a certificate authority. Rather, they appear to be a reseller for Sectigo. I can not say this for certain, but based on experiments I presume that:
- ZeroSSL's (intermediate) certificate and corresponding key material is owned and controlled by Sectigo. It is listed as one of their certificates in scope for audit and CP/CPS: https://github.com/sectigo/ca_certificate_lists/blob/main/audit/list_for_audit.csv
- Domain validation for "ZeroSSL-issued" certificates is
performed by Sectigo as well. CAA records for ZeroSSL have to
include only Sectigo. In addtion, some IP addresses used by
ZeroSSL's ACME HTTP-01 validation originate from AS48447 / Sectigo
Limited.
If this is correct, any key material generated by ZeroSSL is not
generated by a CA and hence not a BR violation. If ZeroSSL is not
a CA, they might also not monitor this list, nor may they be able
to open a CA incident report. In this case, any CA concerns would
have to be directed to the CA, Sectigo.
Thanks,
Max
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O9eSAkssoD%3Dtq-PqdKAbeB7ZbQ6_WCUbnkFa7GBe7wrRA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/aeef5be8-cb21-2350-d714-4cf171da11bc%40germancoding.com.
All, we’re just acknowledging that Sectigo is aware of this thread and monitoring it. We are in touch with ZeroSSL and will follow up with a more detailed response from our end in the first half of next week.
All,
We have been following this thread and have also been in direct contact with ZeroSSL since this report became public.
With all that has been discussed, we are satisfied with the way ZeroSSL has been handling this vulnerability, investigation and disclosure.
Since the method of key generation has been discussed in the past, we do not believe there is any need for us to take action at this time.
Regards,
Martijn