https://groups.google.com/a/ccadb.org/g/public/c/kqtoGeEv5Fc [logo_group]Groups Conversations All groups and messages [Search conversations][ ] Send feedback to Google Help Sign in Groups CCADB Public Conversations About Privacy * Terms ZeroSSL: XSS leading to session hijacking, stealing a private key (and a password hash) 1521 views Skip to first unread message Michal Spacek's profile photo Michal Spacek unread, 12:06 PM (6 hours ago) 12:06 PM Reply to author Sign in to reply to author Forward Sign in to forward Delete You do not have permission to delete messages in this group Link Report message as abuse Sign in to report message as abuse Show original message Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message to CCADB Public Hi all, I've discovered a Cross-Site Scripting (XSS) vulnerability at ZeroSSL web app (https://app.zerossl.com) which may lead to: - session hijacking - stealing a certificate private key, provided ZeroSSL has generated one - stealing a user account password hash I've first emailed ZeroSSL about the issue on 4 Jan 2023 in the morning, they got back to me the same day at noon and promised they'll investigate. The thing is, if ZeroSSL has generated a private key (they do so in their web app, they also have an ACME API but that's not affected), the user can download the key repeatedly from their site. The private key is stored encrypted in the app and is decrypted in the browser before it's being offered for download in a .zip archive. The decryption key is sha256 (password + password), is stored in browser's local storage and... can also be stolen with JavaScript (that was part of my January proof-of-concept link). Earlier today, I sent a proof-of-concept (PoC) code that demonstrates how to steal a private key for a domain by clicking a link, provided ZeroSSL has generated the key. After sending the PoC, they have responded this afternoon that they have fixed the XSS but I believe there may be some more work for them to do. First, reading Baseline requirements section 4.9.1.1.16 they may need to revoke some certificates because the proof-of-concept consists of "a demonstrated or proven method that exposes the Subscriber's Private Key to compromise". Second, their users are still one XSS away from losing their private keys as my private-key-stealing PoC still works (you can paste it to your browser devtools console to simulate an XSS, or find a different XSS if you will). I'm not going to share the PoC at least not for now, but it's less than 1kB of JavaScript which I believe anyone could write and definitely even better than me. I'm sending this email to create an informal public record of what happened (I've been cc'ing some friends who are also members of this list so there's a "private record", sort of) and would like ZeroSSL to self-report a CA Incident as per https://wiki.mozilla.org/CA/ Incident_Dashboard (emailed them the link and the request to self-report an hour ago). Seems like this is definitely the most interesting XSS I found so far :-) You know, don't stop at alert(1)... (For transparency: they offered 500 EUR reward for the bug, thanks!) Thanks, Michal -- https://www.michalspacek.com https://twitter.com/spazef0rze Reply all Reply to author Forward 0 new messages Search Clear search Close search Google apps Main menu