Most of the information in this post is taken from a write-up published by STR on their Medium blog, but it remains relevant and worth noting, especially for those in the online marketing industry. That write-up, describing an information disclosure vulnerability, was written by Ben Van Vliet, a computer security researcher and Microsoft MVP. It was originally published on the 16th of May, 2019, with the aim of informing online businesses how their online account manager systems can be exploited to gain unauthorized access to their accounts. The vulnerability Ben discovered lets attackers reach account management systems, where they can change account settings and make other changes to the business's account. Because these changes are made without the account holder's permission, they can lead to the business receiving scam emails, having fraudulent charges made on its accounts, and other problems.
What is an Account Manager?
An account manager is a software system that lets a company manage its employees' online accounts. Such systems can also be used to send email, edit documents, and even manage the business's social media profiles.
What is a Managed Account?
A managed account is a type of account that is owned and maintained by an external organization on the business's behalf. This means the business does not maintain all of the managed account's settings itself, but leaves that to the external organization.
This vulnerability can be exploited by attackers who gain unauthorized access to a managed account's settings pages. From there, the attacker can change settings such as email settings, shipping addresses, billing addresses, or other sensitive information, whether reached via the account's password reset page or through another vulnerability.
Background Information
"If you use the web, chances are good that you've been a victim of account takeover. These hacks can occur when attackers gain access to an organization's login credentials and then change settings on the account without authorization. They can also send fraudulent emails, make changes to accounts that result in charges being made or payments being requested, and more."
How Online Account Manager Systems Can Be Exploited
Online account manager systems are the main way businesses manage their social media, email, and other accounts. They are typically accessed through a web portal where the business can monitor its accounts. If a business allows third-party logins to these portals, an attacker who obtains such a login could enter the account management system and make changes without any authorization from the account holder.
What is the Account Manager Vulnerability?
The vulnerability Ben discovered lies in how online account managers allow changes to be made to accounts. Ben noticed that many online marketing companies, and many other businesses, use account managers to handle their customer service needs and to make frequent changes to customer accounts, including changes to password policies and other account settings. Unfortunately, there appeared to be no control over when, or by whom, these changes could be made, which is what an attacker could exploit.
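The weakness described in the two sections above is the absence of a control on who may change sensitive account settings and when. As an added illustration, not code from the original post or from any product it describes, the following hypothetical settings-change gate distinguishes the account owner's session from a delegated (third-party or manager) session, requires a recent re-authentication from the owner before a sensitive setting is touched, and audits every attempt so that refused changes from delegated sessions can be detected. The session model, setting names and re-auth window are assumptions.

```python
"""Authorization gate for sensitive account-settings changes (added example).

Hypothetical model: a session is either the account owner's or a delegated
third-party/manager session. Sensitive settings may only be changed by the
owner within a short window after re-entering credentials, and every attempt,
allowed or refused, is written to an audit log.
"""
from dataclasses import dataclass, field
from typing import List

# Settings the post names as targets: contact email, shipping/billing
# addresses and password policy. Changing any of them needs owner step-up.
SENSITIVE_SETTINGS = {"email", "shipping_address", "billing_address", "password_policy"}
REAUTH_WINDOW_SECONDS = 300  # assumed: owner must have re-authenticated within 5 minutes


@dataclass
class Session:
    user_id: str
    account_id: str
    is_owner: bool        # False for delegated / third-party manager logins
    last_reauth: float    # epoch seconds of the last fresh credential check, 0 if never


@dataclass
class SettingsStore:
    settings: dict
    audit_log: List[str] = field(default_factory=list)

    def change_setting(self, session: Session, key: str, value: str, now: float) -> bool:
        """Apply a change only when the session is authorized for it.

        Returns True if the change was applied, False if it was refused.
        Both outcomes are logged; a run of DENY lines from one delegated
        session is the signal a defender would alert on.
        """
        if key in SENSITIVE_SETTINGS:
            if not session.is_owner:
                self.audit_log.append(f"DENY delegated session {session.user_id} tried to change {key}")
                return False
            if now - session.last_reauth > REAUTH_WINDOW_SECONDS:
                self.audit_log.append(f"DENY owner {session.user_id} changing {key} without recent re-auth")
                return False
        self.settings[key] = value
        self.audit_log.append(f"ALLOW {session.user_id} set {key}")
        return True
```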
Timeline
Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/11/2022 19:16:00 UTC