Hi all,

I’ve discovered a Cross-Site Scripting (XSS) vulnerability at ZeroSSL web app (https://app.zerossl.com) which may lead to:


– session hijacking


– stealing a certificate private key, provided ZeroSSL has generated one


– stealing a user account password hash

I’ve first emailed ZeroSSL about the issue on 4 Jan 2023 in the morning, they got back to me the same day at noon and promised they’ll investigate.

The thing is, if ZeroSSL has generated a private key (they do so in their web app, they also have an ACME API but that’s not affected), the user


can download the key repeatedly from their site. The private key is stored encrypted in the app and is decrypted in the browser before it’s being


offered for download in a .zip archive. The decryption key is sha256(password + password), is stored in browser’s local storage and… can also be stolen with JavaScript (that was part of my January proof-of-concept link).

Earlier today, I sent a proof-of-concept (PoC) code that demonstrates how to steal a private key for a domain by clicking a link, provided ZeroSSL


has generated the key. After sending the PoC, they have responded this afternoon that they have fixed the XSS but I believe there may be


some more work for them to do.

First, reading Baseline requirements section 4.9.1.1.16 they may need to revoke some certificates because the proof-of-concept consists


of “a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise”.

Second, their users are still one XSS away from losing their private keys as my private-key-stealing PoC still works (you can


paste it to your browser devtools console to simulate an XSS, or find a different XSS if you will).

I’m not going to share the PoC at least not for now, but it’s less than 1kB of JavaScript which I believe


anyone could write and definitely even better than me.

I’m sending this email to create an informal public record of what happened (I’ve been cc’ing some friends who are also members of this list


so there’s a “private record”, sort of) and would like ZeroSSL to self-report a CA Incident as per https://wiki.mozilla.org/CA/Incident_Dashboard


(emailed them the link and the request to self-report an hour ago).

Seems like this is definitely the most interesting XSS I found so far 🙂 You know, don’t stop at alert(1)…

(For transparency: they offered 500 EUR reward for the bug, thanks!)

Thanks,


Michal




https://www.michalspacek.com


https://twitter.com/spazef0rze

Read More