usd-2022-0051 | Back-Back-Refresh in CPTO 6.3.8.6

Advisory ID: usd-2022-0051
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE 613 - Insufficient Session Expiration
Security Risk: Low
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31292
CVE Link: Pending

Description

An attacker can execute a Back-Back-Refresh attack in order to steal the credentials of a logged-out user. The attack is initiated by an attacker with local access to the victim's computer, who clicks the browser's back button after the victim has logged out. By clicking the "Try Again" and "Resend" buttons on the resulting "Document Expired" page, the attacker can intercept the cached username and password using the browser's Web Developer Tools.

Fix

Users should update CPTO to its current version.
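The root cause behind this class of finding is a login flow that leaves the browser holding a replayable credential POST and cacheable authenticated pages after logout. As an added example that is not CPTO's code and not part of the advisory, the small standard-library WSGI application below shows the three server-side controls that close it: Post/Redirect/Get on login, Cache-Control: no-store on every response, and server-side session invalidation on logout. USERS, SESSIONS, the routes and the call() helper are assumptions made for this example.

```python
import hmac, html, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed demo data (assumptions for this example, not CPTO's own users or sessions).
USERS = {"alice": "correct horse"}   # a real app stores password hashes, not plaintext
SESSIONS = {}                        # server-side session table: sid -> username
NO_STORE = ("Cache-Control", "no-store, max-age=0")   # nothing sensitive lands in the cache

def _sid(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def _redirect(start_response, location, extra=()):
    # 303 makes the browser fetch the target with GET, so the POST never becomes a history
    # entry that "Back" + "Resend" could replay with the submitted credentials.
    start_response("303 See Other", [("Location", location), *extra, NO_STORE])
    return [b""]

def app(environ, start_response):
    method, path, sid = environ["REQUEST_METHOD"], environ["PATH_INFO"], _sid(environ)
    if path == "/login" and method == "POST":
        form = parse_qs(environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode())
        user, password = form.get("user", [""])[0], form.get("password", [""])[0]
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), password.encode()):
            return _redirect(start_response, "/login?err=1")
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        return _redirect(start_response, "/home",
                         [("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")])
    if path == "/logout" and method == "POST":
        SESSIONS.pop(sid, None)              # invalidate server-side, not just the cookie
        return _redirect(start_response, "/login", [("Set-Cookie", "sid=; Max-Age=0; Path=/")])
    if path == "/home":
        if sid not in SESSIONS:              # a stale sid after logout lands here
            return _redirect(start_response, "/login")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"), NO_STORE])
        return [f"<p>Hello {html.escape(SESSIONS[sid])}</p>".encode()]
    start_response("404 Not Found", [NO_STORE])
    return [b""]

def call(method, path, body="", cookie=""):
    """Drive the app in-process (no network) and return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body.encode())}
    out = {}
    def start_response(status, headers):
        out["status"], out["headers"] = status, dict(headers)
    data = b"".join(app(environ, start_response))
    return out["status"], out["headers"], data
```

With a real deployment the same checks apply from the outside: the login POST should answer with a redirect carrying Cache-Control: no-store, and a page requested with a logged-out session cookie should redirect to the login form instead of rendering.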

References

https://owasp.org/www-pdf-archive/Demystifying_Authentication_Attacks.pdf

Timeline

  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Trying to establish contact via phone and email has been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
  • 2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories shall be published without a Proof-of-Concept of the exploits in December.
  • 2022-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.