A Data Exfiltration Attack Scenario: The Porsche Experience

2023-07-28 11:48

What we found is an attack scenario that results from chaining security issues found on different Porsche's assets, a website and a GraphQL API, that could lead to data exfiltration.

Typically, to be able to perpetrate a CSRF attack from an attacker's-controlled website the victims' web browsers must automatically include the jwtToken cookie in the API requests.

Any website served from a subdomain of porsche.com using HTTPS is considered "Same Site", and the jwtToken is automatically included by web browsers in requests to the API. Then, all we need to exfiltrate data from the API is to find a way to lead a Porsche website to issue API requests to our target API, sending the response to a server controlled by us.

To exfiltrate data from the API to a remote server, controlled by us, we needed a more complex JavaScript logic.

To make the attack a bit sturdier, after that we will redirect the browser to the Porsche Experience website.

Although this proof-of-concept focuses on profile data exfiltration the loaded JavaScript script could include other logic to retrieve additional data from the GraphQL API or perform actions on victims' behalf.

News URL

https://thehackernews.com/2023/07/a-data-exfiltration-attack-scenario.html

#attack #exfiltration