Earlier this year I was working on a MailChimp integration for my "Real Job" and spent the evening poking around their application. I found a few small things that, when combined, allow a man-in-the-middle to view a user's entire MailChimp account data (including lists of their subscribers and campaigns).
Cross Site Request Forgery
I first noticed that the account data export endpoint had no CSRF protections. The following HTML, served from any website, would trigger an export for users who are logged into MailChimp.
<img src='https://us9.admin.mailchimp.com/account/export-confirm' />
Endpoints that change state should use CSRF protections to validate that requests were the result of an authentic, user-initiated action.
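The following is an added example, not MailChimp's code: a hypothetical minimal request/session model showing why a GET endpoint that changes state slips past typical CSRF middleware (which skips "safe" methods), and how restricting the endpoint to POST plus a session-bound token closes the hole.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods CSRF middleware usually skips


@dataclass
class Request:
    """Hypothetical minimal request; cookies have already resolved to a session."""
    method: str
    path: str
    session: dict  # the victim's own session, sent automatically by the browser
    form: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Bind a random token to the session; the legitimate form embeds it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_ok(request: Request) -> bool:
    """Typical middleware: safe methods are assumed read-only and not checked."""
    if request.method in SAFE_METHODS:
        return True
    expected = request.session.get("csrf_token", "")
    supplied = request.form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def handle_export_confirm(request: Request, allowed_methods: set) -> tuple:
    """Export endpoint; returns (status, export_started).

    allowed_methods={"GET", "POST"}: a cross-site <img> GET carries the victim's
    cookies, passes the middleware unchecked and queues the export.
    allowed_methods={"POST"}: the GET is refused, and a forged POST fails the
    token check because a third-party page cannot read the session-bound token.
    """
    if request.method not in allowed_methods:
        return 405, False
    if not csrf_ok(request):
        return 403, False
    return 200, True  # export job queued for the session's account
```

Run with a shared session dict standing in for the victim's cookie session: the same forged GET returns (200, True) when GET is allowed and (405, False) once the endpoint is POST-only.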
Once an account export job has completed, an email is sent to the user that contains a link to a ZIP file with their data. The link...
does a 302 redirect to...
The file is actually served over HTTP even though the MailChimp link was HTTPS. This allows a MITM to view all data from the account export.
export-fetch URL should redirect to the HTTPS variant for Amazon S3 URLs:
Putting it together
I noticed that the link to download the export (
HTTP page was able to trigger an account export and an automatic download of the ZIP over
- CSRF protections are necessary on all endpoints that change state. This is actually a fairly easy mistake to make even with modern web frameworks that have built-in CSRF protections.
- HTTPS all the things!
- I got a sweet laptop sticker and a mention on their whitehat hall of fame. Thanks MailChimp!