A security researcher who goes under the name ‘tomoh’ uncovered two critical cross-site request forgery flaws in Khan Academy website.
The first vulnerability
The first vulnerability could allow an attacker to take over accounts that were created using the Google or Facebook login option.
The researcher noted that when an account is created using the Google or Facebook login option, and an additional password is not set, the attackers can reset their password via CSRF and take over the account.
The second vulnerability
The second vulnerability could allow attackers to take over an unconfirmed account. This vulnerability stemmed from the flaw in the endpoint that allows users to change their email before they confirm their account email.
This implies that an attacker could obtain a new email address not associated with a Khan Academy account, then lure another Khan Academy user to visit a URL linking to a page, that could then send a post request to the (/signup/email) endpoint for a password reset.
And since the endpoint is not protected from CSRF, an attacker could initiate password reset and takeover an unconfirmed account.
“And since unconfirmed users can participate in most activities on the website, this could lead to leakage of personal info. Since this [account takeover] does not require any knowledge of the user’s email address or KAID, it would become possible to launch large-scale attacks by posting malicious links on forums or other places on the internet that KA users would visit,” the researcher described.
Both the vulnerabilities were reported via Khan Academy’s HackerOne bug-bounty program. Khan Academy fixed both the vulnerabilities by adding a CSRF token check to the password-change request.
"We take these matters seriously and our team moves swiftly and decisively to investigate and resolve issues as quickly as possible. We will continue to take all appropriate measures to ensure the highest integrity of our systems to protect the data of our learners, volunteers, partners and other stakeholders,” a spokesperson for Khan Academy said, Threat Post reported.