UbiSoft - Store MiTM Vulnerability

Finding

UbiSoft have an online store which allows one to purchase their games. However a vulnerability was found which allow for an attacker with Man in The Middle (MiTM) to alter the login page when a user check's out their purchase.

Since the store was initially servered over plain HTTP, and attacker with MiTM would be able to alter the content on the page. When a user has finished selecting their items for purchase, they have the option to view their cart, of which the link is to https://store.ubi.com/uk/checkout:

ubisoft1-1

However an attacker can change the link to http://store.ubi.com/uk/checkout:

ubisoft2-1

This took the victim to the checkout page over plain HTTP. One of the calls made when loading the checkout page is a call to what appears to be a REST service, http://store.ubi.com/on/demandware.store/Sites-uk_ubisoft-Site/en_GB/UPlayConnect-GetAPISettingsJson. The response contains the URLs to call for the login iFrame on the next page:

ubisoft3

The attacker could alter these URLs to instead load their spoofed login page:

ubisoft4

And then rendered in the user's browser:

ubisoft5

Another exmaple showing a different "spoofed login details" section:

ubisoft6

Resolution

Issue has been resolved.

Vendor Notification

  • 20 December 2017 - Contacted UbiSoft via Twitter asking for appropriate channel to report security issue.
  • 20 December 2017 - Received response from UbiSoft and passed appropriate details onto the vendor.
  • 21 December 2017 - Informed by UbiSoft the issue was verified and team would be working on a fix.
  • 11 January 2018 - Prompted for an update, none received.
  • 17 January 2018 - Prompted again for an update, none received.
  • 30 January 2018 - Confirmation from UbiSoft that the issue has been resolved.
Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.