On the day that the company started a PR push for the Zscaler Application Profiler (ZAP), using a Cross-Site Scripting (XSS) flaw discovered in ESPN’s ScoreCenter mobile application as a case study, an email started circulating detailing an XSS flaw on Zscaler’s very own website.
On Friday afternoon, SecurityWeek received an anonymous email from someone who discovered an XSS flaw in the password reset function of Zscaler’s website.
Zscaler is a San Jose, California-based company that provides cloud-based security to enterprises.
“Today zScaler released a press release concerning cross-site scripting (XSS) vulnerabilities on the ESPN website. zScaler is ignoring the proverb that those who live in glass houses shouldn't throw stones,” says the email, quoted here in an unedited form.
“Despite their claims of 'Secure. Everywhere', zScalers own service contains multiple similar vulnerabilities to those they highlight on ESPN. The most egregious of these is a trivial cross-site scripting vulnerability on the zScaler login page. Using this vulnerability allows for the theft of zScaler sessions, and combined with another undisclosed vulnerability in their site can be used to steal login credentials for any of zScalers 10 million users worldwide.”
We cannot confirm the email’s claim about the number of potentially exposed customers, or the ability to steal credentials, since the demonstrated XSS likely exposes only basic user accounts on the main domain, but the flaw itself is valid.
Zscaler’s website says that it currently secures 10 million users in 180 countries, and that more than 3,500 global enterprises use its cloud solutions.
SecurityWeek contacted Zscaler, which did acknowledge the vulnerability, but downplayed the danger that it brings.
"Zscaler tested the link and can confirm that the page identified does contain a reflected XSS vulnerability," Michael Sutton, VP of Security Research at Zscaler told SecurityWeek.
"Fortunately, it is on a pre-auth page for a domain that is part of the login process, not the admin console, therefore exploitation of the XSS would not allow an attacker to obtain the authentication cookie of a Zscaler customer," Sutton explained. "We appreciate having this brought to our attention."
However, the anonymous tipster claims otherwise.
"The vuln below has been used and proven to work at stealing end-user post-login cookies," the anonymous individual wrote in an email exchange with SecurityWeek. "This cookie allows us to access the zScaler servers as another user, and as they do not require re-authentication at regular intervals will work likely for a long time for any user."
"The page is pre-auth, but can be used post-auth," the email continued. "Exactly like the ESPN XSS they published which was on the pre-auth login page."
The individual outing Zscaler said he had planned to notify the company under responsible disclosure, but Zscaler's own public disclosure of ESPN's mobile app vulnerability prompted him to go public instead.
"ZScaler was to be notified of these issues following Responsible Disclosure rules, but them releasing a press release regarding similar vulnerabilities in another site could be ignored and shows their disinterest in following standard security industry practices," the email said.
Zscaler says it notified ESPN on Wednesday, but it disclosed the vulnerability in its blog post before ESPN had fixed it; Zscaler says the ESPN flaw was fixed on Friday.
The pictures below show the XSS vulnerability in action.
It’s clear from the content that the anonymous email was intentionally delivered on the same day that Zscaler started promoting their mobile scanning application ZAP.
In an attempt to embarrass the company, the email quotes an interview given by Sutton, to CRN, where he addresses XSS flaws by calling them Security 101.
“These are just really simple coding errors. A lot of this stuff is Security 101,” Sutton told CRN. “Everyone is worried about malware and malicious applications, but the real threat is the app that is poorly coded and we are blindly trusting it while it's placing our privacy at risk.”
The question, then, is why Zscaler’s own security tools and development checks missed this rather common flaw, in a Web function that is routinely targeted by this exact type of attack. Most, if not all, application security checks cover password reset functions as a rule, or at the very least include them in a scan of user input validation.
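To make the point concrete, here is an added example (written for this article, not Zscaler's code, and the reset page it models is hypothetical) of the kind of check an application security scan applies to a password reset page: a handler that reflects the email parameter into HTML unescaped, the same handler with output encoding, a canary-based test that tells the two apart, and a check that the session cookie carries the flags that keep page scripts from reading it.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote

# Constructed canary: a double quote plus an angle bracket, the two characters a
# reflected-XSS scan watches for when a parameter is echoed into an HTML attribute.
CANARY = '"<canary>'

# Constructed sample query strings for the hypothetical /reset page.
SAMPLE_QUERIES = {
    "benign": "email=alice%40example.com",
    "canary": "email=" + quote(CANARY, safe=""),
}


def _email_param(query: str) -> str:
    """Pull the email parameter out of a raw query string (empty string if absent)."""
    return parse_qs(query, keep_blank_values=True).get("email", [""])[0]


def render_reset_vulnerable(query: str) -> str:
    """Hypothetical reset page that reflects the parameter straight into an attribute."""
    email = _email_param(query)
    return (
        '<form method="post" action="/reset">'
        f'<input name="email" value="{email}">'
        "</form>"
    )


def render_reset_hardened(query: str) -> str:
    """Same page with the parameter HTML-entity-encoded; quote=True covers attribute context."""
    email = _email_param(query)
    return (
        '<form method="post" action="/reset">'
        f'<input name="email" value="{html.escape(email, quote=True)}">'
        "</form>"
    )


def reflects_unescaped(render, param_value: str = CANARY) -> bool:
    """Scanner check: does the page echo the raw canary back without encoding it?"""
    page = render("email=" + quote(param_value, safe=""))
    return param_value in page


def session_cookie_is_hardened(set_cookie_header: str, name: str = "session") -> bool:
    """Mitigation check: the session cookie should carry HttpOnly and Secure so that
    script running in the page cannot read it and it is never sent in the clear."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return False
    return bool(morsel["httponly"]) and bool(morsel["secure"])


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_reset_vulnerable),
                            ("hardened", render_reset_hardened)):
        print(f"{label}: reflects canary unescaped = {reflects_unescaped(renderer)}")
        print("  ", renderer(SAMPLE_QUERIES["canary"]))
    # Constructed Set-Cookie headers: one hardened, one not.
    print(session_cookie_is_hardened("session=abc123; HttpOnly; Secure; Path=/"))
    print(session_cookie_is_hardened("session=abc123; Path=/"))
```

The canary deliberately contains no script; the check only needs to see whether a quote and an angle bracket survive the round trip unencoded, which is exactly the condition that lets user input break out of the attribute. Encoding on output is the fix for the reflection itself; the cookie flags are the defence-in-depth layer that limits what a script could take even if a reflection is missed.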
As a SecurityWeek reader pointed out, this isn't the first time Zscaler has had an XSS vulnerability with their site. In May 2012, a security researcher found a similar vulnerability with Zscaler's web site, which the researcher did notify them of under responsible disclosure.
Even though the code was vulnerable, Zscaler’s cloud service would hopefully prevent the attack from succeeding against its own customers.
The issue will be addressed tonight in a code update, Sutton said.
Updated 5:03PM ET to add additional commentary from anonymous source.
Updated 7:19PM ET to add additional commentary from anonymous source and Zscaler.
Updated 01/19 9:48AM ET to add details of previous XSS vulnerability pointed out by a SecurityWeek reader.