The following describes a long-standing and common implementation flaw in online affiliate programs that allows for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to let third parties (website owners) direct traffic to their site in exchange for a share of the profits from user purchases. Most view affiliate programs as a great way to monetize their traffic by strategically placing a few links on their sites.
Affiliate programs generally operate by associating a web visitor with a particular affiliate once the visitor has followed a custom link provided by the affiliate. This custom link contains some sort of identifier that tells the site how the traffic was directed to it. After the link is visited, an association is made (typically via a cookie) with that user's session on the destination site. The association might last anywhere from a few minutes to a month, depending on the business requirements of the program. Upon purchase/checkout, the affiliate is credited for the transaction. The basic use case is as follows:
- Affiliate signs up with AffiliateProgramA and is supplied with a unique link to place on their website 'http://coolsite' (e.g. http://shop/item?id=123&affiliateid=123).
- A user visits 'http://coolsite' and clicks the link http://shop/item?id=123&affiliateid=123.
- If the user buys something on the 'shop' website, the affiliate earns either a percentage or a flat rate.
A common mistake
If you're unfamiliar with what Cross-Site Request Forgery (CSRF) is, I suggest reading this FAQ. As you know by now, a CSRF vulnerability involves an attacker tricking a user's browser into sending a request to an application, and that request performs some function on the user's behalf. Most of the time the vulnerable application exposes static URLs that are easy for the attacker to guess, which is what lets them construct the forged request. With affiliate programs, the vulnerability lies in how the program associates an affiliate with the user's session: if that association is made directly on the landing page of the custom URL, there's a good chance the program is vulnerable.
The attack use case hinges on the way affiliate programs carry the affiliateid in a URL. If an affiliate embeds the following HTML into any web page they control or can post to (social network profiles, blogs and comments, message boards, guest books, etc.), they can forcibly associate their affiliateid with every visitor to that page.
<iframe src="http://shop/item?id=123&affiliateid=123"> </iframe>
This simulates a click and loads the landing page normally in the victim's browser, cookies included. The advantage of an iframe over an 'img src' include is that if the site requires script or Flash execution for the association to take place, the user's browser will execute it. For the attack to pay off, the following need to hold:
1. The user will visit this website and make a purchase before the expiration period ends.
2. The website associates the affiliate to the user session whether they are logged in or not.
3. The association takes place immediately on the landing page.
Assuming #1 and #3 are true, an attacker could simply place iframes on thousands of websites with traffic and play the odds that, out of X forced associations, Y users will by coincidence shop on the site before the association expires. They may do this for several vulnerable affiliate programs at once or individually. They may even create a website discussing the particular shop involved in the affiliate program, upping their odds of a successful association since users of that site have already shown an interest.
Recommendations
- Upon landing at the destination, require the user to click something else that carries a strong CSRF token, and have the new destination check for a valid token before allowing an association to take place. Ensure this token is tied to the user's session, so a token harvested from the attacker's own session cannot be embedded in the iframe URL.
- Ensure the affiliateid session cookies have a reasonable timeout period.
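To make the attack and the two recommendations concrete, here is an added example (not code from the original post or from any affiliate program) that models a landing page both ways: the flawed form described above, where the affiliate is associated the moment the landing URL loads, and a hardened form that only associates on a follow-up click carrying a single-use token bound to the visitor's session, with a TTL checked at checkout. The session object, the server secret, the TTL and the replayed requests are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_SECRET = b"assumed-server-secret"  # assumption: a per-deployment secret
AFFILIATE_TTL = 7 * 24 * 3600             # assumed association lifetime in seconds


@dataclass
class Session:
    sid: str                               # the shop's own session cookie value
    affiliate: Optional[str] = None
    affiliate_set_at: float = 0.0
    pending_token: Optional[str] = None


def vulnerable_landing(session: Session, query: Dict[str, str], now: float) -> None:
    """Flawed pattern from the post: the affiliate is associated the moment the
    landing URL loads, so a hidden <iframe> load counts the same as a real click."""
    session.affiliate = query.get("affiliateid")
    session.affiliate_set_at = now


def _mac(sid: str, affiliate_id: str, nonce: str) -> str:
    msg = f"{sid}:{affiliate_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_landing(session: Session, query: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: render the item page plus a 'continue' link carrying a
    single-use token bound to this session. No association happens here."""
    aff = query.get("affiliateid")
    if not aff:
        return None
    nonce = secrets.token_hex(16)
    token = f"{nonce}.{_mac(session.sid, aff, nonce)}"
    session.pending_token = token
    return f"/track?affiliateid={aff}&token={token}"


def hardened_track(session: Session, query: Dict[str, str], now: float) -> bool:
    """The follow-up click. Associate only if the token is the one issued to this
    session, verifies under the server secret for this sid, and is unused."""
    aff = query.get("affiliateid", "")
    token = query.get("token", "")
    if not aff or not session.pending_token:
        return False
    if not hmac.compare_digest(token.encode(), session.pending_token.encode()):
        return False
    nonce, _, mac = token.partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(session.sid, aff, nonce).encode()):
        return False
    session.pending_token = None           # single use
    session.affiliate = aff
    session.affiliate_set_at = now
    return True


def credited_affiliate(session: Session, now: float) -> Optional[str]:
    """At checkout: credit only if the association is still within its TTL."""
    if session.affiliate and now - session.affiliate_set_at <= AFFILIATE_TTL:
        return session.affiliate
    return None


def simulate() -> Dict[str, object]:
    """Replay the post's scenario with constructed requests. The hidden iframe
    arrives carrying the victim's session cookie and the attacker's query string."""
    t0 = 1_000_000.0
    iframe_query = {"id": "123", "affiliateid": "123"}   # the post's example URL
    results: Dict[str, object] = {}

    # 1. Vulnerable site: the iframe load alone stuffs the affiliate association.
    victim = Session(sid="victim-sid")
    vulnerable_landing(victim, iframe_query, t0)
    results["vulnerable_credited"] = credited_affiliate(victim, t0 + 3600)

    # 2. Hardened site: the iframe loads the landing page but never clicks through.
    victim = Session(sid="victim-sid")
    hardened_landing(victim, iframe_query)
    results["hardened_iframe_credited"] = credited_affiliate(victim, t0 + 3600)

    # 3. Attacker points the iframe at /track with a guessed token.
    results["guessed_token_accepted"] = hardened_track(
        victim, {"affiliateid": "123", "token": "0000.0000"}, t0)

    # 4. Attacker harvests a real token from their own session and embeds that
    #    link instead; it is bound to the attacker's sid, not the victim's.
    attacker = Session(sid="attacker-sid")
    stolen_token = hardened_landing(attacker, iframe_query).split("token=")[1]
    results["cross_session_token_accepted"] = hardened_track(
        victim, {"affiliateid": "123", "token": stolen_token}, t0)

    # 5. A genuine visitor who clicks through is credited, and the token is spent.
    shopper = Session(sid="shopper-sid")
    token = hardened_landing(shopper, iframe_query).split("token=")[1]
    first = hardened_track(shopper, {"affiliateid": "123", "token": token}, t0)
    second = hardened_track(shopper, {"affiliateid": "123", "token": token}, t0)
    results["real_click_credited"] = credited_affiliate(shopper, t0 + 3600) if first else None
    results["token_replay_accepted"] = second

    # 6. The same shopper checking out after the TTL earns the affiliate nothing.
    results["expired_credited"] = credited_affiliate(shopper, t0 + AFFILIATE_TTL + 1)
    return results
```

The token is stored server-side against the session and also MACed over the session id, so neither a guessed value nor a token minted for the attacker's own session is accepted for the victim, and once spent it cannot be replayed; the TTL check at checkout is the second recommendation applied where the money actually changes hands.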
I've been discussing this in private circles for the last 20 months or so and, for various reasons, was unable to discuss it publicly until recently. To be clear, I'm hardly the first person to discover this; I simply wanted to write it up as an interesting attack use case. Jeremiah Grossman is giving a talk on business logic vulns that will cover this particular vector; if you're in Vegas during Black Hat, I'd advise attending. I've contacted a few people about the issue (please don't ask me who) in advance of posting this. The specific vulnerable affiliate programs will not be disclosed, as I don't see that benefiting anyone but the bad guys.