This report was fully disclosed on 19 August 2020

Summary

Due to the lack of rate limiting or captcha on a specific end-point it is possible for an unauthenticated attacker to send a large number of SMS text messages to a phone number of their choosing.

This allows a remote unauthenticated attacker to abuse the service and perform “SMS Flooding”, resulting in the target receiving hundreds or thousands of SMS text messages per minute.

About Vistaprint: “Vistaprint, a Cimpress company, helps small business owners create expertly designed, up-to-date custom marketing – the assortment of products they need to look and feel professional, prepared and plugged in”

Proof of Concept

First we must craft a request to the vulnerable end-point. The request body is as follows.

GET /api/v1/sendLink/6475551337 HTTP/1.1
Host: mycard.vistaprint.com
User-Agent: Hacker 7.23
Connection: close

In this case we used a free phone number provided by our friends at TextNow as our target for testing.

Once we have crafted this request, we can use Burp intruder to repeat the request a desired number of times. To do this we can append ?req=§0§ to the GET request and create a payload list of a numerical sequence of 100.

We can note that the first response was received at 08:29:12 GMT and the last response was received at 08:29:22 GMT. Since 100 requests were sent we can determine that messages can be sent at a minimum rate of 10 messages per second, or 600 per minute from a single attack.

image tooltip here

image tooltip here

As shown in the following screenshot 100+ sms messages were received by the target.

image tooltip here

Active Exploitation

At 2:57 AM on 25 Feburary, Twitter user @scottbix posted a video of his phone being flooded with messages from various platforms, including but not limited to Zoom. Based on this example we can determine with a high degree of certainty that this vulnerability is actively being exploited for malicious purposes.

  • Implement captcha and other rate limiting controls to prevent abuse.
  • Discontinue unused end-points
  • Implement a security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
  • Perform a full penetration test of the web platform and API to identify further issues.

Response From [email protected]

On Monday, March 2, 2020 13:49, BugBounty [email protected] wrote:

Hello,

Our team has been contacted by Vistaprint regarding your recent Tweet (https://twitter.com/GlitchWitch/status/1234145310445887488) about a security issue you identified on the Vistaprint website. We didn’t receive your email in our Bug Bounty mailbox so we wanted to contact you directly to thank you for notifying us about issue you identified and to also offer to onboard you to our private Bugcrowd program if you would like to formally submit your finding. We’re unable to offer monetary rewards but can reward valid submissions with Kudos points through Bugcrowd. Please provide your Bugcrowd username if you are interested in joining the program and please let us know if you have any questions.

Thank you,

Cimpress Bug Bounty Team

Response from [email protected]

On Monday, March 2, 2020 16:11, BugBounty [email protected] wrote:

Hello,

We were able to locate your original email and have passed the details of your finding to the appropriate team for remediation. We plan to work with our customer service teams to educate them on how to properly interact with and direct independent security researchers to our team.

Are you interested in receiving kudos points for your finding in our private Bugcrowd program?

Thank you,

Cimpress Bug Bounty Team

Response from [email protected]

On Monday, March 2, 2020 16:33, BugBounty [email protected] wrote:

Thank you for providing your username.  I’ve requested that the Bugcrowd support team add you to our private Bugcrowd program.  You should receive an invitation to join the program in the next day or two.  Once you receive and accept the invitation, can you please submit your finding on the Bugcrowd platform?  We already have the vulnerability details so just filling out the necessary fields for the Bugcrowd submission will suffice.  This will allow us to reward you with Kudos points.  I will ensure that your submission is triaged as soon as possible after it is submitted and that your points are awarded.  Thank you again for all the help and please let us know if you have any questions in the meantime.

Timeline

  • 25 February 2020: Affected Party Notified
  • 2 March 2020: Affected Party Responded (+6 days)
  • 19 August 2020: Report Published (+176 days)