Vulnerability Summary
Defect ID: wooyun-2015-0147403
Title: JD.com leaks private information (nickname, IP address, etc.) of users who post anonymous reviews
Vendor: JD.com (京东商城)
Author: 104705824
Submitted: 2015-10-17 14:42
Fixed: 2015-12-03 21:36
Published: 2015-12-03 21:36
Vulnerability type: design flaw / logic error
Severity: Medium
Self-assessed Rank: 5
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-10-17: details sent to the vendor, awaiting vendor handling
2015-10-19: vendor confirmed; details disclosed to the vendor only
2015-10-29: details disclosed to core white hats and relevant domain experts
2015-11-08: details disclosed to regular white hats
2015-11-18: details disclosed to intern white hats
2015-12-03: details disclosed to the public
Brief description:
For users who post anonymous reviews, private information such as their nickname and IP address can be obtained.
Detailed description:
URL: http://wq.jd.com
This is a JD.com interface used by the shopping feature inside the mobile QQ client; it lets QQ users jump straight into JD shopping.
To reproduce, you must be logged in to QQ in order to view product reviews.
http://wq.jd.com/eval/GetEval?productId=1861100&guid=a36bd4e1-fd8a-4a40-b86c-10dde98ba778&_=1445063083523&callback=jsonpCBK2&g_tk=2036964968&g_ty=ls
productId is the product ID.
guid is the encrypted ID of the logged-in JD user.
g_tk is the g_tk value of the logged-in QQ session.
The response contains the review content together with the reviewer's information, including the unmasked JD user ID, the IP address and more.
Response returned by the URL above:
jsonpCBK2({"iRet":0,"errMsg":"success","data":{"jingdong_club_commentdetail_get_responce":{"comment":{"anonymousFlag":1,"content":"看到有货果断出手!官方售价12分期,京东相当给力!昨晚23点前下单今早就收到了!还在试用中??","creationTime":"2015-10-17 12:40:41","firstCategory":9987,"guid":"a36bd4e1-fd8a-4a40-b86c-10dde98ba778","id":1045010851,"integral":-40,"isMobile":true,"isReplyGrade":false,"isTop":false,"nickname":"m***o","orderId":0,"pin":"m***o","productColor":"银色","productSize":"公开版","recommend":false,"referenceId":"1861100","referenceImage":"jfs/t2491/330/130347277/93583/10ac6d51/55f0e840N6609b12b.jpg","referenceName":"Apple iPhone 6s plus (A1699) 128G 银色 移动联通电信4G手机","referenceTime":"2015-10-16 21:58:47","referenceType":"Product","referenceTypeId":0,"replyCount":0,"score":5,"secondCategory":653,"status":1,"thirdCategory":655,"uid":13340222,"usefulVoteCount":0,"uselessVoteCount":0,"userClient":2,"userClientShow":"<a href='http://app.jd.com/iphone.html' target='_blank'>来自京东iPhone客户端</a>","userImage":"storage.jd.com/i.imageUpload/66756e6b796d656731343135373134353532343939_sma.jpg","userImageUrl":"storage.jd.com/i.imageUpload/66756e6b796d656731343135373134353532343939_sma.jpg","userIp":"114.250.89.46","userLevelColor":"#ff0000","userLevelId":"105","userLevelName":"钻石会员","userProvince":"北京","userRegisterTime":"2010-12-19 00:26:18","viewCount":0},"productSolrInfo":{"brandId":14026,"brandName":"Apple","categoryList":["9987 手机","653 手机通讯","655 手机"],"fullName":"Apple iPhone 6s plus (A1699) 128G 银色 移动联通电信4G手机","id":1861100,"imgUrl":"jfs/t2491/330/130347277/93583/10ac6d51/55f0e840N6609b12b.jpg","shortName":"Apple iPhone 6s Plus"},"resultCode":null},"user":null}
})
Leaked information:
"userIp":"114.250.89.46"
This is the IP address the user had when posting the review.
"uid":13340222,
User ID; the username can be retrieved directly from this ID:
http://me.jd.com/13340222.html
The username of this anonymous reviewer is: myooooo
Proof of vulnerability:
Suggested fix:
Mask the user's sensitive information before it is returned.
Copyright notice: please credit the source when reposting: 104705824@WooYun
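The following is an added example, not code from the report or from JD.com: a server-side response filter for a comment-detail endpoint with the JSONP shape shown above. Field names (anonymousFlag, userIp, uid, nickname, pin, ...) follow the JSON in the report; the policy of which fields to drop, the sample response, and all values in it are this example's own assumptions. It also includes a leaked_fields() check that can run as a regression test against the endpoint's real output, so the leak cannot silently return.

```python
import json
import re

# Reviewer identifiers that never belong in a response shown to other shoppers.
# userIp and uid are the two fields the report shows leaking; pin and
# userRegisterTime are added here by assumption.
ALWAYS_DROP = {"userIp", "uid", "pin", "userRegisterTime"}

# Fields that are tolerable on a named review but let an anonymous reviewer be
# re-identified, so they go whenever anonymousFlag == 1 (this policy is the
# example's assumption, not JD's).
DROP_IF_ANONYMOUS = {"userImage", "userImageUrl", "userProvince",
                     "userLevelId", "userLevelName"}

# Matches a JSONP body such as jsonpCBK2({...}) and captures callback and JSON.
_JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\((.*)\)\s*;?\s*$", re.S)


def parse_jsonp(text):
    """Split a JSONP body into (callback name, parsed JSON value)."""
    m = _JSONP_RE.match(text)
    if not m:
        raise ValueError("not a JSONP payload")
    return m.group(1), json.loads(m.group(2))


def _sensitive_keys(d):
    """Keys to drop from one dict, widened when the dict is an anonymous review."""
    keys = set(ALWAYS_DROP)
    if d.get("anonymousFlag") == 1:
        keys |= DROP_IF_ANONYMOUS
    return keys


def sanitize(obj):
    """Return a deep copy of obj with sensitive reviewer fields removed."""
    if isinstance(obj, dict):
        drop = _sensitive_keys(obj)
        return {k: sanitize(v) for k, v in obj.items() if k not in drop}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    return obj


def leaked_fields(obj, path=""):
    """Dotted paths of sensitive fields still present; an empty list means clean.
    Suitable as a regression check on the endpoint's output."""
    found = []
    if isinstance(obj, dict):
        drop = _sensitive_keys(obj)
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in drop:
                found.append(p)
            found.extend(leaked_fields(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found


def sanitize_jsonp(text):
    """Parse, strip, and re-wrap a JSONP response with its original callback."""
    cb, obj = parse_jsonp(text)
    body = json.dumps(sanitize(obj), ensure_ascii=False, separators=(",", ":"))
    return f"{cb}({body})"


# Constructed sample in the shape of the report's response; all values are made up.
SAMPLE = (
    'jsonpCBK2({"iRet":0,"errMsg":"success","data":{'
    '"jingdong_club_commentdetail_get_responce":{"comment":{'
    '"anonymousFlag":1,"content":"arrived the next morning","nickname":"m***o",'
    '"pin":"m***o","uid":1000001,"userIp":"203.0.113.7","userProvince":"Beijing",'
    '"userRegisterTime":"2010-01-01 00:00:00","score":5},'
    '"resultCode":null},"user":null}})'
)

if __name__ == "__main__":
    _, raw = parse_jsonp(SAMPLE)
    print("leaks before:", leaked_fields(raw))
    print(sanitize_jsonp(SAMPLE))
    print("leaks after:", leaked_fields(parse_jsonp(sanitize_jsonp(SAMPLE))[1]))
```

The filter keeps the already-masked nickname ("m***o") and the review content, and removes the raw uid and userIp that the report shows resolving to a real account. Running leaked_fields() over a captured response in CI turns the fix into a check that fails if any of these fields reappear.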
Vendor Response
Vendor response:
Severity: Low
Vulnerability Rank: 3
Confirmed: 2015-10-19 21:34
Vendor reply:
Thank you very much for your attention to JD security!
Latest status:
None