Free JetCash: How We Got JetCash from the New jet.com

The following is a description of how Tyler Schmidtke and I obtained free JetCash shortly after the launch of the site. This research was conducted on July 25, 2015. We worked with Jet to ensure that the finding described in this post was remedied prior to this blog post being published.

Jet.com is a recently launched eCommerce site hoping to reinvent online shopping. There has been quite a lot of hype around it, so Tyler and I decided to check it out. In browsing the site and watching some of the videos that had been posted, we learned of JetCash, free credits for jet.com that could be earned by shopping at third party retailers. Jet refers to this as Shop Anywhere. In investigating these credits further, we learned that verification for external purchases relied on submission of order confirmation, from the third party, via email. Jet launched with a large list of external vendors, including Nike.com. What was enticing about Nike.com was that 30 percent of the total purchase price at Nike.com, could be directly converted to JetCash.

Upon seeing the conversion rate and looking at the validation method for external purchases, we decided to create an account to test this third party order validation method. Jet.com utilizes a subscription model; however, considering its recent launch, I was able to find a promo code to get 6 months of access for free. Once the account had been created, I proceeded to make a purchase on Nike.com. I didn’t want to invest too much in testing Jet’s external purchase validation, so Tyler and I decided that we would purchase the cheapest thing available (Nike sweat bands).

Nike Purchase, Nike Order, Nike Purchase Order, Free JetCash

The Nike Purchase Order.

Once the order had been placed, we waited to receive the confirmation email. We suspected that this email would be HTML, meaning that it could be easily modified prior to sending to Jet for verification. Shortly after placing the order for 1 Nike sweat band, I received an order confirmation in my inbox. The confirmation email was fairly simple, containing an order number, shipping information, and order details. Considering the validation process relied on this confirmation email, we thought that we would modify the email prior to forwarding it on to the confirmation email at Jet (anywhere@jet.com).

Nike Email, Confirmation Email, Nike Confirmation Email, Free JetCash

Purchase Confirmation email from Nike.

We then just simply edited the html and plain text portions of the email to reflect a quantity of 20 sweat bands instead of 1, and updated the prices accordingly. The email that we forwarded then looked like this:

Spoofed Email, Fake Email, Altered Email, HTML Edits, Free JetCash

The Spoofed Email We sent to Jet Anywhere.

Our purpose for modifying the email was to identify a potential vulnerability in this functionality of Jet.com, so we only modified the email to potentially obtain a slight amount of JetCash. We increased the quantity of the sweat bangs in the confirmation email to 20 and appropriately updated the tax and total. This brought the total of our fabricated order to $114.75, enough to earn us approximately $30 in JetCash.

We sent the modified confirmation email and hoped for the best. After waiting a short while, we received the following email confirming that we had earned $30 in JetCash.

JetCash, JetCash Email, JetCash Award, Free JetCash

Email showing JetCash Award.

It should be noted that we had no intention of using any of this free JetCash. This test was simply conducted for research, to potentially identify a vulnerability in this feature of Jet.com. We notified Jet of our findings and ultimately received the following response.


– Jet does not consider this a security issue as there was no bug present. The steps you describe highlight a temporary process that would allow people to commit fraud and potentially not be caught.
– In order to not delay the launch of Jet Anywhere, the program was launched with a manual verification step for the first two weeks until a more automated link tracking mechanism was in place. Some merchants had automatic link tracking in place while others were manual.
– Jet was founded on core values of trust, transparency and fairness. Jet trusted the “good” in our members to only forward us legitimate receipts and reward them with instant JetCash, and not intentionally committing fraud by altering an actual order.
– The process is now fully-implemented with click-tracking, merchant verification, and pending jet cash in case someone later cancels their purchase.

As stated in Jet’s response, this issue has been resolved. While this was not necessarily a vulnerability related to the technical aspects of Jet.com, Tyler and I still feel that this finding was a signficant flaw that existed on Jet.com during its initial launch period. During the reporting process, Jet was incredibly responsive, keeping in touch with Tyler and I until the issue had been resolved.

During this process, we also learned that Jet’s official bug bounty program is run through Bug Crowd. If you’re interested in helping Jet out by hunting for bugs, you can learn more about the program here: https://bugcrowd.com/jet

NCL Summer 2015 Skyline Thoughts and Challenges Walk through

NCL recently ran a pilot to introduce there new skyline platform. Although this will likely be the NCL Summer 2015 competition i’ll be able to compete in, I wanted to give my honest opinion on the platform and walk through some of the challenges that I thought were well done.

Review:

First of all I find that this new Skyline platform had far better performance then old NCL scoring engine. This is likely due to the lower number of players in this summer round, but I hope the stability remains. Additionally, I thought the step by step approach with hints available will make challenges far more approachable to player who are new to the infosec competition space. My only real criticism would be the web app challenge, having it embedded into the skyline interface made it much harder to work with. In the further maybe still host web app challenges in AWS.

Challenges:

QR Code Images

There were really two very similar QR image challenges. These were among my favorite present, in this NCL round. Since some of the guided questions were very similar I will just cover them once. Now the latter image is given to you in 4 pieces and you are meant to use your forensic skills to reassemble the image based on some hex headers, footers, and commonalities. However, I just wrote a quick script to cat each of the files together in each of the possible permutations; then just opened the one that showed a valid thumbnail of the image.

What is the md5 hash of the image? In both chases the following command on that trust kali box will get you the

iptables for Cyber Defense

Linux operating systems are very popular within the Cyber Security competition space for several reason, the foremost likely being that its free. Nonetheless, this abundance often calls for competitors to have at least a basic understanding of how to defend Linux systems. Arguable the first step in defending a Linux system is strong passwords, but a strong firewall is defiantly the second.

First of all, make a bash script for your firewall configuration, run it often (I like rc.local, cron, and init), and hide it well (I like a places I would frequent as a defender, but not as an attacker, like /etc/apache2/sites-available). This iptables script should at the very least include an IN and OUT filter for ssh and the port(s) core service(s). A basic script might look like the following.

#!/bin/bash
iptables -F #clear the table
#iptables tricks
iptables -A INPUT -i lo -j ACCEPT #accept connections on our loop back
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #drop bull packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #drop syn floods (couple with syn.cookies)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #drop xmas packets cause this isn't the 90s
iptables -A INPUT -p tcp --dport 80,443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT #limit incoming connections
#IN Chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT #open ssh
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #open http
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT #open https
#OUT Chain
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT #allow ssh out
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT #allow http out
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT #allow https out
iptables -P OUTPUT DROP #drop other out
iptables -P INPUT DROP #drop other in

Allow this is likely not all the rules one might require throughout a competition, I’ve found its a good place to start. I hope to add more examples and useful rules as I learn of them in my career. If anyone has any questions feel free to hit me up.