
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0147403

Title: 京东商城 (JD.com) leaks the nickname, IP address and other private information of anonymous reviewers

Vendor: 京东商城 (JD.com)

Author: 104705824

Submitted: 2015-10-17 14:42

Fixed: 2015-12-03 21:36

Published: 2015-12-03 21:36

Vulnerability type: design flaw / logic error

Severity: medium

Self-assessed rank: 5

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-10-17: Details sent to the vendor; awaiting vendor response
2015-10-19: Vendor confirmed; details visible to the vendor only
2015-10-29: Details disclosed to core white hats and domain experts
2015-11-08: Details disclosed to regular white hats
2015-11-18: Details disclosed to trainee white hats
2015-12-03: Details disclosed to the public

Brief description:

For reviews posted anonymously, the reviewer's nickname, IP address and other private information can still be obtained.

Detailed description:

Site: http://wq.jd.com
This is a JD interface used by the shopping feature of the QQ mobile client, which lets QQ users jump directly to JD shopping.
To view product reviews during testing you must be logged in to QQ.
http://wq.jd.com/eval/GetEval?productId=1861100&guid=a36bd4e1-fd8a-4a40-b86c-10dde98ba778&_=1445063083523&callback=jsonpCBK2&g_tk=2036964968&g_ty=ls
productId is the product ID
guid is the encrypted ID of the logged-in JD user
g_tk is the g_tk value of the logged-in QQ account
The response contains the review content together with the reviewer's information, including the unencrypted JD user ID, IP address and more.
Information returned by the URL above:
jsonpCBK2({"iRet":0,"errMsg":"success","data":{"jingdong_club_commentdetail_get_responce":{"comment":{"anonymousFlag":1,"content":"看到有货果断出手!官方售价12分期,京东相当给力!昨晚23点前下单今早就收到了!还在试用中??","creationTime":"2015-10-17 12:40:41","firstCategory":9987,"guid":"a36bd4e1-fd8a-4a40-b86c-10dde98ba778","id":1045010851,"integral":-40,"isMobile":true,"isReplyGrade":false,"isTop":false,"nickname":"m***o","orderId":0,"pin":"m***o","productColor":"银色","productSize":"公开版","recommend":false,"referenceId":"1861100","referenceImage":"jfs/t2491/330/130347277/93583/10ac6d51/55f0e840N6609b12b.jpg","referenceName":"Apple iPhone 6s plus (A1699) 128G 银色 移动联通电信4G手机","referenceTime":"2015-10-16 21:58:47","referenceType":"Product","referenceTypeId":0,"replyCount":0,"score":5,"secondCategory":653,"status":1,"thirdCategory":655,"uid":13340222,"usefulVoteCount":0,"uselessVoteCount":0,"userClient":2,"userClientShow":"<a href='http://app.jd.com/iphone.html' target='_blank'>来自京东iPhone客户端</a>","userImage":"storage.jd.com/i.imageUpload/66756e6b796d656731343135373134353532343939_sma.jpg","userImageUrl":"storage.jd.com/i.imageUpload/66756e6b796d656731343135373134353532343939_sma.jpg","userIp":"114.250.89.46","userLevelColor":"#ff0000","userLevelId":"105","userLevelName":"钻石会员","userProvince":"北京","userRegisterTime":"2010-12-19 00:26:18","viewCount":0},"productSolrInfo":{"brandId":14026,"brandName":"Apple","categoryList":["9987 手机","653 手机通讯","655 手机"],"fullName":"Apple iPhone 6s plus (A1699) 128G 银色 移动联通电信4G手机","id":1861100,"imgUrl":"jfs/t2491/330/130347277/93583/10ac6d51/55f0e840N6609b12b.jpg","shortName":"Apple iPhone 6s Plus"},"resultCode":null},"user":null}
})
The leaked information it contains:
"userIp":"114.250.89.46"
This is the IP address the user posted the review from.
"uid":13340222,
The user ID; the username can be obtained directly from this ID:
http://me.jd.com/13340222.html
The username of this anonymous reviewer turns out to be: myooooo

Proof of vulnerability:

[Screenshot: QQ截图20151017142919.png]

[Screenshot: QQ截图20151017142744.png]

Fix suggestion:

Mask or strip sensitive user information from the response.
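As an added illustration of that fix (example code, not JD's own), the filter below parses a GetEval-style JSONP response, drops the fields that identify the reviewer before it leaves the server, and reports which fields a captured response still leaks. The field list and the sample response are assumptions modelled on the response structure quoted above, with made-up values.

```python
import json
import re

# Fields that identify the reviewer. The list is an assumption based on the
# field names visible in the leaked response above; userIp is never needed by
# the client, so it is dropped for every comment, the rest only for anonymous ones.
ALWAYS_STRIP = {"userIp"}
ANONYMOUS_STRIP = {"uid", "pin", "guid", "userImage", "userImageUrl",
                   "userRegisterTime", "userProvince"}

JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\((.*)\)\s*;?\s*$", re.S)

def parse_jsonp(text):
    """Split 'callback({...})' into (callback name, parsed JSON payload)."""
    m = JSONP_RE.match(text)
    if not m:
        raise ValueError("not a JSONP response")
    return m.group(1), json.loads(m.group(2))

def redact_comment(comment):
    """Return a copy of one comment object with identifying fields removed."""
    strip = set(ALWAYS_STRIP)
    if comment.get("anonymousFlag") == 1:
        strip |= ANONYMOUS_STRIP
    return {k: v for k, v in comment.items() if k not in strip}

def leaking_fields(comment):
    """Names of the fields redact_comment would remove: a regression check
    a defender can run against a captured response."""
    return sorted(set(comment) - set(redact_comment(comment)))

def sanitize_response(text):
    """Apply redact_comment to the GetEval payload and re-wrap it as JSONP."""
    callback, payload = parse_jsonp(text)
    detail = payload["data"]["jingdong_club_commentdetail_get_responce"]
    detail["comment"] = redact_comment(detail["comment"])
    return f"{callback}({json.dumps(payload, ensure_ascii=False)})"

# Constructed sample modelled on the response structure shown on this page;
# the values are made up (TEST-NET address, fake ids), not the real data.
SAMPLE = ('jsonpCBK2({"iRet":0,"errMsg":"success","data":{'
          '"jingdong_club_commentdetail_get_responce":{"comment":{'
          '"anonymousFlag":1,"content":"test","nickname":"m***o","pin":"m***o",'
          '"uid":123456,"userIp":"203.0.113.7","userProvince":"北京",'
          '"guid":"00000000-0000-0000-0000-000000000000",'
          '"userImageUrl":"storage.example/u/123456_sma.jpg","score":5},'
          '"resultCode":null},"user":null}})')
```

Running `sanitize_response(SAMPLE)` returns the same JSONP with only the masked nickname, content and score left in the comment object; `leaking_fields` on a captured comment gives a quick check that the fix is in place.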

Copyright notice: please credit the source 104705824@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: low

Vulnerability rank: 3

Confirmed: 2015-10-19 21:34

Vendor reply:

Thank you very much for your attention to JD security!

Latest status:

None