LearnWorlds Users at Risk: Numerous Vulnerabilities Uncovered

April 6, 2023

As a cyber threat intelligence company, SOCRadar’s mission is to use every available piece of information to identify and prevent cyber threats targeting our customers. SOCRadar performs several scanning and security checks by mapping the attack surface of organizations to help them manage their security vulnerabilities. SOCRadar’s active and passive scan modules run continuously and proactively identify security vulnerabilities in its customers’ third-party providers. As a result of these investigations, SOCRadar researchers detected vulnerabilities in LearnWorlds that may affect many users.

Third-Parties Leave You Vulnerable to Cyber Attacks

When companies purchase digital products, they expect them to be secure. They often do not test for security vulnerabilities in their digital supply chain because they lack the time or resources to do so. Since the security of a system is only as strong as its weakest link, an attacker’s first goal is to identify that weak link and exploit it to advance the attack. The activities that typically follow, such as gaining unauthorized access to an organization’s network and exploiting its resources, rendering systems unusable and causing business losses, or exposing confidential data, can result in a range of damages. As a result, organizations may suffer financial and reputational losses from serious attacks caused by an uncontrolled third-party component that is not inherently part of their systems but has been included in them.

Security vulnerabilities in the supply chain have led to some of the most dramatic cyberattacks in recent years. In the early 2021 SolarWinds attack, hackers added malicious code to software after it had been confirmed as ready for customers. In this case, as in many others, threat actors exploited security weaknesses in how suppliers connected to customer systems and then set up backdoors that could be used to steal intellectual property and financial information, or to install malware that could spread to customer systems.

More recently, in the Okta data breach, a security incident occurred on a support engineer’s computer, and threat actors had access to the laptop for five days.

What is LearnWorlds?

LearnWorlds is a powerful and user-friendly educational solution for individuals and organizations, founded in 2014. It is a fully customizable platform that institutions can apply to their brand to train their employees, partners, and customers or sell online courses to various target audiences. 

LearnWorlds is a cloud-based application for corporate training by entrepreneurs and e-learning companies.

Security Vulnerabilities on LearnWorlds

The identified vulnerabilities were also assessed in terms of whether they appear in the OWASP Top 10 list.

1. Session Fixation (WSTG-SESS-003)

OWASP 2013-A2, OWASP 2017-A2, OWASP 2021-A7, OWASP 2019-API2, OWASP PC-C6, CWE-384 WASC-37 

High 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 

Cookies/sessions are components of web applications that are needed during development for various reasons, such as distinguishing and authorizing users who visit the server, keeping current sessions for a certain period, carrying various information, or managing sessions. 

If the cookie value issued to an unauthenticated client is not changed after authentication, and authorization then relies solely on that cookie value, several vulnerabilities follow. For example, if a user logs into the application while carrying a previously assigned cookie value, and the server authorizes requests using that same value, a malicious actor who knows the previously assigned value can access the user’s account. This can lead to an Account Takeover (ATO) attack, since functions such as password change on the affected application do not require the old password.


Suggestion:

To avoid exposure to this vulnerability, cookie and session components should be handled carefully.

Regardless of which session ID a user arrives with, the session ID should be replaced with a new unique value after authentication. Each time a user logs in or logs out, the session information should be reset and invalidated. Users who want to change their password should be required to re-authenticate, for example by entering their old password, or to complete multi-factor authentication.
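The following is an added illustration of the remediation described above, not code from SOCRadar or LearnWorlds. It models a server-side session table in which one login routine keeps the pre-authentication ID (the fixation bug) and the other rotates it; the user name, password and session store are constructed for the example.

```python
import secrets


# Constructed credential table standing in for the application's user store.
USERS = {"alice": "correct-horse-battery"}


class SessionStore:
    """Minimal server-side session table: session_id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self) -> str:
        """Issue an anonymous session ID, as a server does on a visitor's first request."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, username: str, password: str) -> str:
        """Session fixation: the pre-authentication ID is simply upgraded to a logged-in one."""
        if sid not in self.sessions or USERS.get(username) != password:
            raise PermissionError("unknown session or bad credentials")
        self.sessions[sid]["user"] = username
        return sid

    def login_fixed(self, sid: str, username: str, password: str) -> str:
        """Remediated: whatever ID the client arrived with is invalidated and a fresh one issued."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        self.sessions.pop(sid, None)              # the old ID must never become authenticated
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate the session server-side rather than only clearing the client cookie."""
        self.sessions.pop(sid, None)

    def whoami(self, sid: str):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def simulate(fixed: bool) -> tuple:
    """Model the scenario from the text: a session ID is known before the victim logs in.
    Returns (what the victim's ID resolves to, what the previously known ID resolves to)."""
    store = SessionStore()
    known_sid = store.new_session()               # ID assigned before authentication
    login = store.login_fixed if fixed else store.login_vulnerable
    victim_sid = login(known_sid, "alice", "correct-horse-battery")
    return store.whoami(victim_sid), store.whoami(known_sid)


if __name__ == "__main__":
    print("vulnerable:", simulate(False))   # ('alice', 'alice'): old ID is now authenticated
    print("fixed:     ", simulate(True))    # ('alice', None): old ID is worthless
```

In a real framework the same effect comes from the session regeneration call the framework already provides (issued immediately after a successful credential check); the point of the simulation is that the ID seen before login must resolve to nothing afterwards.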

2. External Service Interaction (DNS)

Medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 

External service interaction (DNS) occurs when a web application or mail server can be made to interact with an arbitrary external service chosen by the user. Arbitrary external interactions are not a security vulnerability on their own and may even be the application’s intended behavior in some cases. In most cases, however, they indicate a serious security vulnerability with significant consequences.

By exploiting this vulnerability, a malicious user can learn the real IP address of an application server hosted behind protective services such as Cloudflare, or can launch attacks using the application server as a proxy.

Suggestion:

  • If the ability to trigger arbitrary external service interactions is not intended behavior, a whitelist of allowed services and hosts should be implemented, and any interaction with a destination not on this whitelist should be blocked. 
  • Any URL supplied in the ‘avatar’ parameter should be validated. 
  • Only specific, approved addresses should be accepted as URLs. 
  • If the functionality is not needed, it should be removed entirely. 
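As an added example of the whitelist check suggested above (not LearnWorlds code), this validator accepts an avatar URL only when it uses HTTPS, carries no embedded credentials, has no literal IP address, uses the default port and names a host on an allowlist. The host names in `ALLOWED_AVATAR_HOSTS` are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment would list its own CDN / image hosts here.
ALLOWED_AVATAR_HOSTS = {"cdn.example-avatars.test", "images.example-school.test"}


def validate_avatar_url(url: str, allowed_hosts=ALLOWED_AVATAR_HOSTS) -> bool:
    """Return True only if the URL points at an allowlisted host over plain HTTPS."""
    try:
        parts = urlsplit(url)
        port = parts.port                  # raises ValueError on a non-numeric port
    except ValueError:                     # also covers malformed IPv6 literals
        return False
    if parts.scheme != "https":            # no http, file, ftp, gopher ...
        return False
    if parts.username is not None or parts.password is not None:
        return False                       # "https://trusted.test@other.test/" style confusion
    host = parts.hostname                  # already lower-cased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)         # literal IPs (loopback, link-local, ...) never match
        return False
    except ValueError:
        pass
    if port not in (None, 443):            # keep the fetch on the expected service port
        return False
    return host.rstrip(".") in allowed_hosts


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example-avatars.test/u/42.png",
        "http://cdn.example-avatars.test/u/42.png",
        "https://cdn.example-avatars.test@other.test/u/42.png",
        "https://127.0.0.1/u/42.png",
    ):
        print(validate_avatar_url(candidate), candidate)
```

Validating the string at submit time is only half of the fix: the component that actually downloads the avatar should also refuse to follow redirects (or re-run this check on every hop) so that an allowlisted host cannot bounce the request elsewhere.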

3. User Account Information Disclosure With Detail

OWASP 2017-A3 , OWASP 2013-A6 

Medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 

Authentication systems that are not securely configured can disclose critical information such as usernames or passwords. Failed authentication attempts by attackers using default usernames and passwords can reveal valid credentials through the error messages returned by the authentication mechanism. Once attackers obtain a username or password, the remaining information needed to log in can be obtained through brute-force attacks.

Suggestion:

  • During authentication, the application should not check a submitted username against the user database on its own and return a response that reveals whether the username exists. 
  • When a wrong password is entered for an existing username, the response should not state specifically that the password is incorrect; a generic failure message should be used instead. 
  • Authentication systems should be designed to lock the relevant account for a certain period after a certain number of failed attempts. 
  • Responses used for user selection should return only the information about users that is strictly necessary.
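An added example (not the vendor’s code) of the first three suggestions together: a login routine that returns one generic message for every failure path, does the same password-hashing work for unknown and known usernames so that response time does not reveal which accounts exist, and locks an account for a fixed period after repeated failures. The user record, password and clock are constructed for the example.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Invalid username or password."   # one message for every failure path
MAX_ATTEMPTS = 5
LOCK_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_table():
    """Constructed user store: username -> (salt, digest). Not real credentials."""
    salt = os.urandom(16)
    return {"alice": (salt, _digest("Sample-Passw0rd!", salt))}


class Authenticator:
    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock                     # injectable so lockout expiry can be tested
        self.failures = {}                     # username -> (count, locked_until)
        # Dummy record: unknown usernames cost the same hashing work as known ones.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, _digest(os.urandom(8).hex(), dummy_salt))

    def login(self, username: str, password: str):
        count, locked_until = self.failures.get(username, (0, 0.0))
        if locked_until > self.clock():
            _digest(password, self._dummy[0])  # keep timing uniform while locked
            return False, GENERIC_ERROR
        salt, expected = self.users.get(username, self._dummy)
        matched = hmac.compare_digest(_digest(password, salt), expected)
        if matched and username in self.users:
            self.failures.pop(username, None)  # successful login clears the counter
            return True, "OK"
        count += 1
        locked_until = self.clock() + LOCK_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    auth = Authenticator(make_user_table())
    print(auth.login("alice", "wrong"))       # (False, 'Invalid username or password.')
    print(auth.login("nobody", "wrong"))      # same message, same work
    print(auth.login("alice", "Sample-Passw0rd!"))
```

Per-account lockout satisfies the suggestion in the text but can be turned against legitimate users by anyone who knows a username, so in practice it is paired with per-source rate limiting and the lockout message stays identical to the ordinary failure message, as it does here.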

4. Reflected Cross Site Scripting/XSS (A1:2007)

Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 

XSS, or cross-site scripting, is a vulnerability that allows malicious individuals to deliver code (usually JavaScript and HTML) to other users through the affected website, where it is executed on the client side to perform malicious actions.

XSS vulnerabilities occur when an application applies insufficient input and output control to data obtained from external sources, allowing malicious users to execute arbitrary JavaScript in victims’ browsers, steal their session information, or redirect their web browsers. With the victim’s web browser compromised, an attacker can perform activities such as port scanning on the internal network or audio and video recording of the victim’s environment.

Reflected XSS is the most common type of XSS vulnerability. In this type, the code snippet (payload) sent to the target system is not permanently stored in a database, so a social engineering step, such as convincing the user to visit a link, must come first. Reflected XSS can be found in parameters sent in both HTTP GET and POST requests. Essentially, the vulnerability occurs when the payload sent to the target system is returned in the server response without being encoded; the injected code snippet then performs its action on the client that made the request. Threat actors can exploit this type of vulnerability to inject HTML, JavaScript, and ActionScript into the page on the client side, and to perform user deception or session hijacking.

Suggestion:

  • It is recommended to review the application code and filter harmful characters from all data received through parameters and other fields in the HTTP header before it is used.
  • All variables arriving at the application’s input and output points should be validated, and all meta-characters in these inputs should be filtered.
  • The following references can be reviewed for detailed XSS prevention methods: 
  • JavaScript code entered into the message field should not be executed. 
  • For this purpose, HTML encoding should be applied to the entered message content.
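The HTML-encoding suggestion above, as an added example that is not part of the original post: a reflected "message" parameter rendered once verbatim (the vulnerable pattern) and once through `html.escape`, plus a small regression check that feeds a canary of HTML meta-characters through a renderer and reports whether it comes back unencoded. The templates and canary are constructed for the example.

```python
import html

CANARY = "<\"'&>"   # the meta-characters that output encoding must neutralise


def render_vulnerable(message: str) -> str:
    """'Before': the parameter is interpolated into HTML verbatim."""
    return f"<p>Your message: {message}</p>"


def render_safe(message: str) -> str:
    """'After': HTML-encode the value so it is only ever rendered as text."""
    return f"<p>Your message: {html.escape(message, quote=True)}</p>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: quote=True also encodes the quotes that would close the attribute."""
    return f'<input type="text" name="message" value="{html.escape(value, quote=True)}">'


def reflects_unencoded(render) -> bool:
    """Regression check: does the canary survive the renderer unchanged?"""
    return CANARY in render(CANARY)


if __name__ == "__main__":
    sample = "<b>hello</b>"
    print(render_vulnerable(sample))   # tag is interpreted by the browser
    print(render_safe(sample))         # tag is displayed as literal text
    print("vulnerable leaks canary:", reflects_unencoded(render_vulnerable))
    print("safe leaks canary:      ", reflects_unencoded(render_safe))
```

The canary check is cheap enough to run in a test suite against every view that echoes request data; a template engine with auto-escaping enabled gives the same protection by default, but the check still catches places where escaping was explicitly switched off.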

5. Weak password Policies (WSTG-ATHN-007)

Medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 

Passwords are the most important part of the session system, and enforcing some rules when they are created can reduce the security risk to the system. Strong passwords give system security an advantage against brute-force attacks by attackers and in cases where encrypted passwords are retrieved from compromised databases.

Suggestion:

  • Passwords must consist of at least eight characters and include at least three of the four characteristics listed below.
  • Passwords must contain at least one uppercase letter (A-Z). 
  • Passwords must contain at least one lowercase letter (a-z). 
  • Passwords must contain at least one number (0-9).
  • Passwords must contain at least one special character (!"£$%^&*…).
  • Passwords should not contain consecutive numbers like 1234 and should not include meaningful words.
  • Instead of forcing users to choose very complex passwords, it is more efficient to warn them during password selection when their choice is among the 1,000 or 10,000 most commonly used passwords.
  • Passwords should not be stored in plain text in the database; only their hashes should be stored.
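An added example implementing the policy list above (not LearnWorlds code): a checker for the length, three-of-four character class, consecutive-digit and common-password rules, and a salted, iterated hash for storage. The common-password set is a tiny constructed stand-in for the 1,000 or 10,000 entry list the text recommends, and also serves as the "meaningful words" check.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real top-1000/10000 list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
SPECIALS = set("!\"£$%^&*()-_=+[]{};:'@#~,<.>/?\\|`")
PBKDF2_ROUNDS = 600_000


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if pw contains an ascending or descending run of `run` digits (1234, 4321)."""
    digits = [int(c) if c.isdigit() else None for c in pw]
    for i in range(len(digits) - run + 1):
        window = digits[i:i + run]
        if None in window:
            continue
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_problems(pw: str) -> list:
    """Return the list of policy rules the candidate password violates (empty = accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if has_sequential_digits(pw):
        problems.append("contains a run of consecutive digits")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is in the list of commonly used passwords")
    return problems


def hash_password(pw: str, salt: bytes = None):
    """Store (salt, digest), never the password itself; a fresh random salt per user."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("password", "Abcd1234!", "Tr0ub4dor&3"):
        print(repr(candidate), password_problems(candidate) or "accepted")
```

PBKDF2 is used here because it is in the standard library; a dedicated memory-hard function (the `hashlib.scrypt` call, or Argon2 from a third-party package) is the usual choice where available, and the policy checker is deliberately separate from the hashing so the same rules can be enforced at registration and password change.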

Who is Using LearnWorlds Worldwide?

LearnWorlds is used for educational purposes by people from various sectors worldwide, including teachers, trainers, educational institutions, business owners, writers, coaches, and consultants. Additionally, anyone wanting to provide education on any topic can use the LearnWorlds platform to create and share their online courses. LearnWorlds is used in more than 130 countries with 4506 websites in total, available in 10 different languages.

About Publication Process with LearnWorlds

  • On January 24, 2023, the identified vulnerabilities were reported to LearnWorlds officials by SOCRadar. We informed them that the blog post would be shared according to their feedback.
  • On January 25, 2023, LearnWorlds sent an email stating that the issue had been forwarded to the development team for further investigation and that they would respond as soon as feedback was received.
  • On January 26, 2023, LearnWorlds requested examples of the identified security vulnerabilities.
  • On January 27, 2023, the vulnerabilities were reported in detail, along with version information. Subsequently, an email was received from LearnWorlds indicating that a response would be provided.
  • The current status was requested from LearnWorlds, and it was stated that the work carried out on February 16, 2023, would be published as a blog post.
  • On February 17, 2023, we were informed that the LearnWorlds team’s developers were still working on the case and that they would provide a response when they received feedback from their team.
  • On February 28, 2023, LearnWorlds sent an announcement email stating that their security team had reviewed the findings and confirmed their accuracy. Following this, SOCRadar informed LearnWorlds that a deadline for fixing the identified vulnerabilities should be provided; otherwise, we would need to inform our customers and the community as soon as possible about the confirmed security issues and the response. We received a response that they would get back to us when there was an update on the issue.
  • We sent an email to LearnWorlds on March 13, 2023, indicating that we would publish the blog post.
