The login page of a cyber security vendor used by its customers was vulnerable to a reflected cross-site scripting (RXSS) attack.
Before Fortinet patched the vulnerability, it could allow attackers to log their passwords in cleartext.
Fortinet is one of the biggest suppliers of security products and services.
Fortinet’s SSO (Single-Sign-On) login system contained a vulnerability that allowed attackers to insert malicious parameters inside the login page’s URL, said French security researcher Yann Cam, working for information security firm Synetis.
Since Fortinet redirects users who access other services to the login.fortinet.com domain using extremely long and complicated URLs, the attacker would find it easy to hide their malicious code inside it.
In his tests, Cam created a malicious JS file, which he hosted on his server while loading alongside the rest of the legitimate Fortinet login page.
This malicious file was altering code in the original Fortinet login page and thus allowed the attacker to hijack the login form, sending authentication data to one of his servers, where it was logged.
“In this case, the RXSS is located directly on the centralized authentication page. Thus, no need to create a fake login page to deceive potential victims,” Cam said in a blog post.
An attacker using this exploit could access a Fortinet customer’s account and see what kind of security equipment they bought, gaining crucial information needed to plan future attacks.
If the customer had reused the Fortinet username/password on other sites or even security devices, then the attacker would have had a simple key to many of the victim’s assets.
Cam discovered the issue on November 6 and Fortinet patched it on December 2. The reason details about this bug are only now coming to light is because Cam also identified a second XSS in Fortinet’s ticketing software and waited for Fortinet to patch that one as well. Fortinet does not run a bug bounty program, so there was no additional monetary reward for Cam’s work.