Full Report
Riot Games is a video game creator with many different websites. Because of this, there are many different endpoints that need access to metadata associated with the user. In order to do this, information needs to be shared cross-origin. Back in 2016 (and before) CORS and window.postMessage were spotty at best. What's the solution to this? easyXDM was a JavaScript library that allows for cross-origin calls while using anything that was available - postMessage, Flash LocalConnection or anything else. easyXDM had a producer and consumer model - a producer would export some JavaScript functions that another site could request. In the context of Riot Games, this was pm.html on account.leagueoflegends.com. The functions exported were as follows were get-cookies, set-cookies and send for cross origin request/responses. easyXDM webpages obtain context from a series of query parameters. It should be noted that these are ALL attacker controlled though: xdm_e: The URL to load the page if it's the consumer or the URL of the parent page if it's a producer. xdm_c: The channel to send the messages on. xdm_s: The secret to use to validate between the two parties. xdm_p: The ID of the protocol. This is incredibly scary functionality - so, how is this protected? Both the referrer header on the request and the protocols message origin would have to match an allowlist. The exploitation requires bypassing both of these protections. To bypass the referrer check, they thought about using a link on the league of legends forums. However, they wanted this to be more portable. So, they hunted for open redirect issues on allowlisted sites that were being done via JavaScript (since 301/302s from the server don't set the referrer header). When the xdm_e parameter doesn't match the referer, it will redirect. We can bypass this for an open redirect itself! They found an additional open redirect on another page as well. The origin check is validating that the message is coming from an allowlisted origin. However, when auditing the code of the library, the author noticed that HashTransport works by passing in from data a child iFrame to a parent window via the window.location.hash. But, there's a problem here: how does it know which child or subdomain sent it? It simply uses the xdm_e - which is exactly the bug we need! There's a catch though: if we set the domain to an attacker domain, our page will load but NOT from an allowlisted origin. If we use an allowlisted origin OUR page won't load. The solution? Callback hell with iFrames. At this point, we can make requests but cannot receieve responses - this leaves us with setting cookies and makes arbitrary requests using the cookies. They use this to perform XSS on the site. Overall, interesting bug in a piece of technology that became obsolete. The library maintainers didn't fix the vulnerability becaues this was considered legacy at the time of reporting.
Analysis Summary
# Vulnerability: Cross-Origin Resource Sharing Bypass via easyXDM in Riot Games Architecture
## CVE Details
- **CVE ID**: Not Assigned (Legacy architectural vulnerability)
- **CVSS Score**: Estimated 8.3 (High) - `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L`
- **CWE**: CWE-346 (Origin Validation Error), CWE-601 (Open Redirect)
## Affected Systems
- **Products**: Riot Games account management infrastructure (specifically `account.leagueoflegends.com`) and any historical site utilizing the `easyXDM` library.
- **Versions**: easyXDM (Producer/Consumer model sites active circa 2016).
- **Configurations**: Sites exposing sensitive functionality (cookies/cross-origin requests) via `easyXDM` endpoints like `pm.html` or `provider.html`.
## Vulnerability Description
The flaw resides in the design of the `easyXDM` library and its implementation at Riot Games. The library was designed to facilitate cross-origin communication between a "Producer" and a "Consumer" via query parameters (`xdm_e`, `xdm_c`, `xdm_s`, `xdm_p`).
1. **Referrer Bypass**: The library validates the `Referer` header against an allowlist. This was bypassed using a JavaScript-based open redirect on an allowlisted domain. Since JavaScript redirects (unlike server-side 301/302) maintain the parent's referrer in certain contexts or can be manipulated via "callback hell" iFrame nesting, the origin check failed.
2. **Origin Validation Logic Flaw**: The `HashTransport` mechanism in `easyXDM` uses `window.location.hash` to pass data. It identifies the origin of the message using the attacker-controlled `xdm_e` parameter.
3. **Logic Flaw**: By nesting iFrames (Attacker Site -> Allowlisted Open Redirect -> easyXDM Producer), an attacker can trick the library into performing actions (setting cookies, making requests) on the user's behalf because the library trusts the `xdm_e` parameter for origin identity during `HashTransport`.
## Exploitation
- **Status**: PoC available/exploited in a coordinated disclosure environment.
- **Complexity**: High (Requires chaining open redirects and complex iFrame nesting).
- **Attack Vector**: Network (Web-based).
## Impact
- **Confidentiality**: High (Ability to make arbitrary requests with user cookies and potentially read responses).
- **Integrity**: High (Ability to set/overwrite cookies and perform XSS via arbitrary requests).
- **Availability**: Low (Minimal direct impact on service uptime).
## Remediation
### Patches
- **No Official Patch**: The maintainers of `easyXDM` declined to patch the library as it was considered legacy/obsolete at the time of reporting.
- **Vendor Action**: Riot Games decommissioned the vulnerable endpoints and migrated to modern `window.postMessage` implementations with robust origin validation.
### Workarounds
- **Disable easyXDM**: Replace the library with modern Web APIs (CORS and `postMessage`) that have standardized security models.
- **Strict Headers**: Implement `Content-Security-Policy` (CSP) to restrict iFrame ancestors and prevent clickjacking/nesting.
## Detection
- **Indicators of Compromise**:
- Unusual traffic involving `pm.html` with unexpected `xdm_e` values pointing to external or redirector URLs.
- Large volumes of requests coming from open redirect parameters on legacy forum pages.
- **Detection Methods**: Audit web server logs for the `xdm_e` parameter containing non-standard domains or encoded redirect strings.
## References
- **Original Research**: hxxps[://]habr[.]com/ru/articles/311306/ (Historical context)
- **Library Source**: hxxps[://]github[.]com/oyvindkinsey/easyXDM
- **Vulnerability Concept**: hxxps[://]www[.]skeletonscribble[.]net/2013/05/easyxdm-cross-site-scripting.html