Private API key leakage due to lack of access control
State Resolved (Closed)
Disclosed publicly 2018-08-08T17:50:23.485Z
Reported To
Weakness Improper Access Control - Generic
Summary by yox

A CloudFlare API was leaking private details, including API keys, personal/account data, and OAuth keys, due to a lack of origin protection on the application.

Great response from them: the initial response was received after only 10 minutes, and an effective mitigation was in place within around 6 hours.

yox submitted a report to Cloudflare.

The lack of access control on the API allows a remote attacker to access and steal a logged-in user's private data.

This can be done due to the lack of origin protection. An attacker can embed the config URI "" as a hidden iframe on their site, and then access/store the victim's JSON output containing the details.


  1. Create an account at
  2. Login
  3. Visit (here you'll see 2 embedded iframes containing your details and API keys.)

The vulnerability could leak a lot of private details, including but not limited to app private API keys, auth keys, e-mail addresses, names, phone number, location, etc.

Given the client key is "hidden" at start and used to initiate the app signup process, it's possible the attacker may be able to impersonate the user and take control of their app in some way? Although I can't verify this, as I don't have the SDK downloaded.
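Added example, not code from the report or from Cloudflare: a hardened CORS and framing header policy for a credentialed JSON API like the /v1/config and /v1/user endpoints named in the report, beside the permissive policy the thread describes, plus a header audit that flags the leaky combination. The allow-listed origin, the helper names and the sample origins are assumptions constructed for illustration.

```javascript
// Assumed allow-list of first-party origins permitted to read the JSON API.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Weak policy (assumed to resemble the pre-fix behaviour the thread describes):
// reflects any Origin and allows credentials, so a third-party page can read a
// logged-in user's /v1/config or /v1/user response with the victim's cookies.
function permissiveCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin || '*',
    'Access-Control-Allow-Credentials': 'true',
    'Content-Type': 'application/json',
  };
}

// Hardened policy: only allow-listed origins get a CORS grant, responses vary
// on Origin so caches do not mix grants, and framing is refused outright.
function hardenedHeaders(requestOrigin) {
  const headers = {
    'Content-Type': 'application/json',
    'X-Frame-Options': 'DENY',
    'Vary': 'Origin',
  };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Audit the response headers of a private endpoint for the request Origin that
// produced them and return the findings a reviewer would raise.
function auditPrivateApiHeaders(headers, requestOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  if (acao === '*') {
    findings.push('wildcard Access-Control-Allow-Origin on private data');
  } else if (acao && !ALLOWED_ORIGINS.has(acao)) {
    findings.push('grants ' + (creds ? 'credentialed ' : '') +
      'access to untrusted origin ' + acao + (acao === requestOrigin ? ' (reflected)' : ''));
  }
  const csp = h['content-security-policy'] || '';
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    findings.push('no framing protection (X-Frame-Options or CSP frame-ancestors)');
  }
  return findings;
}
```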

yox Activities::Comment
Should note it isn't only /v1/config; it seems to affect the whole API, e.g. /v1/user, /v1/apps/simplified, /v1/appdetail/<App id> too.

higcf Activities::Comment
Thank you for your submission, please stand by as I alert the appropriate team.

higcf Activities::BugTriaged
Thank you for your submission. I have escalated your report to our engineers for review.

higcf Activities::Comment
We are investigating further, as the second embedded window shows "{ "message": "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server." }". This may be because of my account being linked via ; could you provide more information, such as apps installed, their completion of the SDK wizard, etc.?

yox Activities::Comment
I just created a new account at, verified it, logged in, and it worked on my end. Maybe try creating a new account that isn't linked to CloudFlare? I will take another look at it and see if I can reproduce. For now, feel free to test on my test account with the following credentials: "[email protected]":"[email protected]". Just checked to verify on here; still working.

yox Activities::Comment
Never mind, I figured out why. Ignore the 2nd iframe; it's because it's targeting a specific app of that user: /v1/appdetail/5694356056965120. You won't see it as that app doesn't belong to your new account. The first iframe is the /config mentioned, which leaks the majority of information. I'll add a 3rd one for the /user endpoint too. If you'd like to test the appdetail one, you'll need to embed /api/v1/appdetail/<YourOwnAPPID>.

higcf Activities::Comment
That is what I had assumed, thank you. Just wanted to be sure.

yox Activities::Comment
I've gone and added a slot for the /user, so you can view that too. It seems to expose a bunch of personal info: username/e-mail, country, verification status, mobile OS, admin status, keys, & some form of permissions.

higcf Activities::Comment
OK, we will soon be rolling out a patch. We found that the application had enabled CORS, allowing these vulnerabilities. We have updated the code and it will be rolled out soon. Thank you for your submission; would you mind providing your name, address and shirt size so I may send you some swag?

yox Activities::Comment
Good to hear, sure. Do you have a GPG key or e-mail I could forward you the details on? Thanks for the prompt response.

higcf Activities::Comment
I wouldn't mind if you checked this out also... if you would happen to entertain applying.

yox Activities::Comment
Sent you those details over! Haha, it's funny you say that actually. I'm in the UK and currently an infosec student. I actually applied for the Firewall Security Engineer role in London, and am working with CloudFlare on exploring a potential internship! Not sure if you guys are closely interconnected or not, but if you could mention me to them that'd be great! It was the director of Engineering (Andrew) I spoke to.

higcf Activities::Comment
I will happily look into that, because yes, we are very interconnected here at Cloudflare.

yox Activities::Comment
Thanks, I would appreciate it :-) Any update on this one? I believe the iframe was forbidden last time I checked, as X-Frame-Options had been enforced?

higcf Activities::Comment
Yes, patches have been released; it seems this attack has been mitigated.

higcf Activities::BugResolved

yox Activities::AgreedOnGoingPublic
Happy to disclose this one? :)

yox Activities::Comment
Also, would I be able to get the 12 month pro subscription? It would be useful for further testing. Thanks

higcf Activities::Comment
Sure, which domain would you like it added to?

yox Activities::Comment
I don't currently have any active domains under CloudFlare other than prototypes, I was under the impression the upgrade would be applied to an account. Would that be possible or is it a per-domain subscription?

higcf Activities::Comment
Yeah, I completely understand the confusion; before I worked here I thought the same thing. Each domain is its own zone and can therefore have different tiers of service. Unfortunately we have to have the one domain in our system in order to enable it.

yox Activities::Comment
Ah, so if I forward you one of my prototype domains then will the benefits only apply to that domain? Or will they be available account-wide once enabled?

yox Activities::Comment
Hi, could you add it to the domain ( please? Also just making sure that you received my swag details via e-mail (address, size, etc)?

higcf Activities::Comment
Yes, and you were added to our outgoing list, thanks! I'll add the request for that domain also.

yox Activities::Comment