Private API key leakage due to lack of access control
State Resolved (Closed)
Disclosed publicly 2018-08-08T17:50:23.485Z
Reported To
Weakness Improper Access Control - Generic
Bounty
Summary by yox

A CloudFlare API was leaking private details including API keys, personal/account data, and OAuth keys due to a lack of origin protection on the application.

Great response from them: initial response received after only 10 minutes, and an effective mitigation was in place within around 6 hours.


Timeline
yox submitted a report to Cloudflare.
2018-07-03T15:05:41.669Z

The lack of access control on the https://mobilesdk.cloudflare.com/api/v1/ API allows a remote attacker to access and steal a logged-in user's private data.

This can be done due to the lack of origin protection. An attacker can embed the config URI "https://mobilesdk.cloudflare.com/api/v1/config" as a hidden iframe on their site, and then access/store the victim's JSON output containing the details.

Reproduce:

  1. Create an account at https://mobilesdk.cloudflare.com
  2. Login
  3. Visit https://yoxall.me.uk/b/cf-testAUTH.html (here you'll see 2 embedded iframes containing your details and API keys.)

Image: https://i.imgur.com/vR7sq8Y.png

Impact

The vulnerability could leak a lot of private details, including but not limited to app private API keys, auth keys, e-mail addresses, names, phone number, location, etc.

Given the client key is "hidden" at start and used to initiate the app signup process, it's possible the attacker may be able to impersonate the user and take control of their app in some way? Although I can't verify this, as I don't have the SDK downloaded.

Regards,
Frans

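The report above describes an authenticated JSON API whose responses any origin could obtain, and the triage thread later attributes this to CORS being enabled on the application and mentions X-Frame-Options in the patch. The following is an added example, not Cloudflare's code and not the reporter's test page: it contrasts a response-header policy that reflects any Origin with credentials against a hardened one that allow-lists origins and blocks framing, models the browser-side decision each policy produces, and gives a small audit helper of the kind a header review would use. The origin names and the allow list are constructed for the example.

```javascript
// Added example, not Cloudflare's code: a weak and a hardened response-header
// policy for an authenticated JSON API, plus a browser-side model of what each
// policy lets a cross-site page do. All origins below are constructed samples.

// Origins the API is legitimately called from (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak policy: echoes whatever Origin the browser sent and opts into
// credentials. Any page can then fetch() the endpoint with the victim's
// session cookie attached and read the JSON body.
function weakCorsHeaders(requestOrigin) {
  const headers = {};
  if (requestOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Hardened policy: CORS grants only for allow-listed origins, Vary so caches
// do not serve one origin's grant to another, and anti-framing headers on
// every response so the endpoint cannot be embedded in an <iframe>.
function hardenedCorsHeaders(requestOrigin) {
  const headers = {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'Vary': 'Origin',
  };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Models the browser's check for a credentialed cross-origin fetch: the page
// at pageOrigin may read the body only if the server echoed exactly that
// origin (a wildcard is rejected when credentials are included) and set
// Access-Control-Allow-Credentials: true.
function browserCanReadResponse(pageOrigin, headers) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Models the browser's framing check: X-Frame-Options: DENY or a CSP
// frame-ancestors 'none' directive blocks embedding from any origin.
function browserCanFrame(headers) {
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  const csp = headers['Content-Security-Policy'] || '';
  return xfo !== 'DENY' && !/frame-ancestors\s+'none'/.test(csp);
}

// Review helper: probes a policy with an origin that is not on the allow list
// and returns the findings a header audit should raise for this class of bug.
function auditPolicy(policyFn, probeOrigin = 'https://untrusted.example') {
  const headers = policyFn(probeOrigin);
  const findings = [];
  if (browserCanReadResponse(probeOrigin, headers)) {
    findings.push('reflects arbitrary Origin with credentials');
  }
  if (browserCanFrame(headers)) {
    findings.push('no anti-framing header (X-Frame-Options / frame-ancestors)');
  }
  return findings;
}

// Stand-alone run: print the audit result for both policies.
for (const [name, policy] of [['weak', weakCorsHeaders], ['hardened', hardenedCorsHeaders]]) {
  const findings = auditPolicy(policy);
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

The two browser-side functions are deliberately simplified models of the real checks, but they capture the two controls at issue in this thread: a credentialed response is readable cross-site only when the server names the caller's exact origin, and a JSON endpoint that carries session data should additionally refuse to be framed.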
yox Activities::Comment
2018-07-03T15:07:12.684Z
Should note it isn't only /v1/config; it seems to affect the whole API, e.g. /v1/user, /v1/apps/simplified, /v1/appdetail/<App id> too.


higcf Activities::Comment
2018-07-03T15:15:44.114Z
Thank you for your submission, please stand by as I alert the appropriate team.


higcf Activities::BugTriaged
2018-07-03T15:16:10.863Z
Thank you for submission. I have escalated your report to our engineers for review.


higcf Activities::Comment
2018-07-03T15:33:04.771Z
We are investigating further as the second embedded window shows "{ "message": "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server." }" This may be because of my account being linked via cloudflare.com; could you provide more information such as apps installed, their completion to the SDK wizard, etc.


yox Activities::Comment
2018-07-03T15:39:46.018Z
I just created a new account at https://mobilesdk.cloudflare.com/v2s/, verified it, logged in and it worked on my end. Maybe try creating a new account that isn't linked to CloudFlare? Will take another look at it and see if I can reproduce. For now, feel free to test on my test account with the following credentials "[email protected]":"[email protected]". Just checked to verify on here, still working.


yox Activities::Comment
2018-07-03T15:51:07.000Z
Never mind, I figured out why. Ignore the 2nd iframe, it's because it's targeting a specific app of that user: /v1/appdetail/5694356056965120. You won't see it as that app doesn't belong to your new account. The first iframe is the /config mentioned, which leaks the majority of information. I'll add a 3rd one for the /user endpoint too. If you'd like to test the appdetail one, you'll need to embed /api/v1/appdetail/<YourOwnAPPID>.


higcf Activities::Comment
2018-07-03T15:54:17.982Z
That is what I had assumed, thank you. Just wanted to be sure.


yox Activities::Comment
2018-07-03T16:03:21.497Z
I've gone and added a slot for the /user, so you can view that too. Seems to expose a bunch of personal info: username/e-mail, country, verification status, mobile OS, admin status, keys, and some form of permissions.


higcf Activities::Comment
2018-07-03T19:04:10.253Z
Ok, we will soon be rolling out a patch; we found that the application had enabled CORS, allowing these vulnerabilities. We have updated the code and it will be rolled out soon. Thank you for your submission; would you mind providing your name, address and shirt size so I may send you some swag?


yox Activities::Comment
2018-07-03T19:06:40.573Z
Good to hear, sure. Do you have a GPG key or e-mail I could forward you the details on? Thanks for the prompt response.


higcf Activities::Comment
2018-07-03T19:07:46.588Z


higcf Activities::Comment
2018-07-03T19:20:41.440Z
I wouldn't mind if you checked this out also... https://grnh.se/5ab6f6bc1 if you would happen to entertain applying.


yox Activities::Comment
2018-07-03T19:30:03.735Z
Sent you those details over! Haha, it's funny you say that actually. I'm in the UK and currently an Infosec student. I actually applied for the Firewall Security Engineer role in London, and am working with CloudFlare on exploring a potential internship! Not sure if you guys are closely interconnected or not, but if you could mention me to them that'd be great! It was the director of Engineering (Andrew) I spoke to.


higcf Activities::Comment
2018-07-05T15:08:51.747Z
I will happily look into that, because yes, we are very interconnected here at Cloudflare.


yox Activities::Comment
2018-07-05T21:41:09.437Z
Thanks, I would appreciate it :-) Any update on this one? I believe the iframe was forbidden last time I checked, as X-Frame-Options had been enforced?


higcf Activities::Comment
2018-07-09T17:10:01.938Z
Yes, patches have been released; it seems this attack has been mitigated.


higcf Activities::BugResolved
2018-07-09T17:10:15.554Z


yox Activities::AgreedOnGoingPublic
2018-07-09T17:50:08.349Z
Happy to disclose this one? :)


yox Activities::Comment
2018-07-09T23:01:59.446Z
Also, would I be able to get the 12 month pro subscription? It would be useful for further testing. Thanks


higcf Activities::Comment
2018-07-10T15:24:44.143Z
Sure, which domain would you like it added to?


yox Activities::Comment
2018-07-10T17:27:32.208Z
I don't currently have any active domains under CloudFlare other than prototypes, I was under the impression the upgrade would be applied to an account. Would that be possible or is it a per-domain subscription?


higcf Activities::Comment
2018-07-10T18:15:43.716Z
Yeah, I completely understand the confusion; before I worked here I thought the same thing. Each domain is its own zone and can therefore have different tiers of service. Unfortunately we have to have the one domain in our system in order to enable it.


yox Activities::Comment
2018-07-10T20:45:18.464Z
Ah, so if I forward you one of my prototype domains then will the benefits only apply to that domain? Or will they be available account-wide once enabled?


yox Activities::Comment
2018-07-23T10:04:12.556Z
Hi, could you add it to the domain (yoxall.me.uk) please? Also just making sure that you received my swag details via e-mail (address, size, etc)?


higcf Activities::Comment
2018-07-23T19:37:36.010Z
Yes, and you were added to our outgoing list, thanks! I'll add the request for that domain also.


yox Activities::Comment
2018-07-24T21:39:58.923Z
Thanks!


Activities::ReportBecamePublic
2018-08-08T17:50:23.517Z