Multiple API issues due to a fixed Authorization token.

Mustafa Khan
May 24, 2019 · 3 min read

This bug isn’t fixed yet and it’s on a private program, so I can’t disclose the program name or its users’ data.

The root cause was a fixed Authorization token shared by every user, which led to disclosure of users’ information, exploitation of a misconfigured CORS policy, and remote modification of users’ information.

My methodology for testing API endpoints:

Chrome > F12 > Network tab > then sign up/log in to my account.

Most of the endpoints show up here, and I can see each HTTP request and response: which headers are sent, whether an authorization token is present, and whether an Origin header is present.

So here I begin. I was testing this program using the method above: I created a test account, logged in, and was checking for interesting requests when I got “” with a nice REST API endpoint, “/v1/users/my-uid”. I checked the request headers for an Authorization header and an Origin header; both were present, and I lost hope.


Because when an Authorization header is present in the request, even a misconfigured CORS policy won’t be exploitable. To confirm, I visited the endpoint with my UID, and I was shocked: it showed all my information in a plain GET request without the authorization token. I immediately tried to exploit the CORS misconfiguration but failed because of the authorization token, so I logged out of my account to check whether the token expired, and it did not. Then I created a second account, took the second account’s UID and replaced my UID with it while keeping the same authorization token, and it showed the second account’s information. I compared both authorization tokens and was very surprised: they were identical. Every user gets the same fixed authorization token, with only the UID differing. I ran a brute force via Burp Intruder and got many valid UIDs.

The below images show the requests and responses.

(Screenshot: user’s info disclosure.)
(Screenshot: updating anyone’s information by changing the UID.)
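To make the defect concrete, here is an added example (not the program’s code, which can’t be disclosed, and not part of the original post): a minimal model of the /v1/users/{uid} handler with the shared static token, beside a version that issues per-user tokens at login and serves a record only when the token’s subject matches the requested UID, plus an Origin allowlist instead of reflecting any origin. All names, tokens, user records and the allowlist are assumed.

```python
from typing import Dict, Optional, Tuple
import hmac
import secrets

# Constructed sample data: two users with their profile records (not real data).
USERS: Dict[str, dict] = {
    "uid-1001": {"email": "alice@example.test"},
    "uid-1002": {"email": "bob@example.test"},
}
SESSIONS: Dict[str, str] = {}  # per-user bearer token -> uid (filled by login)
STATIC_TOKEN = "app-wide-secret"  # the flaw: one token shared by every client
ALLOWED_ORIGINS = {"https://app.example.test"}  # assumed CORS allowlist


def get_user_vulnerable(uid: str, auth: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Models the write-up: the token identifies the app, not the user, so any
    UID can be read, and the check is skipped entirely when the header is absent."""
    if auth is not None and not hmac.compare_digest(auth, STATIC_TOKEN):
        return 401, None
    if uid not in USERS:
        return 404, None  # valid vs. invalid UIDs are distinguishable to a guesser
    return 200, USERS[uid]


def login(uid: str) -> str:
    """Issue a fresh, unguessable per-user bearer token at login."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return token


def get_user_fixed(uid: str, auth: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Require a bearer token, resolve it to a subject, and serve only that subject's record."""
    if auth is None or not auth.startswith("Bearer "):
        return 401, None  # no credential: never fall through to the data
    subject = SESSIONS.get(auth[len("Bearer "):])
    if subject is None:
        return 401, None  # unknown or expired token
    if not hmac.compare_digest(subject, uid):
        return 403, None  # authenticated, but not authorised for this UID
    return 200, USERS[uid]


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only an allowlisted origin; an unknown origin gets no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

The fixed handler also closes the logout problem from the write-up: deleting the token from SESSIONS at logout makes it return 401 afterwards, whereas the static token can never be revoked.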

Summary: Don’t give up when you see a dead end; instead, try to understand what’s happening and whether the server is validating it correctly.

As my luck would have it, it was marked a duplicate, but it was a lot of fun to find and exploit, and I learned new things.

NOTE: It’s not fixed yet, but when it gets fixed I’ll update this write-up with a video PoC showing clear steps.

I tried hard to write this as a fun read so that no one gets bored; I hope it won’t bore anyone. ❤
