This bug isn’t fixed yet and it’s on a private program, so I can’t disclose the program name or their users’ data.
The root cause was a fixed Authorization token shared by every user, which led to disclosure of users’ information, exploitation of misconfigured CORS, and remote modification of users’ information.
My methodology for testing API endpoints:
Chrome > F12 > Network tab > then sign up/log in to my account.
Most of the endpoints show up here, and I can see each HTTP request and response: which headers are being passed, whether an Authorization token is present, and whether an Origin header is present.
So here I begin. I was testing this program using the method above: I created a test account, logged in, and was looking for interesting requests when I found “someapi.domain.com” with a nice REST API endpoint, “/v1/users/my-uid”. I checked the request headers for an Authorization header and an Origin header; both were present, and I lost hope.
That’s because when an Authorization header is present in the request, even a misconfigured CORS policy won’t be exploitable. To confirm, I visited the endpoint with my UID, and I was shocked: it showed all my information in a plain GET request without the authorization token. I immediately tried to exploit the CORS misconfiguration but failed because of the authorization token, so I logged out of my account to check whether the token expired, and it didn’t. Then I created a second account, took its UID, and replaced my UID with it while keeping the same authorization token; it returned the second account’s information. I compared both authorization tokens and was very surprised to find they were identical: every user gets the same fixed authorization token, only the UIDs differ. I ran a brute force with Burp Intruder and got a large number of valid UIDs.
The below images show the requests and responses.
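To make the root cause concrete, here is an added example (not code from the program or from this write-up) that simulates the `GET /v1/users/<uid>` handler in two forms: the vulnerable shape described above, where the handler only checks for a shared constant token (or none at all) and never which account the token belongs to, next to a hardened version that binds the token to a UID and enforces that the UID in the path matches. The user records, signing key, fixed token value and CORS allowlist are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data (not from the program): a signing key and two user records.
SERVER_KEY = b"constructed-demo-signing-key"
USERS: Dict[str, Dict[str, str]] = {
    "uid-1001": {"name": "Alice", "email": "alice@example.invalid"},
    "uid-1002": {"name": "Bob", "email": "bob@example.invalid"},
}
# The weak design from the write-up: one static token handed to every user.
FIXED_TOKEN = "static-shared-token"
# Hypothetical allowlist of front-end origins allowed to make credentialed calls.
ALLOWED_ORIGINS = {"https://app.example.invalid"}


def issue_token(uid: str) -> str:
    """Per-user bearer token '<uid>.<HMAC-SHA256(uid)>', so the token is bound to one account."""
    sig = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{sig}"


def vulnerable_authorize(auth_header: Optional[str], requested_uid: str) -> bool:
    """Reproduces the behaviour described in the write-up: the check passes when the
    token is the shared constant, and also when no token is sent at all. The UID in
    the path is never compared against anything, so any UID can be read."""
    return auth_header is None or auth_header == f"Bearer {FIXED_TOKEN}"


def hardened_authorize(auth_header: Optional[str], requested_uid: str) -> bool:
    """Require a valid per-user token AND that it belongs to the UID in the path."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    token = auth_header[len("Bearer "):]
    uid, sep, sig = token.partition(".")
    if not sep or uid not in USERS:
        return False
    expected = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare of the signature
        return False
    # Object-level check the original API skipped: the caller may only read their own record.
    return uid == requested_uid


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Only echo an allowlisted Origin. Reflecting arbitrary origins together with
    Allow-Credentials is the misconfiguration the write-up tried to exploit."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def get_user(
    headers: Dict[str, str],
    requested_uid: str,
    authorize: Callable[[Optional[str], str], bool] = hardened_authorize,
) -> Tuple[int, Dict[str, str], Dict[str, str]]:
    """Simulated handler for GET /v1/users/<uid>; returns (status, body, response headers)."""
    cors = cors_headers(headers.get("Origin"))
    # Authorize before looking the record up, so the response code does not reveal
    # which UIDs exist to a caller who is not entitled to them.
    if not authorize(headers.get("Authorization"), requested_uid):
        return 403, {}, cors
    if requested_uid not in USERS:
        return 404, {}, cors
    return 200, USERS[requested_uid], cors


if __name__ == "__main__":
    shared = {"Authorization": f"Bearer {FIXED_TOKEN}"}
    print("vulnerable, other user's uid:", get_user(shared, "uid-1002", vulnerable_authorize)[0])
    alice = {"Authorization": f"Bearer {issue_token('uid-1001')}"}
    print("hardened, own uid:", get_user(alice, "uid-1001")[0])
    print("hardened, other user's uid:", get_user(alice, "uid-1002")[0])
```

The design point is that a bearer token has to identify a principal and the handler has to compare that principal against the resource in the path; a token that is the same for everyone carries no identity, so the UID in the URL becomes the only "credential", which is exactly what the Intruder run above took advantage of. The same applies on the CORS side: an allowlist is the only safe input to `Access-Control-Allow-Origin` when credentials are allowed.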
Summary: Don’t give up when you see a dead end; instead, try to understand what’s happening and whether the server is validating it correctly.
To my luck it was marked as a duplicate, but it was too much fun to find and exploit, and I learned new things.
NOTE: It’s not fixed yet, but when it gets fixed I’ll update this write-up with a video PoC for clear steps.
I tried hard to write this as a fun read so that no one gets bored; I hope it won’t bore anyone. ❤