Rate Limit issues that can lead to disclosing some of Spreaker users' data
Seven months ago, I submitted a Bruteforce / Rate Limit issue to Spreaker, which allowed me to leak, en masse, users' Full Name, Location, Birthday, Email, Followers count, and also some of their privacy settings.
This endpoint doesn't have any Rate Limit or Captcha protection. However, Spreaker's Bug Bounty does not accept rate limit issues, and it seems that this issue needs attention because it can leak mass user information. What is more disappointing is that when I sent a message to their support via their Twitter page, they asked me to report it again, so I submitted it for the second time. That time I emailed both their support@ and their security@ address, and there has still been no response from them until now.
PROOF OF CONCEPT
The Vulnerable URL I found which leaks User Information:
The XXXXXXX contains seven digits that can be brute-forced quickly, and this endpoint doesn't come with any form of rate limiting, so an attacker can issue ten million requests. He/she can gather all publicly displayed emails, Full names, birthdays, locations, the number of each user's followers, and even some of their privacy settings.
Take note that an attacker doesn't need to be authenticated to access this endpoint, which means anyone can gather Spreaker users' data.
I created a small Python script to automate this vulnerability. You can see the exploit in my GitHub repository, and also my video Proof Of Concept on my YouTube. The vulnerability still exists, and this issue is disclosed based on the 90-day disclosure rule, or something like it (idk).
I don't want to say that Spreaker doesn't care about personal information, but this issue needs attention and should be fixed right away.
June 17, 2019 — Report submitted thru email@example.com
July 23, 2019 — I asked for an acknowledgment of the issue or just an update. No response.
July 24, 2019 — Contacted their support via the Spreaker Twitter page.
July 25, 2019 — They replied asking if I could submit it again and also send it to firstname.lastname@example.org
July 25, 2019 — Submitted again to the support@ and security@ email addresses.
January 23, 2020 — Still no response, so I decided to disclose now.