Rate Limit issues that can lead to disclosing some Spreaker users’ data

Ace Candelario
Jan 23 · 2 min read

Seven months ago, I submitted a Bruteforce / Rate Limit issue to Spreaker, which allowed me to leak, en masse, users’ full names, locations, birthdays, emails, follower counts, and also some of their privacy settings.

This endpoint doesn’t have any rate limit or captcha protection. However, the Spreaker bug bounty does not accept rate limit issues, and it seems to me that this issue needs attention because it can leak mass user information. What is more disappointing is that when I sent a message to their support on their Twitter page, they asked me to report it again, so I submitted it for the second time. That time I emailed both their support@ and their security@ addresses, and there has still been no response from them until now.

PROOF OF CONCEPT

The Vulnerable URL I found which leaks User Information:

https://api.spreaker.com/user/XXXXXXX/fans?c=en_US&escape=true&user_stats=true&page=1&max_per_page=100

XXXXXXX is a seven-digit user ID, so the whole ID space is only about ten million values and can be brute-forced quickly. Because the endpoint has no form of rate limiting, an attacker can issue all ten million requests and gather every publicly displayed email, full name, birthday, location, follower count, and even some of each user’s privacy settings.

Note that an attacker doesn’t need to be authenticated to access this endpoint, which means anyone can gather Spreaker users’ data.
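The defensive counterpart of the issue described above is being able to spot an ID sweep against an unauthenticated per-user endpoint in server-side access logs. The following is an added example, not code from the original post or from Spreaker: the log format, the `/user/<id>/fans` path pattern taken from the URL above, and the thresholds (five distinct IDs with a consecutive run of four inside a 60-second window) are assumptions, and the log lines are constructed.

```python
"""Detect ID-enumeration sweeps against an unauthenticated per-user endpoint.

Added example (not the post's or Spreaker's code). Flags clients that request
many distinct /user/<id>/fans resources in a short window, especially when the
numeric IDs are consecutive, which is the signature of a sequential brute force.
The log format and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "ip timestamp method path status" format.
SAMPLE_LOG = """\
203.0.113.7 2019-06-17T10:00:00 GET /user/1000001/fans?c=en_US&page=1&max_per_page=100 200
203.0.113.7 2019-06-17T10:00:00 GET /user/1000002/fans?c=en_US&page=1&max_per_page=100 200
203.0.113.7 2019-06-17T10:00:01 GET /user/1000003/fans?c=en_US&page=1&max_per_page=100 200
203.0.113.7 2019-06-17T10:00:01 GET /user/1000004/fans?c=en_US&page=1&max_per_page=100 200
203.0.113.7 2019-06-17T10:00:02 GET /user/1000005/fans?c=en_US&page=1&max_per_page=100 200
203.0.113.7 2019-06-17T10:00:02 GET /user/1000006/fans?c=en_US&page=1&max_per_page=100 200
198.51.100.4 2019-06-17T10:00:03 GET /user/4567890/fans?c=en_US&page=1&max_per_page=100 200
198.51.100.4 2019-06-17T10:05:10 GET /user/4567890/fans?c=en_US&page=2&max_per_page=100 200
198.51.100.4 2019-06-17T10:09:30 GET /user/7654321/fans?c=en_US&page=1&max_per_page=100 200
192.0.2.9 2019-06-17T10:00:04 GET /episode/5551234/likes?page=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Only the per-user endpoint discussed in the post is of interest here.
FANS_RE = re.compile(r"^/user/(?P<uid>\d+)/fans(?:\?|$)")


def parse_log(text):
    """Yield (ip, datetime, uid) for each request to /user/<uid>/fans."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path_match = FANS_RE.match(m.group("path"))
        if not path_match:
            continue
        yield (m.group("ip"), datetime.fromisoformat(m.group("ts")), int(path_match.group("uid")))


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the distinct IDs."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(text, window=timedelta(seconds=60), min_distinct=5, min_run=4):
    """Return {ip: (distinct_ids, longest_run)} for clients that look like they are sweeping IDs.

    A client is flagged when, within some window of length `window`, it fetches at least
    `min_distinct` different user IDs of which at least `min_run` are consecutive.
    Normal browsing (one user, a few pages, minutes apart) stays below both thresholds.
    """
    by_ip = defaultdict(list)
    for ip, ts, uid in parse_log(text):
        by_ip[ip].append((ts, uid))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # left edge of the sliding window over this client's requests
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = [uid for _, uid in events[start:end + 1]]
            distinct = len(set(ids))
            run = longest_consecutive_run(ids)
            if distinct >= min_distinct and run >= min_run:
                prev = flagged.get(ip, (0, 0))
                flagged[ip] = (max(prev[0], distinct), max(prev[1], run))
    return flagged


if __name__ == "__main__":
    for ip, (distinct, run) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct user IDs, longest consecutive run {run}")
```

On the constructed log, only `203.0.113.7` is flagged (six distinct IDs, all consecutive, within two seconds); the second client fetches two pages of one user and then a different user several minutes apart, which is what legitimate use looks like, and the `/episode/...` request is ignored because it is not the endpoint under discussion. The same per-client counters are what a rate limiter on this endpoint would key on, so the detection and the mitigation share one data model.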

I created a small Python script to automate this vulnerability. You can see the exploit in my GitHub repository, and also my video proof of concept on my YouTube. The vulnerability still exists, and this issue is disclosed based on the 90-day disclosure some-kind-of-rule (idk).

I don’t want to say that Spreaker doesn’t care about personal information, but this issue needs attention and should be fixed right away.

TIMELINE

June 17, 2019 — Report submitted through security@spreaker.com

July 23, 2019 — I asked for an acknowledgment of the issue or just an update. No response.

July 24, 2019 — Contacted their support on the Spreaker Twitter page.

July 25, 2019 — They replied asking if I could submit it again and also send it to support@spreaker.com

July 25, 2019 — Submitted again to the support@ and security@ emails.

January 23, 2020 — Still no response, and I decided to disclose now.

UPDATE:

https://medium.com/@Spreaker/hi-ace-e01dc32be932

*flies away*

Written by

Bug Bounty Hunter | Security Analyst | Penetration Tester
