Hey Developer, Give me your API keys.!!
TL;DR
This is just another friendly article, without any secret “Ninja” techniques..!!
Credits : thanks to security team of Infoziant Labs for consistent support..!
DISCLAIMER : In this blog post I am not gonna talk about any advance stuff ,neither any secret techniques, this blog is all about , how developers sometimes make silly mistakes..(after all developers are human too :P )!!
Now, some of you might say , :
Okay, okay . Hold on ..!! and read the full article..!!
Every year we notice data breaches,hacks,ransomware attacks on big IT giants , In most of the hacks , the reasons are Server side system vulnerabilties,Client side flaws of the application, and social engineering too..!!
But there are few cases in which the reasons of these kind of attacks are just some silly mistakes made by developers, Like : leaving their secret API keys,AWS secret Keys,Mysql credentials,their slack channel’s credentials in their public respositories,
Later on in this post I will show you one of my recent findings , which illustrates how I found a secret api key of Crowdin’s test project , and succesfully pwned their test project. [The issue is Fixed now]
What worse can be done..!
In the past I had seen some cases, where developers left hardcoded credentials in android application of their company , which later gave me access to their admin dashboard,
Some developers encode the api keys using Base64, and think the attacker will not be able to find the API keys, I mean are they serious, Base64 encoding is not the solution to these issues, Base64 encoded API keys can easily be decoded..!!
CREDITS TO “Rojan Rijal” for his blog post : https://sites.google.com/securifyinc.com/rojanrijal/finding-leaked-sensitive-data
Now let me narrate an interesting incident..!
“How I got complete access to Crowdin’s testproject[RUBYTESTAPI]” ..!!
What Crowdin is ?
“Crowdin is a localization management platform designed to automate localization within agile software development. With more than 1,000, 000 user accounts, platform is used by development companies in 140 countries”.
‘-for more info about crowdin read this : https://www.crunchbase.com/organization/crowdin-'
I decided to test crowdin for vulnerabilties , because they offer cool goodies pack for valid vulnerabilties..!!
So I started finding some code level bugs in their github respositories , Soon I ended up with a page that is discosing their secret API key , here : https://github.com/crowdin/crowdin-api/blob/master/bin/console
api_key = ‘79323cdcd6b4566154c4fb9c6bbd3be1’
project_id = ‘rubytestapi’
base_url = ‘https://api.crowdin.com'
Note : This API key is now expired,
As you can see above I got api_key and project_id .At that moment ,I have no idea , How I can use this api key for accessing their project.. So I started reading their API docs here : https://support.crowdin.com/api/api-integration-setup/
Soon I found that I can takeover their project : “rubytestapi” , using API_key,
After reading their API docs , I am all set to takeover their test project.
For enumerating Project Details of their project “rubytestapi” , the request will be :
GET https://api.crowdin.com/api/project/{project-identifier}/info?key={project-key}
NOTE : the project-identifier is “rubytestapi” and the project-key is “79323cdcd6b4566154c4fb9c6bbd3be1” ,
When I sent that GET request using burp , I got a 200 OK response , and complete details of their project(“rubytestapi”)
POC :
Now what can I do with their project (“rubytestapi”)
I can add files,delete files,upload translation,check translation status, and many other things (see here : https://support.crowdin.com/api/info/), In short, I had complete access to their project,
Soon after the discovery , I first sent an email to crowdin to confirm that the rubytestapi project is owned by them or not. And within few minutes I got this response :
So it is clear that the project is owned by crowdin..!!
, I reported the issue to them along with Proof of Concept, They triaged and fixed the report within 1 hour(Kudos to them for their awesome response time)
I was rewarded with their Goodies pack , and got listed in their hall of fame :
MESSAGE TO ALL DEVELOPERS OUT THERE : “BE CAREFUL WHILE HANDLING API KEYS”
Also check out these awesome blogposts,
https://sites.google.com/securifyinc.com/rojanrijal/finding-leaked-sensitive-data
https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724
want to chat.? connect with me
Twitter : @devanshwolf
Facebook : Devansh Batham
./rgds
Devansh Batham(Infoziant Labs)
Have some penetration testing or security projects ? Give a shout to Infoziant Labs(Tony@infoziant.com)
