This is an elaboration for the authorization bypass vulnerability I have reported to Etsy through their bug bounty program.
The vulnerability allows an attacker to disclose purchase data of users. For example, it allows disclosing who bought what from whom with what feedback. It allows also disclosing who is buying what right now. The vulnerability exists in the Etsy API. These are the steps that I have followed to discover the finding:
A code snippet from the PHP app that uses OAuth will be like:
The generated HTTP request will be something like:
GET /v2/users/12345678/transactions?oauth_consumer_key==abcdefgc12345678abcdefg123456789&oauth_signature_method=HMAC-SHA1&oauth_nonce=102215147874bdd40d6.39711914&oauth_timestamp=1363642187&oauth_version=1.0&oauth_token=abcdefgc12345678abcdefg123456789&oauth_signature=abcdABCD12345qYNyklT9LeEo%3D HTTP/1.1
Now, let's hack. The method is expecting me to pass the user id which is mapped with the OAuth token retrieved from Etsy for such user. What I did is passing a user id of another user while calling the method by my PHP app. For example, instead of sending 12345678, I sent 87654321.
Normally, it should return an "unauthorized access" response. Well, it did not. The response contained data. The result was a JSON response that correlated buyer_user_id, seller_user_id, listing_id (item
purchased), buyer_feedback_id.
Below is a sample for how the response would look like:
The vulnerability allows an attacker to disclose purchase data of users. For example, it allows disclosing who bought what from whom with what feedback. It allows also disclosing who is buying what right now. The vulnerability exists in the Etsy API. These are the steps that I have followed to discover the finding:
First, I followed the steps
in http://www.etsy.com/developers/documentation
to acquire an API key in order to be able to call the Etsy API methods
Then, I navigated through the available API methods and I found the method "findAllUserBuyerTransactions"
(Its reference is available on http://www.etsy.com/developers/documentation/reference/transaction#method_findalluserbuyertransactions
)
This method retrieves transactions
information of buyers. It requires OAuth authentication in order to retrieve data of a certain user. The API method should be called by sending a request to the API URL: http://openapi.etsy.com/v2/users/:user_id/transactions
while entering the user id of the currently authenticated user and using OAuth
token given from Etsy for such user. I developed a simple PHP app to call the API method while following the guidelines over http://www.etsy.com/developers/documentation/getting_started/oauth .
A code snippet from the PHP app that uses OAuth will be like:
$data = $oauth->fetch("https://openapi.etsy.com//
v2/users/12345678/transactions",
null, OAUTH_HTTP_METHOD_GET);
$json = $oauth->getLastResponse();
print_r(json_decode($json, true));
The generated HTTP request will be something like:
GET /v2/users/12345678/transactions?oauth_consumer_key==abcdefgc12345678abcdefg123456789&oauth_signature_method=HMAC-SHA1&oauth_nonce=102215147874bdd40d6.39711914&oauth_timestamp=1363642187&oauth_version=1.0&oauth_token=abcdefgc12345678abcdefg123456789&oauth_signature=abcdABCD12345qYNyklT9LeEo%3D HTTP/1.1
User-Agent: PECL-OAuth/1.2.2
Host: openapi.etsy.com
Accept: */*
Now, let's hack. The method is expecting me to pass the user id which is mapped with the OAuth token retrieved from Etsy for such user. What I did is passing a user id of another user while calling the method by my PHP app. For example, instead of sending 12345678, I sent 87654321.
Normally, it should return an "unauthorized access" response. Well, it did not. The response contained data. The result was a JSON response that correlated buyer_user_id, seller_user_id, listing_id (item
purchased), buyer_feedback_id.
Below is a sample for how the response would look like:
{"count":2,"results":[{"transaction_id":33,"title":"Minnie
Mouse Dress","description":"This precious Minnie Mouse
dress is perfect for your Minnie birthday party or a trip to meet Mrs. Mouse
herself.","seller_user_id":346,"creation_tsz":12545,"tags":["clothing","children","dress","costume","girl“],"materials":["polyester","cotton"],"image_listing_id":157207512,"listing_id":456,"seller_feedback_id":null,
"buyer_feedback_id":34567,"url":"http:\/\/www.etsy.com\/transaction\/123","variations..}
At the end, we can have a
table like the one below
Buyer
user id
|
Seller user id
|
Listing id
|
Buyer feedback id
|
876XXXX
|
345XXXX
|
890XXX
|
245XXXX
|
876XXXX
|
789XXXX
|
567XXX
|
567XXXX
|
The ids in the table can be
mapped to names of buyers, sellers and products in addition to feedback
messages with API methods that do not require OAuth tokens.
I kept searching for other methods that might have problems, and I found another API method that had
a quite similar vulnerability which is the "getUserCart"
method (available on http://openapi.etsy.com/v2/users/users/:user_id/carts/:cart_id)
Such method is mainly designed to
retrieve cart info for a certain user. Such method requires an OAuth token. Again, I played with the user id and it worked.
However, this seemed to be hard to exploit because the attacker will need to predict cart id for a certain user id in order to work. At least this is what I thought at
the beginning. The fact is that the attacker did not need to supply a valid user id
at all. He would just supply a valid cart id and it will get the info of such cart
regardless of the user id. I was happy with that.
Etsy fixed the issues, rewarded
me, sent me a T-Shirt and added my name to
their hall of fame list over http://www.etsy.com/help/article/2463 . Etsy is one of the best bug bounty programs I have participated in. They are fast and professional.
Bug bounty program rules for Etsy is available on http://www.etsy.com/help/article/2463
Bug bounty program rules for Etsy is available on http://www.etsy.com/help/article/2463
No comments:
Post a Comment