[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Tapplock api multiple vulnerabilities

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Tapplock api multiple vulnerabilities
From: Vangelis Stykas <evstykas@xxxxxxxxx>
Date: Fri, 15 Jun 2018 19:00:42 +0300

The server http://api.tapplock.com/ which servers as the api server for the 
tapplock smart lock is vulnerable to multiple authorization bypasses allowing 
horizontal escalation of privileges which could lead to the disclosure of all 
the info of all users and  total compromise of every lock. The attacker could 
gain access to any lock, and retrieve PII (email and street address) of any 
user.
There is a full write up available at : 
https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025
 
<https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025>


Details

Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10
http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10
http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10
Vulnerable  parameter: email


Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10
http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10
http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10
Vulnerable parameter: email

Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10
http://api.tapplock.com/api/v1/unlock_records/bluetooth/{userUuid}?page=1&size=10
http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10
Vulnerable parameter: userUuid

Attack Vector: HTTP POST
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/users
http://api.tapplock.com/api/v1/locks
http://api.tapplock.com/api/v1/shareable_users
http://api.tapplock.com/api/v1/shares
http://api.tapplock.com/api/v1/finger_owners
http://api.tapplock.com/api/v1/fingers
http://api.tapplock.com/api/v1/fingers/actions/check
http://api.tapplock.com/api/v1/unlock_records/bluetooth
Vulnerable parameter: All the parameters that are posted on the json payload 
are not checked.


Attack Vector: HTTP PATCH
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/users
http://api.tapplock.com/api/v1/locks
http://api.tapplock.com/api/v1/shareable_users
Vulnerable parameter: All the parameters that are posted on the json payload 
are not checked.

Attack Vector: HTTP DELETE
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through 
user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify 
information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{lockId}
http://api.tapplock.com/api/v1/finger_owners/{uuid}
http://api.tapplock.com/api/v1/shareable_users/{shareableUserId}
http://api.tapplock.com/api/v1/shares/{shareId}
http://api.tapplock.com/api/v1/fingers/{fingerprintId}

Vulnerable parameter: All the parameters in {} are vulnerable.

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Unserialization vulnerability in Redirection could allow admin to execute arbitrary code in some circumstances (WordPress plugin)
Next by Date: [FD] CA20180614-01: Security Notice for CA Privileged Access Manager
Previous by thread: [FD] Unserialization vulnerability in Redirection could allow admin to execute arbitrary code in some circumstances (WordPress plugin)
Next by thread: [FD] CA20180614-01: Security Notice for CA Privileged Access Manager
Index(es):
- Date
- Thread