FirstBlood-#146 — Leak PII through the events API
This issue was discovered on FirstBlood v1
On 2021-05-10, jomar reported:
With my friend Serizao, after some research I was able to find a way to leak user information through the event API.
By going to the page hackerback and observing its source code, it is possible to see that under certain conditions a request is made on the page
When you go to this page, you simply get a 200 response but with empty content, so the page does exist but something is missing to query it.
By looking at the requests made when using the application and after trying different parameters, methods etc. I could see that all the other requests use the header
X-SITE-REQ: permitted in order to make the request.
By adding this header, it is possible to have access to a first version of the response, it is then possible to observe that the event also has an
old_eventID, using this ID, it is possible to have access to PII
- An unauthenticated standard user is able to access PII
- This endpoint should certainly not be accessible to a standard user, it would be necessary to add an additional header with an API key or perform a check on the cookie to verify that the user is authenticated on the administration space and has the necessary privileges.
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.