Tapplock Smart Lock Insecure Direct Object Reference

2018.06.18
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

The server http://api.tapplock.com/ which servers as the api server for the tapplock smart lock is vulnerable to multiple authorization bypasses allowing horizontal escalation of privileges which could lead to the disclosure of all the info of all users and total compromise of every lock. The attacker could gain access to any lock, and retrieve PII (email and street address) of any user. There is a full write up available at : https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025 <https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025> Details Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10 http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10 http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10 Vulnerable parameter: email Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10 http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10 http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10 Vulnerable parameter: email Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10 http://api.tapplock.com/api/v1/unlock_records/bluetooth/{userUuid}?page=1&size=10 http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10 Vulnerable parameter: userUuid Attack Vector: HTTP POST Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/users http://api.tapplock.com/api/v1/locks http://api.tapplock.com/api/v1/shareable_users http://api.tapplock.com/api/v1/shares http://api.tapplock.com/api/v1/finger_owners http://api.tapplock.com/api/v1/fingers http://api.tapplock.com/api/v1/fingers/actions/check http://api.tapplock.com/api/v1/unlock_records/bluetooth Vulnerable parameter: All the parameters that are posted on the json payload are not checked. Attack Vector: HTTP PATCH Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/users http://api.tapplock.com/api/v1/locks http://api.tapplock.com/api/v1/shareable_users Vulnerable parameter: All the parameters that are posted on the json payload are not checked. Attack Vector: HTTP DELETE Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{lockId} http://api.tapplock.com/api/v1/finger_owners/{uuid} http://api.tapplock.com/api/v1/shareable_users/{shareableUserId} http://api.tapplock.com/api/v1/shares/{shareId} http://api.tapplock.com/api/v1/fingers/{fingerprintId} Vulnerable parameter: All the parameters in {} are vulnerable.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top