The server http://api.tapplock.com/ which servers as the api server for the tapplock smart lock is vulnerable to multiple authorization bypasses allowing horizontal escalation of privileges which could lead to the disclosure of all the info of all users and total compromise of every lock. The attacker could gain access to any lock, and retrieve PII (email and street address) of any user. There is a full write up available at : https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025 <https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025>
Details Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10 http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10 http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10 Vulnerable parameter: email Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10 http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10 http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10 Vulnerable parameter: email Attack Vector: HTTP GET Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10 http://api.tapplock.com/api/v1/unlock_records/bluetooth/{userUuid}?page=1&size=10 http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10 Vulnerable parameter: userUuid Attack Vector: HTTP POST Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/users http://api.tapplock.com/api/v1/locks http://api.tapplock.com/api/v1/shareable_users http://api.tapplock.com/api/v1/shares http://api.tapplock.com/api/v1/finger_owners http://api.tapplock.com/api/v1/fingers http://api.tapplock.com/api/v1/fingers/actions/check http://api.tapplock.com/api/v1/unlock_records/bluetooth Vulnerable parameter: All the parameters that are posted on the json payload are not checked. Attack Vector: HTTP PATCH Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/users http://api.tapplock.com/api/v1/locks http://api.tapplock.com/api/v1/shareable_users Vulnerable parameter: All the parameters that are posted on the json payload are not checked. Attack Vector: HTTP DELETE Prerequisites: Authentication (Authorization Header) CWE: Insecure Direct Object References, Authorization bypass through user-controlled key Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts) Vulnerable query URLs: http://api.tapplock.com/api/v1/locks/{lockId} http://api.tapplock.com/api/v1/finger_owners/{uuid} http://api.tapplock.com/api/v1/shareable_users/{shareableUserId} http://api.tapplock.com/api/v1/shares/{shareId} http://api.tapplock.com/api/v1/fingers/{fingerprintId} Vulnerable parameter: All the parameters in {} are vulnerable.
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
