6

One of our suppliers had a weakness on the secure section of his webpage. By changing ID's in the URL, we could see data that did not belong to us.

For example:

Showed a contract and a car, but so did

and putting other numbers gave other cars. Problem was, with most numbers, not our cars...

We signaled the problem and they fixed it. The URLs are now like this:

 CAR 
 OLD URL 
 NEW URL

 1HTR701    
 https://supplier.org/showItem.do?contract.id=102210199&car.id=102334247
 https://supplier.org/showItem.do?values=Vod4UnO5hFROmmVBaiQWd9w8pkqti5OvrxjomCo9yNNSinKqUxYcUA%0D%0A

 1HTR801    
 https://supplier.org/showItem.do?contract.id=102210200&car.id=102334248
 https://supplier.org/showItem.do?values=Vod4UnO5hFROmmVBaiQWd7GlAD4zU43Z_yemm03qs7_vROna1Fd3GA%0D%0A

 1HTR802    
 https://supplier.org/showItem.do?contract.id=102210201&car.id=102334249
 https://supplier.org/showItem.do?values=Vod4UnO5hFROmmVBaiQWd38BWIjnkFKm8qQL3Ha-ibFo_kbZuctRLg%0D%0A

 1HTR803    
 https://supplier.org/showItem.do?contract.id=102210202&car.id=102334250
 https://supplier.org/showItem.do?values=Vod4UnO5hFROmmVBaiQWd0MJCJ7x4spAWvmXjtYiCibBrPzpvP3MnQ%0D%0A

But I'm confused as to how they fixed this. Especially the returning part Vod4UnO5hFROmmVBaiQWd makes me think this is some kind of MD5 or other hashing. I'm just hoping the other parts are not "guessable" by someone else.

Any ideas how the new URLs are constructed? Does it appear safe?

Anders
  • 64,406
  • 24
  • 178
  • 215
Konerak
  • 3,898
  • 2
  • 16
  • 16
  • 2
    I would hazard a guess that the second half is an HMAC and the first half ( Vod4UnO5hFROmmVBaiQWd a.k.a. 5687785273b984544e9a65416a241677) is the HMAC key. – Little Code Jun 20 '16 at 13:32
  • 1
    For the old urls, did you go to the site and manually increment the numbers in the url? If so, at least one person has been jailed for doing the same thing to AT&T. – Stephen Spencer Jun 20 '16 at 13:44
  • Question (since you didnt/shouldnt post the supplier.org url) do the old links still work? They added a new REST interface but did they disable the old one? – CaffeineAddiction Jun 20 '16 at 14:13
  • @LittleCode: I'll have to study a bit on what that means. Is having the "key" in the URL a bad thing then? – Konerak Jun 20 '16 at 14:22
  • @StephenSpencer: that's scary. My official story is that I copy-pasted a link into outlook but a few digits dropped and when I later followed the link, I was surprised I got a different car, so I promptly emailed the supplier notifying them because I was scared someone else could make the same mistake and stumble upon my data by accident too. – Konerak Jun 20 '16 at 14:24
  • @CaffeineAddiction: I kept the old links and some screenies. They don't work anymore, so atleast they fixed that! Thanks for thinking along. – Konerak Jun 20 '16 at 14:24
  • 1
    There's a URL-encoded line feed at the end of the "values" string. Looks like real professional web programming here. I'd give them a lot of trust! – billc.cn Jun 20 '16 at 14:47
  • 8
    The real issue here is not that incrementing an ID returns a different item (that's to be expected), the issue is that what appears to be sensitive data is shown without asking the user to authenticate, and that is not fixed by their "solution". – André Borie Jun 20 '16 at 15:08
  • 1
    @AndréBorie exactly, it would be interesting to see if one of the new links was to be provided to a different user account; would it still work and return the car. – GreatSeaSpider Jun 20 '16 at 15:33
  • 2
    For the record, the [AT&T case](http://arstechnica.com/tech-policy/2012/11/internet-troll-who-exploited-att-security-flaw-faces-5-years-in-jail/). – WoJ Jun 20 '16 at 18:52

1 Answers1

7

Unless the site now has access controls on the URLs (requiring that you first authenticate - prove your identity - and then that the server checks whether your identity is authorized to view that URL), no, it is not safe. Obvious problems include people sharing links through a site like this (without redacting the domain), browsers remembering the URL in their histories (on a shared computer), or somebody (insider or outsider) dumping and sharing a list of valid URLs.

The term used for this type of security vulnerability is a "direct object reference", when inputting an object's ID lets you access the object even if you wouldn't normally have access. The only true solution to the problem is proper access controls. Merely making it hard to guess the object ID doesn't solve the problem, although in the short term it may make exploitation harder. Putting secrets in the URL doesn't really solve anything; you need a system that relies on actual credentials.

Now, as for the enumeration: as the comments point out, that's a very suspect encoding. The repeated prefix indicates that, whatever else they're doing, they aren't using a secure hash (or not using it correctly). Given that they're presumably trying to map from a URL back to an object identifier, it's probably a reversible encoding anyhow.

Encrypting the URL query string with a secret key known only to the server will produce hard-to-guess links, although depending on the type of encryption used it may still be possible to flip bits and produce new valid URLs without knowing the encryption key (they'd need to add an integrity check, like an HMAC or an authenticated encryption scheme, to prevent this). Encryption, by itself, does not prevent an attacker from tampering with the ciphertext (and with some encryption schemes that tampering is easy). In any case, such a system is dependent on the key remaining a secret, making a single point of failure.

Encrypting the query string using a known key - for example, if the key is in that unchanging prefix - is completely broken. Figuring out the crypto scheme used would take a little bit of (educated) guessing and checking, but the space of possible systems would take very little time to search. Once it's known, crafting valid URLs is trivial.

The least-bad way to do this (there's no good way; for anything sensitive you simply must use authentication and access controls) would be to store reasonably-long (64+ bits; GUIDs are often used here), cryptographically-secure random identifiers for every row in the database. Then encrypt them, with a server-side secret key, before turning them into URLs. This avoids single points of failure (the random IDs are useless without the key, and vice-versa) for compromising the whole list of valid URLs, and also means you could do things like periodically changing the ID tokens to invalidate old URLs for those objects, or changing the encryption key to invalidate all old URLs. It'd be secure against bit-flipping the ciphertext because there's no way to say "assume this part is a number, then try flipping bits to produce another valid number"; the valid combinations of bits are an un-guessably-small part of the search space of possible identifiers, because the identifiers aren't sequential and are long enough that only an infinitesimal fraction of them will ever be used.

But, I must emphasize again: this is a much worse idea than just putting proper authentication and authorization in place. If you've done that, you can safely stick to simple incrementing numeric identifiers because guessing the next value doesn't gain an attacker anything.

CBHacking
  • 40,303
  • 3
  • 74
  • 98