Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneDeepblue29H1:2129769
HistoryAug 31, 2023 - 4:04 a.m.

FetLife: fetlife.com/signup_step_profile expose access_token of mapbox.com

2023-08-3104:04:55
deepblue29
hackerone.com
18
fetlife
registration
mapbox

7.2 High

AI Score

Confidence

Low

JSON

Hi fetlife, I’m investigate on registration step on your site, in registration step at https://fetlife.com/signup_step_profile

when user type in field β€œprivate_location_name”

{F2652527}

it use frontend call to api.mapbox.com directly thus expose access_token, I was able to call it directly via command line:

curl 'https://api.mapbox.com/geocoding/v5/mapbox.places/ho%20chi.json?limit=10&types=place%2Clocality&autocomplete=true&language=en&access_token=pk.eyJ1IjoiZmV0bGlmZSIsImEiOiJjazhwMjNrajUwN2luM2xwcmxmMDNoajFoIn0.vge5GmfaG4OTyth8uS_N6w' \
  -H 'sec-ch-ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"' \
  -H 'Referer: https://fetlife.com/' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua-platform: "Linux"' \
  --compressed

Upon having this access_token, I could freely use your token on my site, even though fetlife have Referer: https://fetlife.com/, I could navigate around that easily using direct http call from my server and inject Referer header as https://fetlife.com/.

Another issue (not security related), this request is for validating attribute unhandle email case yet :

curl 'https://fetlife.com/users/attributes/[email protected]' \
  -H 'sec-ch-ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"' \
  -H 'Accept: application/json' \
  -H 'Referer: https://fetlife.com/signup_step_profile' \
  -H 'X-CSRF-Token: WbVVfdWFF2nIoWJ7yJHpjVMtt1i1_VFMTpDyq4dRI72NG3onq_MOtQmhHXD6nlD-aKAYoqpvAhCAWu8z6zf_qQ' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua-platform: "Linux"' \
  --compressed

500 Internal Server Error
If you are the administrator of this website, then please read this web application's log file and/or the web server's log file to find out what went wrong.%

Another issue I see there is two authenticity_token on registration hidden input, I believe this is a mistake (?)

{F2652528}

Impact

exposing access_token on mapbox give me freely use of your resources (I use, you pay).

7.2 High

AI Score

Confidence

Low

JSON