Cloudflare: Threat control information leak

2014-04-25T16:36:31
ID H1:9775
Type hackerone
Reporter bitquark
Modified 2015-06-20T01:09:19

Description

The information displayed on the threat control page is retrieved using AJAX calls to the API; however, the access token (atok) that is sent along with the requests is not checked by the receiving end. In addition, a callback function name can be supplied to the API, which causes the response to be wrapped in a call to that function (JSONP), so the data can be loaded cross-origin as a script.

Combined, these factors allow an attacker to retrieve all threat control information from a logged-in victim as they pass by any attacker-controlled site: the victim's browser attaches their Cloudflare session cookies to the cross-origin request, the unchecked atok provides no CSRF protection, and the attacker-chosen callback delivers the returned data to the attacker's script.

I've put together a quick proof-of-concept which snarfs and displays the Trust and Block lists:

http://bitquark.co.uk/pentest/poc/cloudflare/threat_control_info_leak.html
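The following is an added example, not the reporter's proof-of-concept and not Cloudflare's code. It models the two conditions described above (an unchecked atok and a caller-supplied callback) as a toy endpoint, shows how an attacker-controlled page extracts the data, and puts a hardened endpoint beside it. The endpoint shape, the parameter names `callback` and `atok`, the session token and the trust/block lists are all constructed for illustration.

```javascript
// Constructed victim session: the cookie the browser sends automatically,
// the per-session access token, and the data the threat control page shows.
const VICTIM_SESSION = {
  cookie: "session=victim",
  atok: "victim-token-1234",
  threatControl: { trust: ["203.0.113.5"], block: ["198.51.100.7"] },
};

// Vulnerable endpoint: authenticates on the cookie alone, never compares the
// supplied atok with the session's token, and wraps the JSON in whatever
// callback name the caller chose (JSONP).
function vulnerableEndpoint(req) {
  if (req.cookie !== VICTIM_SESSION.cookie) return { status: 403, body: "" };
  const json = JSON.stringify(VICTIM_SESSION.threatControl);
  const cb = req.query.callback;
  return {
    status: 200,
    contentType: cb ? "application/javascript" : "application/json",
    body: cb ? `${cb}(${json});` : json,
  };
}

// Hardened endpoint: the atok must match the session's token (a value the
// attacker's page cannot read), and the response is always plain JSON, which
// is a syntax error when executed as a script, so it cannot be loaded via
// a cross-origin <script> tag.
function hardenedEndpoint(req) {
  if (req.cookie !== VICTIM_SESSION.cookie) return { status: 403, body: "" };
  if (req.query.atok !== VICTIM_SESSION.atok) return { status: 403, body: "" };
  return {
    status: 200,
    contentType: "application/json",
    body: JSON.stringify(VICTIM_SESSION.threatControl),
  };
}

// Attacker page: a <script src="https://api.example/…?callback=leak"> tag.
// The browser attaches the victim's cookie regardless of the page's origin;
// the attacker does not know the atok and sends an empty one. Script
// execution is modelled by evaluating the body with a global `leak` in scope.
function attackerPage(endpoint) {
  const stolen = [];
  const req = { cookie: VICTIM_SESSION.cookie, query: { callback: "leak", atok: "" } };
  const res = endpoint(req);
  if (res.status !== 200) return stolen; // request rejected, nothing leaks
  try {
    new Function("leak", res.body)((data) => stolen.push(data));
  } catch (e) {
    // Plain JSON such as {"trust":[...]} is not a valid statement, so a
    // SyntaxError is thrown and the attacker learns nothing.
  }
  return stolen;
}

// Legitimate first-party client: has the session's atok and parses JSON
// from an XHR response rather than executing it.
function legitimateClient(endpoint) {
  const req = { cookie: VICTIM_SESSION.cookie, query: { atok: VICTIM_SESSION.atok } };
  const res = endpoint(req);
  return res.status === 200 ? JSON.parse(res.body) : null;
}

console.log("vulnerable:", JSON.stringify(attackerPage(vulnerableEndpoint)));
console.log("hardened:  ", JSON.stringify(attackerPage(hardenedEndpoint)));
console.log("legit:     ", JSON.stringify(legitimateClient(hardenedEndpoint)));
```

Either fix on its own closes this particular leak: checking the atok stops the cross-site request from being honoured, and dropping the callback parameter stops a successful response from being readable cross-origin. Doing both is the usual choice, since the token also protects against same-origin-policy bypasses that do not rely on JSONP.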