Lucene search

K
packetstormAndrey StoykovPACKETSTORM:171323
HistoryMar 13, 2023 - 12:00 a.m.

Fastly Secret Disclosure

2023-03-1300:00:00
Andrey Stoykov
packetstormsecurity.com
147
`Correspondence from Fastly declined to comment regarding new discovered  
vulnerabilities within their website.  
  
Poor practices regarding password changes.  
  
  
1. Reset user password  
2. Access link sent  
3. Temporary password sent plaintext  
  
  
// HTTP POST request  
  
POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
{"g-recaptcha-response":"03AFY_a8UY[...]"}  
[...]  
  
  
// HTTP response  
  
HTTP/2 200 OK  
Cache-Control: no-store  
[...]  
  
  
// HTTP GET request  
  
GET  
/auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d...  
HTTP/2  
Host: manage.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
  
// HTTP response  
  
HTTP/2 200 OK  
Cache-Control: public, max-age=60, stale-if-error=1209600,  
stale-while-revalidate=600  
[...]  
  
  
  
Weak Pwd requirements  
  
1. Login to user account  
2. Click Account -> Personal Profile  
3. Select Change Password -> Current Password -> FastLy%2540!1M  
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P  
5. Select Sign Out Option  
6. Login with new password  
  
  
// HTTP POST request  
  
POST /oauth/password HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%  
40gmail.com  
[...]  
  
  
// HTTP response  
  
HTTP/2 401 Unauthorized  
Status: 401 Unauthorized  
Cache-Control: no-store  
Content-Type: application/json  
[...]  
  
[...]  
{"msg":"Token 3kzBPKXbsbtZBl9..."}  
[...]  
  
  
// HTTP POST request  
  
POST /oauth/access_token HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]  
  
[...]  
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%  
40gmail.com  
[...]  
  
  
// HTTP response  
  
HTTP/2 200 OK  
Status: 200 OK  
[...]  
  
[...]  
{"id":"7IU53vPHZ...",  
"name":"manage.fastly.com browser session",  
"user_id":"3lWtx49FrV...",  
"customer_id":"535znFHg...",  
[...]  
"token_type":"bearer",  
"scope":"global",  
"services":[],  
"access_token":"qwdBQF43O..."}  
[...]  
  
`