A security vulnerability has recently been disclosed in Ourphoto App version 1.4.1: an insecure direct object reference (IDOR) in the /device/* endpoints. It exposes sensitive user information, including user_id, device_id, email addresses, and unique frame_token values.

This blog post provides a deep dive into CVE-2022-24187, featuring code snippets, original references, and exploit details. Our goal is to help you understand the vulnerability, its impact, and implement necessary measures to protect your application and its users.

Vulnerability Details

The insecure direct object reference (IDOR) vulnerability is present in the /device/* endpoints of Ourphoto App version 1.4.1. It affects the user_id and device_id parameters, which can be exploited by systematically incrementing or decrementing the ID values.

Here's an example of an HTTP GET request to the vulnerable endpoint:

GET /device/get_devices?user_id=100

By altering the user_id parameter, an attacker can access other users' information:

GET /device/get_devices?user_id=101
GET /device/get_devices?user_id=102

This allows malicious actors to view and collect sensitive data such as the email addresses and unique frame_token values of other users, and then to launch targeted phishing attacks or leverage the stolen information for further malicious activities.

Original References

- CVE: CVE-2022-24187
- NVD: CVE-2022-24187 (National Vulnerability Database entry)

Mitigation

To secure your application against CVE-2022-24187, we recommend taking the following actions:

1. Update your version of Ourphoto App: Upgrade to the latest version of Ourphoto App with necessary security patches.
2. Implement access controls: Make sure to enforce proper access controls and permissions for end-users' resources.
3. Restrict sensitive information: Limit the exposure of sensitive information such as user_id, device_id, and any associated metadata.
4. Enable monitoring: Continuously monitor your application and user behavior to detect and alert on any suspicious activities.
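The following is an added example, not Ourphoto's code, illustrating the IDOR pattern described above and two of the mitigation steps: object-level access control (step 2, with the frame_token redacted as in step 3) and log-based detection of ID enumeration (step 4). The handler names, the Session type, the DEVICES table and the SAMPLE_LOG lines are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data standing in for the app's device table (not real users).
DEVICES = {
    100: [{"device_id": 5001, "email": "alice@example.test", "frame_token": "ft-A"}],
    101: [{"device_id": 5002, "email": "bob@example.test", "frame_token": "ft-B"}],
}


@dataclass
class Session:
    user_id: int  # identity established by authentication, never by the client


class Forbidden(Exception):
    pass


def get_devices_vulnerable(session, params):
    """IDOR: trusts the client-supplied user_id, so any caller can walk 100, 101, ..."""
    return DEVICES.get(int(params["user_id"]), [])


def get_devices_hardened(session, params):
    """Object-level access control: the requested user_id must be the caller's own;
    anything else is rejected, and frame_token is omitted from the response."""
    requested = int(params.get("user_id", session.user_id))
    if requested != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read user {requested}")
    return [{k: v for k, v in d.items() if k != "frame_token"}
            for d in DEVICES.get(requested, [])]


LOG_RE = re.compile(r'^(\S+) .*"GET /device/get_devices\?user_id=(\d+)')


def enumeration_suspects(log_lines, threshold=3):
    """Monitoring: flag clients that query many distinct user_ids on
    /device/get_devices, the access pattern an ID sweep leaves in the logs."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    return sorted(c for c, ids in ids_by_client.items() if len(ids) >= threshold)


# Constructed access-log lines in a common-log-like format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - "GET /device/get_devices?user_id=100 HTTP/1.1" 200',
    '203.0.113.7 - "GET /device/get_devices?user_id=101 HTTP/1.1" 200',
    '203.0.113.7 - "GET /device/get_devices?user_id=102 HTTP/1.1" 200',
    '198.51.100.2 - "GET /device/get_devices?user_id=100 HTTP/1.1" 200',
]
```

With the hardened handler the enumeration returns 403-style errors instead of data, and the detector surfaces the client that swept three user_ids while leaving the single-lookup client alone.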

Conclusion

CVE-2022-24187 is a critical vulnerability in Ourphoto App version 1.4.1: an insecure direct object reference that exposes user_id and device_id values through the /device/* endpoints. An attacker can exploit it to gain access to sensitive user information and use that access for further attacks or malicious activities.

Promptly implementing the recommended mitigation steps and ensuring your Ourphoto App is up to date can help protect your application and its users from potential threats. Stay vigilant, and always prioritize the security of your application and user data.

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:21:00 UTC