CVE-2022-24189: User Token Authorization Bypass in Ourphoto App v1.4.1 Allows Unauthorized Access to Sensitive User Data

An improper implementation of the user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points has been discovered, leaving users exposed to potential unauthorized access and modification of their data. This vulnerability can be exploited by unauthorized users to send POST API calls using unique identifiers from other users, increasing the risk of data breaches. In this post, we will explain CVE-2022-24189, show a code snippet demonstrating the vulnerability, and provide information on the potential impact of this vulnerability and how to mitigate it.

Vulnerability Details

CVE-2022-24189 specifically affects Ourphoto App version 1.4.1's /apiv1/* API endpoints. Due to the improper implementation of the user_token authorization header within these endpoints, removing the header's value allows all requests to succeed, completely bypassing authorization and session management. This issue essentially grants an attacker unrestricted access to all user information and data.

Code Snippet

Here's a code snippet demonstrating the vulnerability. An attacker can remove the user_token header value, and all API requests to the Ourphoto App v1.4.1 /apiv1/* endpoints are successful, effectively bypassing any existing authorization protocols:

import requests

url = "https://ourphotoapp.example.com/apiv1/sensitive_endpoint";
headers = {
    'Content-Type': 'application/json',
    'user_token': ''
}

data = {
    'unique_user_id': 'some_user_id',
    'payload': 'sensitive_data'
}

response = requests.post(url, headers=headers, json=data)
print(response.status_code)

By removing the 'user_token' value in the 'headers' dictionary, the bypass is achieved, and the malicious user can access sensitive data without proper authorization.

Exploit Details

An attacker can exploit this vulnerability to enumerate all users' information and data and perform unauthorized POST API calls using other users' unique identifiers. The scenarios that arise can lead to severe consequences such as unauthorized access to sensitive personal information and tampering with stored data. Attackers can also potentially use this information for phishing schemes, causing further damage and harm to users.

Mitigation and Recommendations

To mitigate this issue, developers need to ensure that the user_token authorization header is implemented correctly, and its absence or manipulation should block all API requests. Developers may also consider the following best practices:

1. Strictly enforce authentication and authorization controls for each API endpoint. Deny access by default and only grant access based on specific user roles and permissions.
2. Implement proper user session management. This should include occasional session timeouts, explicit logouts, and cookie management.
3. Conduct regular security testing and code reviews to ensure the correct implementation of security protocols.

Keep up to date with security best practices, such as the OWASP API Security Top 10 Project.

For users, it is always essential to keep their apps updated and follow the guidance provided by app developers to protect their data and privacy online.

Conclusion

CVE-2022-24189 is a critical vulnerability in the Ourphoto App, allowing unauthorized users to bypass the user_token authorization header and access sensitive user data. To protect users and maintain trust in the application, developers must implement proper security measures and adhere to best practices in software development. By addressing these issues proactively, both users and developers can mitigate the growing risks associated with online security threats.

1. CVE-2022-24189 - National Vulnerability Database (NVD)
2. OWASP API Security Top 10 Project

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:20:00 UTC