Someone created an admin account in my app

I annoyed someone on Twitter yesterday. Their response was to hack the Twitterrudel App and create two new accounts, one with admin rights. How is this even possible?

And how can I prevent this in the future?

The hacker (flimosch@systemli.org) was kind enough to send an email with the issues.

I’m interested in IT security and have only taken a brief look at the whole thing,
so these are probably not all the gaps.

The items in the list are ordered by subjective relevance (such as
how easy they are to exploit and what impact they have):

1 Information disclosure (accidental disclosure of user data)

1.1 Your app voluntarily gives out all the data that users have provided.
When the page “das Twitterrudel” is opened, the server returns
EVERYTHING that users have entered about themselves. This includes
email address, full name and the SHA-256 hash of the password. In some
cases the residential address, telephone number, etc. are added as well.
You can see this by opening your browser’s devtools
and looking for the POST requests to
https://apps.fliplet.com/v1/data-sources/540338/data/query?appId=27927&pageId=631177&all=
1.2 When a message is to be composed, your app gives out all
e-mail addresses and usernames of the users. This is not so relevant
because only e-mail and username are affected.

2 Cross Site Scripting (unauthorized addition of code to the website)
An attacker can add source code to the “What do I like”/“What do I hate” part of their own
profile, which could lead users to phishing websites
or similar, or attackers can use this to get users to
install viruses on older/non-updated systems
(Cross-Site-Scripting – Wikipedia).
To achieve that, an attacker can send a request to the server
to change their own profile and put the (malicious) code
in the “what do I like” or “what do I hate” part. If a user
now clicks on the profile, the code runs automatically.

3 Users can give themselves admin rights
Your website does not check the values to which a profile is
updated. In concrete terms, this means that users can give themselves admin rights
and can then remove posts etc. So when an attacker sends the
server the request to update something in the profile, the
attacker adds that the account is now an admin.

Hi Birgit

Sorry to hear your app was used in a way you didn’t want. Have you applied the security features Fliplet offers? https://help.fliplet.com/app-security/

Hi Birgit,

Adding some robust data security rules can help prevent this. See this article for help: https://help.fliplet.com/recommended-minimum-data-source-security-rules/

If you need assistance to understand what security rules to apply please let us know.

Thanks,
Deb

Yes. How can I turn it off so that users can only look up others in the app (intended) and cannot go into the database like this?

1.1 Your app voluntarily gives out all the data that users have provided.
When the page “das Twitterrudel” is opened, the server returns
EVERYTHING that users have entered about themselves. This includes
email address, full name and the SHA-256 hash of the password. In some
cases the residential address, telephone number, etc. are added as well.
You can see this by opening your browser’s devtools
and looking for the POST requests to
https://apps.fliplet.com/v1/data-sources/540338/data/query?appId=27927&pageId=631177&all=

And how exactly do I turn this off?
1.2 When a message is to be composed, your app gives out all
e-mail addresses and usernames of the users. This is not so relevant
because only e-mail and username are affected.

And how do I avoid this?
2 Cross Site Scripting (unauthorized addition of code to the website)
An attacker can add source code to the “What do I like”/“What do I hate” part of their own
profile, which could lead users to phishing websites
or similar, or attackers can use this to get users to
install viruses on older/non-updated systems
(Cross-Site-Scripting – Wikipedia).
To achieve that, an attacker can send a request to the server
to change their own profile and put the (malicious) code
in the “what do I like” or “what do I hate” part. If a user
now clicks on the profile, the code runs automatically.

And how do I avoid this?
3 Users can give themselves admin rights
Your website does not check the values to which a profile is
updated. In concrete terms, this means that users can give themselves admin rights
and can then remove posts etc. So when an attacker sends the
server the request to update something in the profile, the
attacker adds that the account is now an admin.
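
The three findings quoted above (1.1 over-broad data returned to the client, 2 stored XSS in profile text, 3 a profile update that is allowed to set the admin flag) share one root cause: the server trusts the client for what it may read, what it may write and how it is displayed. The block below is an added example written for this thread, not Fliplet’s code and not the data-source security rules the Fliplet replies point to; on Fliplet those rules are where the equivalent read/write restrictions are configured. Every field name (passwordHash, likes, hates, admin, etc.) and the sample records are constructed for illustration.

```javascript
// Added example (not Fliplet's code): the server-side checks that close the
// three reported issues. Field names below are assumed for illustration only.

// Issue 1.1: the only columns a profile page may return about *other* users.
const PUBLIC_FIELDS = ['username', 'displayName', 'likes', 'hates'];

// Issue 3: the only columns a user may change on their *own* record.
// "admin", "email" and "passwordHash" are deliberately absent.
const USER_EDITABLE_FIELDS = ['displayName', 'likes', 'hates'];

// Issue 2: render user-supplied text as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Projection: copy only public columns, so email/hash/phone never leave the server.
function toPublicView(record) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in record) out[field] = record[field];
  }
  return out;
}

// Allow-list on write: apply editable fields, drop (and report) everything else.
// A client that sends { admin: true } gets that key silently rejected.
function applyProfileUpdate(stored, update) {
  const record = { ...stored };
  const rejected = [];
  for (const [key, value] of Object.entries(update)) {
    if (USER_EDITABLE_FIELDS.includes(key)) record[key] = value;
    else rejected.push(key);
  }
  return { record, rejected };
}

// Output encoding at render time: a stored "<script>" becomes visible text.
function renderProfileHtml(record) {
  const v = toPublicView(record);
  return `<h2>${escapeHtml(v.displayName ?? v.username ?? '')}</h2>` +
    `<p>Likes: ${escapeHtml(v.likes ?? '')}</p>` +
    `<p>Hates: ${escapeHtml(v.hates ?? '')}</p>`;
}

// Constructed sample record (fake values) and a constructed attacker request
// that combines issue 3 (admin flag) with issue 2 (stored XSS payload).
const STORED = {
  id: 42, username: 'alice', displayName: 'Alice', email: 'alice@example.org',
  passwordHash: 'sha256:0000000000000000', phone: '+49 000 000000',
  admin: false, likes: 'cats', hates: 'spam',
};
const ATTACK_UPDATE = {
  admin: true,
  likes: '<script>location="https://phish.example/"</script>',
  displayName: 'Mallory',
};

// Runs the attacker's update through the checks and returns what each stage yields.
function demo() {
  const { record, rejected } = applyProfileUpdate(STORED, ATTACK_UPDATE);
  return {
    record,
    rejected,
    publicView: toPublicView(record),
    html: renderProfileHtml(record),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the shape is that the client never decides anything: the read side is a fixed projection, the write side is a fixed allow-list, and display escapes on output rather than trying to filter "bad" input. Whatever the request contains beyond the allowed keys is dropped before it reaches the data store.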

Hi Birgit,

A couple of things to help ensure your app is secure.

  1. When building an app with Fliplet, it is essential that you apply the correct level of security to your data sources. This is the only way to ensure people cannot access data they are not allowed to see. I recommend taking some time to go through the following article to get a better understanding of what is required to prevent unauthorized access to your app. https://help.fliplet.com/recommended-minimum-data-source-security-rules/
    To start with, it’s definitely worth having a quick look over your account to ensure you fix the issues that enabled this user to gain unauthorised access. Step 1 - Review all data sources and check the security rules - more help on that here and here. Step 2 - Set up or change the rules to ensure only the correct access is enabled.
    If you need support, we can help you to review the security. Drop us an email on support@fliplet.com with details of your app and what data sources in your app you want us to review.