Fabric.io API Permission Apocalypse – Privilege Escalations

What Is Fabric.io?

The Fabric platform is made of three modular kits that address some of the most common and pervasive challenges that all app developers face: stability, distribution, revenue and identity. It combines the services of Crashlytics, MoPub, Twitter and others to help you build more stable apps, generate revenue through the world’s largest mobile ad exchange and enable you to tap into Twitter’s sign-in systems and rich streams of real-time content for greater distribution and simpler identity. And Fabric was built with ease of use in mind.

In Short:

Using fabric SDK one could embed Crashlytics, Login with twitter into their Android/IOS application. Users can manage/track reports from their dashboard at https://fabric.io/dashboard.

The Apocalypse:

We have been testing Fabric.io since it’s release. And we came across a few XSS vulnerabilities , insecure Storage vulnerabilties(Android App) and many privilege escalations. Using this vulnerability one could takeover any organization in fabric.io.

Vulnerability Description:

While in dashboard we could see two type of users:

• Admin – Can Delete Apps, Add members, Delete Members
• Member- Cannot Delete Apps, Cannot Add Members, Cannot Delete Members

On logging into Fabric.io every user gets an access token, this access token along with session cookies are used to authenticate every request. So we checked if the member’s access token can be used to perform admin requests.

We intercepted a delete request from the admin’s profile , Replaced the access token ( X-CRASHLYTICS-DEVELOPER-TOKEN: ) with member’s access token along with the member’s session cookie.

The request looks like:

DELETE /api/v2/organizations/5460d2394b793294df01104a/apps/5496f78544e4b4145000034c HTTP/1.1
Host: www.fabric.io
Connection: keep-alive
Accept: application/json, text/javascript, /; q=0.01
Origin: https://www.fabric.io
X-CSRF-Token: 06MzlRvMNizNQLk9VZWk5pb3LU6PUagNLPdGFQ4HdOg=
X-Requested-With: XMLHttpRequest
X-CRASHLYTICS-DEVELOPER-TOKEN: 0bb5ea45eb53fa71fa5758290be5a7d5bb867e77
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: https://www.fabric.io/settings/apps
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie:

Upon sending the above request we got a 200 status as response and the application was successfully deleted.
We have tried doing the same thing on few other requests :
Adding a user, give admin permission , remove users
Sadly all the requests were vulnerable!

Using this vulnerability a attacker with normal member privileges could have made himself an admin and could have taken over that organization.

Root Cause:

The access tokens issued to the users are bind with scope. A normal user with access token xyz and scope: member_only shouldn’t be able to perform admin actions.
Applications should properly check the scope of the access token before completing any of the requests sent by the user.

* Fabric.io is a twitter acquisition and twitter runs a bug bounty program on https://hackerone.com/twitter.
We have reported all the above mentioned vulnerabilities to twitter and they have been fixed accordingly.
As of now we are holding the 2nd place on twitter’s hall of fame, you can check us out at https://hackerone.com/twitter/thanks.