Fabric.io API Permission Apocalypse – Privilege Escalations

By user. Published on July 10, 2017

What Is Fabric.io?

The Fabric platform is made of three modular kits that address some of the most common and pervasive challenges that all app developers face: stability, distribution, revenue and identity. It combines the services of Crashlytics, MoPub, Twitter and others to help you build more stable apps, generate revenue through the world’s largest mobile ad exchange and enable you to tap into Twitter’s sign-in systems and rich streams of real-time content for greater distribution and simpler identity. And Fabric was built with ease of use in mind.

In Short:

Using the Fabric SDK, developers can embed Crashlytics and Login with Twitter in their Android/iOS applications. Users manage and track reports from the dashboard at https://fabric.io/dashboard.

The Apocalypse:

We have been testing Fabric.io since its release, and we came across a few XSS vulnerabilities, insecure storage vulnerabilities (Android app) and many privilege escalations. Using this vulnerability one could take over any organization in Fabric.io.

Vulnerability Description:

In the dashboard we could see two types of users:

  • Admin – Can delete apps, add members, delete members
  • Member – Cannot delete apps, cannot add members, cannot delete members

On logging into Fabric.io every user gets an access token; this access token, along with the session cookies, is used to authenticate every request. So we checked whether the member’s access token can be used to perform admin requests.

We intercepted a delete request from the admin’s profile, replaced the access token (X-CRASHLYTICS-DEVELOPER-TOKEN:) with the member’s access token, and sent it with the member’s session cookie.

The request looks like:

DELETE /api/v2/organizations/5460d2394b793294df01104a/apps/5496f78544e4b4145000034c HTTP/1.1
Host: www.fabric.io
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://www.fabric.io
X-CSRF-Token: 06MzlRvMNizNQLk9VZWk5pb3LU6PUagNLPdGFQ4HdOg=
X-Requested-With: XMLHttpRequest
X-CRASHLYTICS-DEVELOPER-TOKEN: 0bb5ea45eb53fa71fa5758290be5a7d5bb867e77
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: https://www.fabric.io/settings/apps
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie:

Upon sending the above request we got a 200 status in response and the application was successfully deleted.
We tried the same thing on a few other requests: adding a user, giving admin permission, removing users.
Sadly, all the requests were vulnerable!

Using this vulnerability, an attacker with normal member privileges could have made himself an admin and taken over that organization.

Root Cause:

The access tokens issued to users are bound to a scope. A normal user with access token xyz and scope member_only shouldn’t be able to perform admin actions; here the server only checked that a valid token was presented, never which role that token’s owner holds in the organization named in the request path.
Applications should properly check the scope of the access token, against the specific organization being acted on, before completing any request sent by the user.
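The following is an added illustration of the root cause and its fix, not Fabric.io's code: a minimal request handler that, in the vulnerable form, only authenticates the developer token, and, in the fixed form, also checks the token owner's role in the organization taken from the request path. The token values, user names, organization/app IDs and role names are constructed assumptions.

```python
"""Scope check for organization-level API actions (added example, modelled on
the Fabric.io write-up; all identifiers below are constructed)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: two users in one organization, each with their own
# developer token (the X-CRASHLYTICS-DEVELOPER-TOKEN header value).
ORG_ID = "org-constructed-0001"
APP_ID = "app-constructed-0001"
TOKENS: Dict[str, str] = {"admin-token-AAAA": "alice", "member-token-BBBB": "bob"}
ROLES: Dict[Tuple[str, str], str] = {(ORG_ID, "alice"): "admin",
                                     (ORG_ID, "bob"): "member"}
ADMIN_ONLY = {"delete_app", "add_member", "remove_member", "grant_admin"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


def authenticate(req: Request) -> Optional[str]:
    """Return the user who owns the presented developer token, or None."""
    return TOKENS.get(req.headers.get("X-CRASHLYTICS-DEVELOPER-TOKEN", ""))


def handle_vulnerable(req: Request, action: str, apps: Set[str]) -> int:
    """Failure mode from the write-up: any valid token passes; the token's
    role inside the organization is never consulted."""
    if authenticate(req) is None:
        return 401
    if action == "delete_app":
        apps.discard(APP_ID)
    return 200


def handle_fixed(req: Request, action: str, apps: Set[str]) -> int:
    """Authorize, not just authenticate: the token's owner must hold a role in
    the organization named in the path, and admin-only actions need 'admin'."""
    user = authenticate(req)
    if user is None:
        return 401
    org_id = req.path.split("/")[4]  # /api/v2/organizations/<org>/apps/<app>
    role = ROLES.get((org_id, user))
    if role is None or (action in ADMIN_ONLY and role != "admin"):
        return 403
    if action == "delete_app":
        apps.discard(APP_ID)
    return 200


def replay_delete(handler, token: str) -> Tuple[int, bool]:
    """Send the admin's DELETE with the given token; return (status, app still
    exists). Swapping in the member's token reproduces the write-up's test."""
    apps = {APP_ID}
    req = Request("DELETE", f"/api/v2/organizations/{ORG_ID}/apps/{APP_ID}",
                  {"X-CRASHLYTICS-DEVELOPER-TOKEN": token})
    return handler(req, "delete_app", apps), APP_ID in apps
```

With the member's token the vulnerable handler returns 200 and the app is gone; the fixed handler returns 403 and the app survives, while the admin's token still succeeds.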

* Fabric.io is a Twitter acquisition, and Twitter runs a bug bounty program at https://hackerone.com/twitter.
We have reported all the above-mentioned vulnerabilities to Twitter and they have been fixed accordingly.
As of now we are holding 2nd place in Twitter’s hall of fame; you can check us out at https://hackerone.com/twitter/thanks.