
Fabric.io API Permission Apocalypse – Privilege Escalations

By user | Published on July 10, 2017

What Is Fabric.io?

The Fabric platform is made up of modular kits that address some of the most common and pervasive challenges app developers face: stability, distribution, revenue and identity. It combines the services of Crashlytics, MoPub, Twitter and others to help developers build more stable apps, generate revenue through the world's largest mobile ad exchange, and tap into Twitter's sign-in system and real-time content streams for wider distribution and simpler identity. Fabric was built with ease of use in mind.

In Short:

Using the Fabric SDK, a developer can embed Crashlytics and Login with Twitter in an Android/iOS application. Crash reports and other data are managed and tracked from the dashboard at https://fabric.io/dashboard.

The Apocalypse:

We have been testing Fabric.io since its release. Along the way we found a few XSS vulnerabilities, insecure storage issues in the Android app, and many privilege escalations. The privilege escalation described here allowed any ordinary member to take over any organization in Fabric.io.

Vulnerability Description:

The dashboard has two types of users:

  • Admin: can delete apps, add members and delete members
  • Member: cannot delete apps, add members or delete members

On logging in to Fabric.io every user receives an access token. This access token, together with the session cookie, is sent with every request and is what the server uses to authenticate the caller. So we checked whether a member's access token could be used to perform admin-only requests.

We intercepted an app-delete request issued from the admin's profile, replaced the access token (the X-CRASHLYTICS-DEVELOPER-TOKEN header) with the member's access token, and replaced the session cookie with the member's session cookie. Note that the X-CSRF-Token is not a substitute for this check: it only proves the request came from the site's own page, not that the caller is allowed to perform the action.

The request looks like:

DELETE /api/v2/organizations/5460d2394b793294df01104a/apps/5496f78544e4b4145000034c HTTP/1.1
Host: www.fabric.io
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://www.fabric.io
X-CSRF-Token: 06MzlRvMNizNQLk9VZWk5pb3LU6PUagNLPdGFQ4HdOg=
X-Requested-With: XMLHttpRequest
X-CRASHLYTICS-DEVELOPER-TOKEN: 0bb5ea45eb53fa71fa5758290be5a7d5bb867e77
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: https://www.fabric.io/settings/apps
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie:

Sending the above request returned HTTP 200 and the application was deleted, even though the credentials belonged to a plain member.
We then tried the same token-and-cookie swap on a few other admin-only requests: adding a user, granting admin permission and removing users.
All of them were vulnerable.

Using this vulnerability, an attacker with ordinary member privileges could grant themselves the admin role and take over the whole organization.

Root Cause:

The access tokens issued to users are bound to a scope. A normal user with access token xyz and scope member_only should not be able to perform admin actions.
The server accepted any valid token and session as proof of authorization: it authenticated the caller but never checked, on the server side, whether that caller's scope or role permitted the requested action. The application should look up the caller's role from its own records and verify the scope of the access token before completing any privileged request; a valid session proves who the caller is, not what the caller may do.
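To make the root cause concrete, here is an added illustration that is not part of the original write-up and not Fabric.io's code. It models a tiny organization API in memory with two dispatchers: one that only authenticates (the bug described above) and one that also authorizes against the role the server stores for the user. A replay_as() helper performs the tester's step of reusing the admin's captured request with the member's token and cookie, and it is run against all four admin actions the write-up names (delete app, add member, grant admin, remove member). The user names, tokens, session IDs, app IDs and handler names are constructed; the organization ID is the one from the captured request; the rule that the token and the session cookie must belong to the same account is an assumption, not something the write-up states.

```python
from dataclasses import dataclass, field
from http import HTTPStatus

# Constructed credentials (not real Fabric.io values). Both travel on every
# request, like X-CRASHLYTICS-DEVELOPER-TOKEN and the session Cookie above.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ORG_ID = "5460d2394b793294df01104a"  # organization ID from the captured request


@dataclass
class Org:
    apps: set = field(default_factory=set)
    members: dict = field(default_factory=dict)  # user -> "admin" | "member"


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict = field(default_factory=dict)


def fresh_org():
    return Org({"app-1", "app-2"}, {"alice": "admin", "bob": "member"})


def authenticate(req):
    """Return the caller's user name, or None. Assumption: the developer
    token and the session cookie must resolve to the same account."""
    token_user = TOKENS.get(req.headers.get("X-CRASHLYTICS-DEVELOPER-TOKEN", ""))
    cookie_user = None
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            cookie_user = SESSIONS.get(value)
    return token_user if token_user and token_user == cookie_user else None


# The admin-only actions named in the write-up (hypothetical handler names).
def delete_app(org, req):
    app_id = req.path.rsplit("/", 1)[-1]
    if app_id not in org.apps:
        return HTTPStatus.NOT_FOUND
    org.apps.remove(app_id)
    return HTTPStatus.OK


def add_member(org, req):
    org.members[req.body["user"]] = "member"
    return HTTPStatus.OK


def set_role(org, req):
    org.members[req.body["user"]] = req.body["role"]
    return HTTPStatus.OK


def remove_member(org, req):
    org.members.pop(req.body["user"], None)
    return HTTPStatus.OK


ACTIONS = {"delete_app": delete_app, "add_member": add_member,
           "set_role": set_role, "remove_member": remove_member}


def dispatch_vulnerable(org, action, req):
    """Authentication only: any org member may run any action (the bug)."""
    user = authenticate(req)
    if user is None or user not in org.members:
        return HTTPStatus.UNAUTHORIZED
    return ACTIONS[action](org, req)


def dispatch_fixed(org, action, req):
    """Authentication, then authorization against the role the server
    stores for this user; nothing in the request decides the role."""
    user = authenticate(req)
    if user is None or user not in org.members:
        return HTTPStatus.UNAUTHORIZED
    if org.members[user] != "admin":  # every entry in ACTIONS is admin-only
        return HTTPStatus.FORBIDDEN
    return ACTIONS[action](org, req)


def replay_as(req, token, cookie):
    """The tester's step: keep the admin's captured request, swap in
    another principal's token and session cookie."""
    headers = dict(req.headers)
    headers["X-CRASHLYTICS-DEVELOPER-TOKEN"] = token
    headers["Cookie"] = cookie
    return Request(req.method, req.path, headers, dict(req.body))


def member_replays_admin(dispatch, action, body=None):
    """Capture an admin (alice) request for `action`, replay it as the
    member bob, and return (status code, remaining apps, member roles)."""
    org = fresh_org()
    path = f"/api/v2/organizations/{ORG_ID}/" + (
        "apps/app-1" if action == "delete_app" else "members")
    admin_req = Request("DELETE" if action == "delete_app" else "POST", path,
                        {"X-CRASHLYTICS-DEVELOPER-TOKEN": "tok-alice",
                         "Cookie": "session=sess-alice"}, body or {})
    status = dispatch(org, action, replay_as(admin_req, "tok-bob", "session=sess-bob"))
    return int(status), sorted(org.apps), dict(org.members)


if __name__ == "__main__":
    for name, d in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        print(name, member_replays_admin(d, "delete_app"))
        print(name, member_replays_admin(d, "set_role", {"user": "bob", "role": "admin"}))
```

Against dispatch_vulnerable the member's replay of the DELETE returns 200 and the app is gone, and the set_role replay makes bob an admin, which is exactly the takeover path described above; against dispatch_fixed every replay returns 403 and the organization is unchanged, while the admin's own request still succeeds. The authorization decision is made from org.members, state the server owns, and the only thing the request contributes is the identity established by authenticate().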

* Fabric.io is a Twitter acquisition, and Twitter runs a bug bounty program at https://hackerone.com/twitter.
We reported all of the vulnerabilities mentioned above to Twitter and they have been fixed.
At the time of writing we hold 2nd place on Twitter's hall of fame; see https://hackerone.com/twitter/thanks.


Tags: fabric.io, vulnerabilities, vulnerability
© 2022 WeSecureApp. All rights reserved.