Authorization vulnerability in Kamernet exposed 1.320.000 private conversations.
Due to multiple authorization vulnerabilities (which I found in the process of finding a room in Amsterdam) in Kamernet’s website, it was possible to retrieve at least 1.320.000 private conversations.
The “LoadConversationsWithMessages” endpoint in the MessagesApi didn’t verify that the conversation id provided by the user belonged to that user, which allowed anyone to read every conversation.
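A minimal model of the bug described above, as an added example that is not Kamernet’s code: a handler that looks a conversation up by id only, next to one that also checks the caller is a participant. The function names, the in-memory store and the sample messages are constructed for illustration.

```python
# Added example, not Kamernet's code: a model of the missing object-level
# authorization check on a "load conversation" endpoint. Data and names are
# constructed; handlers return (http_status, body) instead of an HTTP response.

from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Conversation:
    conversation_id: int
    participants: frozenset  # user ids allowed to read this conversation
    messages: tuple

# Constructed sample store: users 1 and 2 share one conversation, users 3 and 4
# share another. The ids reuse the range quoted in the write-up.
CONVERSATIONS = {
    11740900: Conversation(11740900, frozenset({1, 2}),
                           ("hi, is the room still available?", "yes, come by tomorrow")),
    11740901: Conversation(11740901, frozenset({3, 4}),
                           ("can I view it on Saturday?",)),
}

Response = Tuple[int, Optional[tuple]]

def load_conversation_vulnerable(current_user: int, conversation_id: int) -> Response:
    """Mirrors the described bug: the conversation is fetched by id alone and
    current_user is never compared against the participants, so any logged-in
    user can iterate over ids and read everyone's messages."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None:
        return 404, None
    return 200, conv.messages

def load_conversation_fixed(current_user: int, conversation_id: int) -> Response:
    """Object-level check: the conversation must exist AND the caller must be a
    participant. Both failures return the same 404 so the response cannot be used
    to tell 'no such id' from 'someone else's conversation', which is what made
    the valid id range easy to size in the write-up."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or current_user not in conv.participants:
        return 404, None
    return 200, conv.messages
```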
Assessing the damage
I was curious how many messages I could hypothetically access. I wrote a quick Python scraper which downloads every 10.000th conversation.
Based on the results retrieved from that script and on sample data I retrieved temporarily (I still have the SHA1 digests of the responses), we can safely assume that messages between 11740900 and 13060900 are valid.
Let’s say you’re a blackhat and you find this. What do you do? You scrape the hell out of the website until all your base r belong to us. Modifying my script to change the step size from 10.000 to 1 does exactly that.
The download speed for the messages was (in my case) 11.2 p/s (routed through Tor), so it would take about 1.36408565 days (or a day and a half for normal people) to download all 1.320.000 messages.
When I do projects like this, I create a RAM disk where I store things like Burp sessions and the Python data parsers used to create the statistical information I provide in this disclosure. The contents of a RAM disk are lost when you power down the computer (assuming you don’t live in a freezer). All the obtained data is gone, with the exception of some screenshots and a tiny set of data kept as evidence (132 messages in this case), which are stored on an encrypted drive.
Questions I asked them:
How did you verify the data wasn’t obtained by anyone else?
The Kamernet representative has told me that they have analyzed the log files and have come to the conclusion that the vulnerable endpoint was only exploited by me.
Are you going to inform the users who had their private conversations exposed?
The Kamernet representative has told me they are thinking about it.
Are you going to inform the Dutch Data Protection Authority?
The Kamernet representative has told me that they have.
Founder @ BinaryIT | Nelson.Berg@binaryit.net (PGP)
Pentester @ Securify B.V. | Nelson.Berg@securify.nl (PGP)