Unauthorized Access to api endpoint | IDOR
Categories
(Websites :: Hubs, task)
Tracking
(Not tracked)
People
(Reporter: pankajbugreport, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Hi team,
Here authorization is missing at the /api endpoint, which is leaking all project ids and other stuff without authorization.
Steps to generate:
Visit
https://hubs.mozilla.com/api/v1/media/search?source=scene_listings&filter=featured-remixable&q=a
Here: author name, project id, author, assets etc.
If we search for q=b, it will expose all details related to b.
This can also be IDOR, because manipulating the q parameter is reflecting out all data without authentication.
Comment 1•4 years ago (Reporter)
While exploring
https://hubs.mozilla.com/api/v1/projects
got 403 status. Need authentication.
For https://hubs.mozilla.com/api/v1/media/search?source=scene_listings&filter=featured-remixable&q=a
there is no authentication and can search all metadata through the q parameter.
Thank you
Comment 2•4 years ago
Hello Pankaj,
Thank you for your report.
This API might be publicly accessible to list out available scenes for users to use and the q parameter is used to do text search on the list of scenes.
Hello Brian, can you please confirm whether this API is supposed to be public or not?
Thanks,
Frida
Comment 3•4 years ago
Thanks Frida. Your conclusion was correct. This API is intentionally available to the public. It only lists information that we allow explicitly -- namely Hubs scenes that are manually approved by us for public listing. The project_id field is also intentionally public because it enables our scene "remixing" feature.
Many of Hubs' capabilities are available to users without authentication. This is part of the product by design.
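As an added illustration of the distinction drawn in the comment above (example code, not Hubs' own): a public listing endpoint that only narrows an operator-approved set and projects an explicit allowlist of fields, beside an owner-scoped endpoint that refuses anonymous callers. Scene records, field names and tokens are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scene:
    project_id: str
    name: str
    author: str
    approved_for_listing: bool  # set manually by the operator, never by the user
    allow_remixing: bool
    owner_token: str  # private credential; must never reach a public response


# Constructed sample records (hypothetical, not real Hubs data).
SCENES = [
    Scene("p-101", "Alpine cabin", "ann", True, True, "tok-a"),
    Scene("p-102", "Beach house", "bob", True, False, "tok-b"),
    Scene("p-103", "Abandoned lab", "cam", False, True, "tok-c"),
]

# Explicit projection: only these fields may ever appear in the public listing.
PUBLIC_FIELDS = ("project_id", "name", "author")


def public_scene_search(q: str, listing_filter: str = "featured-remixable") -> list[dict]:
    """Unauthenticated search: operator-approved scenes only, allowlisted fields only.

    The q parameter can only narrow the approved set, never widen it; that is
    what separates an intentional public listing from an IDOR.
    """
    needle = q.lower()
    results = []
    for s in SCENES:
        if not s.approved_for_listing:
            continue
        if listing_filter == "featured-remixable" and not s.allow_remixing:
            continue
        if needle not in s.name.lower():
            continue
        results.append({f: getattr(s, f) for f in PUBLIC_FIELDS})
    return results


def list_projects(auth_token: Optional[str]) -> tuple[int, Optional[list[dict]]]:
    """Owner-scoped endpoint: 403 for anonymous callers, otherwise only the
    caller's own projects (approved or not)."""
    if auth_token is None:
        return 403, None
    owned = [{"project_id": s.project_id, "name": s.name}
             for s in SCENES if s.owner_token == auth_token]
    return 200, owned
```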
Comment 4•4 years ago
Thanks Brian.
Hello Pankaj, based on the feedback from Brian, we will close this issue. Thanks again for your report and interest in our program.