Information disclosure #203

@0xygyn-X

Description

Describe the bug

Affected functionality: https://app.aixblock.io/marketplace/models

"Marketplace Modal" section of AIxBlock platform

Misconfigured endpoint: /api/user

Bug type: Information disclosure

Information disclosure:
A security misconfiguration in the "Marketplace Modal" section of the AIxBlock platform allows unauthorized READ access to other customers' personal data, as the system makes default API calls to 6 endpoints (pointing to some internal users) that are not required to use the AIx marketplace.

The security misconfiguration allows the affected functionality to make 6 API calls to endpoints that disclose other users' information; the CEO's account (ID 8553, username=14i2bc4xv2) and the AIx Admin Test account information were also disclosed.

/api/user/1
/api/user/2
/api/user/6
/api/user/680
/api/user/717
/api/user/8335

To Reproduce
Steps to reproduce the behavior:

  1. Go to "https://app.aixblock.io/marketplace/" --> "Marketplace Modal" section of the AIxBlock platform
  2. Turn on intercept
  3. Click on "Models"
  4. Watch how AIxBlock makes default calls (with zero interaction from users) to about 6 endpoints (as seen above) and also discloses their information.

disclosed data: {"id":XXXX,"first_name":"XXXX","last_name":"XXXX","avatar":XXXX,"username":"XXXX"}.

Expected behavior
/api/user/ID needs to be disabled / deprecated as it is not required for the "Marketplace Modal" section of the AIxBlock platform to be used.

Screenshots
Attached video

Desktop:

  • OS: Ubuntu
  • Browser: Firefox

Additional context
The 6 unique endpoints are called by default and this is constant across sessions (i.e. once you click on AIxBlock marketplace models, AIx will make those 6 default calls to the AIx server without your interaction).
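Added example (not code from this report or from AIxBlock): an in-memory stand-in for the /api/user/<id> endpoint that models the reported behaviour (any logged-in caller can read any user's record) next to a hardened version that enforces object-level authorization, plus a replay of the six default calls against each handler to show what leaks. All user records, names and the session user ID 9000 are constructed; only the six paths are taken from the report.

```python
"""Model of the /api/user/<id> information disclosure.

Added example, not AIxBlock code. Everything here is an in-memory stand-in:
user records, names and the session user (ID 9000) are constructed. The six
request paths are the ones listed in the report.
"""
import re
from typing import Optional

# Constructed sample records; the field set matches the disclosed shape
# {"id", "first_name", "last_name", "avatar", "username"} quoted in the report.
USERS = {
    1:    {"id": 1,    "first_name": "Ann", "last_name": "One",    "avatar": None,    "username": "ann1"},
    2:    {"id": 2,    "first_name": "Bob", "last_name": "Two",    "avatar": None,    "username": "bob2"},
    6:    {"id": 6,    "first_name": "Cat", "last_name": "Six",    "avatar": "c.png", "username": "cat6"},
    680:  {"id": 680,  "first_name": "Dan", "last_name": "Eight",  "avatar": None,    "username": "dan680"},
    717:  {"id": 717,  "first_name": "Eve", "last_name": "Seven",  "avatar": "e.png", "username": "eve717"},
    8335: {"id": 8335, "first_name": "Fay", "last_name": "Admin",  "avatar": None,    "username": "fay8335"},
    9000: {"id": 9000, "first_name": "Me",  "last_name": "Tester", "avatar": None,    "username": "tester"},
}

# The six default calls observed in the report.
DEFAULT_CALLS = [
    "/api/user/1", "/api/user/2", "/api/user/6",
    "/api/user/680", "/api/user/717", "/api/user/8335",
]

ROUTE = re.compile(r"^/api/user/(\d+)$")


def parse_user_id(path: str) -> Optional[int]:
    """Extract the numeric ID from /api/user/<id>; None if the path does not match."""
    m = ROUTE.match(path)
    return int(m.group(1)) if m else None


def user_endpoint_vulnerable(path: str, session_user_id: Optional[int]):
    """Reported behaviour: any logged-in caller gets any user's full record.

    Returns (status, body). Authentication is checked, authorization is not,
    so the ID in the URL is trusted as-is (an IDOR / object-level auth gap).
    """
    uid = parse_user_id(path)
    if uid is None:
        return 404, None
    if session_user_id is None:
        return 401, None
    rec = USERS.get(uid)
    return (200, dict(rec)) if rec else (404, None)


def user_endpoint_hardened(path: str, session_user_id: Optional[int]):
    """Hardened behaviour: a caller may only read their own record.

    Foreign IDs and unknown IDs both return 404 so the endpoint cannot be
    used to enumerate which user IDs exist. If the marketplace does not need
    this data at all, removing the route (as the report suggests) is simpler.
    """
    uid = parse_user_id(path)
    if uid is None:
        return 404, None
    if session_user_id is None:
        return 401, None
    if uid != session_user_id:
        return 404, None
    rec = USERS.get(uid)
    return (200, dict(rec)) if rec else (404, None)


def replay(handler, paths, session_user_id: int) -> dict:
    """Replay captured requests and return {path: body} for every response that
    handed back a record belonging to someone other than the session user."""
    leaked = {}
    for p in paths:
        status, body = handler(p, session_user_id)
        if status == 200 and body["id"] != session_user_id:
            leaked[p] = body
    return leaked


if __name__ == "__main__":
    for name, h in (("vulnerable", user_endpoint_vulnerable),
                    ("hardened", user_endpoint_hardened)):
        leaked = replay(h, DEFAULT_CALLS, session_user_id=9000)
        print(f"{name}: {len(leaked)} foreign records returned")
        for p, body in leaked.items():
            print("  ", p, "->", body)
```

Running the module replays the six calls as the constructed user 9000: the vulnerable handler returns all six foreign records with first name, last name and username, while the hardened handler returns none of them and still serves /api/user/9000 to its owner.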
