Description
Describe the bug
Affected functionality: https://app.aixblock.io/marketplace/models
"Marketplace Modal" section of AIxBlock platform
Misconfigured endpoint: /api/user
Bug type: Information disclosure
Information disclosure:
A security misconfiguration in the "Marketplace Modal" section of the AIxBlock platform allows unauthorized READ access to another customer's personal data, as the system makes default API calls to 6 endpoints (pointing to some internal users) that are not required to use the AIx marketplace.
The security misconfiguration allows the affected functionality to make 6 API calls to endpoints that disclose other users' information; the CEO's account (ID 8553, username=14i2bc4xv2) and the AIx Admin Test account information were also disclosed.
/api/user/1
/api/user/2
/api/user/6
/api/user/680
/api/user/717
/api/user/8335
To Reproduce
Steps to reproduce the behavior:
- Go to "https://app.aixblock.io/marketplace/" --> "Marketplace Modal" section of AIxBlock platform
- Turn on intercept
- Click on "Models"
- Watch how AIxBlock makes default calls (with zero interaction from the user) to about 6 endpoints (as listed above) and discloses their information.
disclosed data: {"id":XXXX,"first_name":"XXXX","last_name":"XXXX","avatar":XXXX,"username":"XXXX"}.
Expected behavior
/api/user/ID needs to be disabled / deprecated, as it is not required for the "Marketplace Modal" section of the AIxBlock platform to be used.
Screenshots
Attached video
Desktop (please complete the following information):
- OS: Ubuntu
- Browser: Firefox
Additional context
The 6 unique endpoints are called by default, and this is constant across sessions (i.e. once you click on AIxBlock marketplace models, AIx makes those 6 default calls to the AIx server without your interaction).
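The following is an added example and not AIxBlock's code or the reporter's: an in-memory model of the `/api/user/<id>` endpoint from this report in the reported (vulnerable) form and in a hardened form, plus the probe a tester would run against both to confirm whether other users' `first_name`/`last_name` come back. It assumes the platform authenticates the caller and knows its user id (`requester_id`), uses a constructed `USERS` table in place of the real database (the ids are the six listed in the report; every other value is made up), and the "same 404 for anything that is not your own record" policy is one hardening choice, not the vendor's fix.

```python
"""Added example (not AIxBlock code): /api/user/<id> modelled in memory,
once as reported and once with object-level authorization, plus the probe
used to compare them. All data below is constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Keys the report shows in the disclosed JSON; the name fields are the PII.
DISCLOSED_KEYS = {"id", "first_name", "last_name", "avatar", "username"}
PII_FIELDS = {"first_name", "last_name"}

# Constructed sample data: ids match the six in the report, values are fake.
USERS: Dict[int, dict] = {
    1:    {"id": 1,    "first_name": "Ann", "last_name": "One",   "avatar": None, "username": "u1"},
    2:    {"id": 2,    "first_name": "Bob", "last_name": "Two",   "avatar": None, "username": "u2"},
    6:    {"id": 6,    "first_name": "Cat", "last_name": "Six",   "avatar": None, "username": "u6"},
    680:  {"id": 680,  "first_name": "Dan", "last_name": "Six80", "avatar": None, "username": "u680"},
    717:  {"id": 717,  "first_name": "Eve", "last_name": "Seven", "avatar": None, "username": "u717"},
    8335: {"id": 8335, "first_name": "Fay", "last_name": "Eight", "avatar": None, "username": "u8335"},
}

REPORTED_IDS = [1, 2, 6, 680, 717, 8335]


@dataclass
class Response:
    status: int
    body: dict


Handler = Callable[[int, int], Response]


def get_user_vulnerable(requester_id: int, user_id: int) -> Response:
    """The behaviour the report describes: any signed-in caller can read any
    user's record, so the id in the URL is the only 'authorization'.
    (requester_id is accepted but never consulted: that is the bug.)"""
    rec = USERS.get(user_id)
    if rec is None:
        return Response(404, {"detail": "Not found."})
    return Response(200, dict(rec))


def get_user_hardened(requester_id: int, user_id: int) -> Response:
    """Object-level authorization (assumed policy): the full record is returned
    only to its owner. Any other id, existing or not, gets an identical 404 so
    the endpoint cannot be used to enumerate which ids are real."""
    if user_id != requester_id or user_id not in USERS:
        return Response(404, {"detail": "Not found."})
    return Response(200, dict(USERS[user_id]))


def probe(handler: Handler, requester_id: int, ids: List[int]) -> List[int]:
    """The tester's check from the report: request each id as one signed-in
    user and return the ids whose 200 response carries someone else's PII."""
    leaked = []
    for uid in ids:
        resp = handler(requester_id, uid)
        if resp.status == 200 and uid != requester_id and PII_FIELDS & resp.body.keys():
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    # Signed in as user 680, replay the six default calls against both handlers.
    print("vulnerable leaks:", probe(get_user_vulnerable, 680, REPORTED_IDS))
    print("hardened leaks:  ", probe(get_user_hardened, 680, REPORTED_IDS))
```

The probe deliberately ignores the caller's own record, because a user reading their own profile is expected; what matters is every other id that returns name fields with a 200. In the hardened handler the forbidden and nonexistent cases are indistinguishable on purpose: answering 403 for real ids and 404 for fake ones would still let a caller map out which ids exist.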