Epic Games -- IDOR worth 10,000$ on Epic Games Service Bandcamp

 Company Information : 


Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, Maryland.



Title : 

Comment from any user account (including the owner) on all the assets (Artist feed, Live streaming, etc.) on Bandcamp [IDOR]



Bug Category : 
Insecure direct object reference (IDOR) : 
Insecure direct object reference is a type of access control vulnerability in digital security. It occurs when a web application or application programming interface uses a client-supplied identifier for direct access to an object in an internal database but does not check whether the caller is authorized to act on that object.



Target  Information : 

http://bandcamp.com



Technical Details of the Bug : 

Summary: Bandcamp is an application for artists, where individual artists can sell albums/tracks/merch, host live streaming events and listening parties, run fan feeds, etc. All of those places have a comment section. Ex: When an artist organises a live stream, there is a comment section where the owner (artist), moderators and fans can comment and chat. In my testing I found that it's possible to comment from any user account (including owner/moderators) on any of the assets on Bandcamp. I am reporting all the assets in one report as the HTTP request and the vulnerable parameter are the same for all of them.

Impacted components :

1. Live stream comment section
2. Listening party comment section
3. Artist Subscriber Feed

Vulnerable HTTP Request :

POST /api/community/1/add_comment HTTP/2
Host: vijayk007.bandcamp.com
Cookie: cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://vijayk007.bandcamp.com/live/vk007-public-album-listening-party-3
Content-Type: application/json
Content-Length: 251
Origin: https://vijayk007.bandcamp.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"user_id":3545446276,"band_id":2734262326,"token":"1:0:le:10446:0:0","comment":"Hey man ","bc_commenting":true,"socket_id":"11669.8918086","commenting_band_id":1203459936,"crumb":"|api/community/1/add_comment|1691664078|TWDBHcKY+W7dSyLrpKv0iH560Cs="}


Vulnerable Parameter :

commenting_band_id

Description :

commenting_band_id is the band_id parameter that is assigned to every artist user. This ID is public and available in the source of the artist profile; it is also numeric and incremental. When you add a comment, the "commenting_band_id" parameter is null. But if you put any band_id into the comment request, the comment is posted on behalf of that user. You can use the band_id of any user, such as the organiser of the live stream, and the comment will be posted as the owner. The server trusts the client-supplied identity instead of checking that the logged-in session actually controls that band.

Platform(s) Affected: https://subdomain.bandcamp.com
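The following is an added example, not Bandcamp's code and not the fix Bandcamp deployed (the report does not say how it was resolved). It models the add_comment endpoint as a small in-memory service: the vulnerable version attributes the comment to whatever commenting_band_id the client sends, the hardened version treats that value as an authorization claim and checks it against the session user's band ownership, and an audit function finds comments that were displayed under a band the posting user did not control. All user IDs, band IDs, names and request bodies are constructed for the example.

```python
# Added example (not Bandcamp's code): minimal model of the add_comment
# endpoint from this report. Vulnerable attribution logic beside a hardened
# version, plus an audit over stored comments. All IDs and data are constructed.
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when the session user does not control the requested band identity."""


@dataclass
class Comment:
    posted_by_user: int           # user id taken from the server-side session
    shown_as_band: Optional[int]  # band the comment is displayed under (None = plain user comment)
    text: str


@dataclass
class CommentService:
    # band_id -> user_id of the account that controls that artist page (constructed data)
    band_owners: dict
    comments: list = field(default_factory=list)

    def add_comment_vulnerable(self, session_user_id: int, body: dict) -> Comment:
        """Vulnerable: commenting_band_id is taken from the request body as-is.
        Anyone who sends the owner's public, incremental band_id posts as the owner."""
        comment = Comment(
            posted_by_user=session_user_id,
            shown_as_band=body.get("commenting_band_id"),
            text=body["comment"],
        )
        self.comments.append(comment)
        return comment

    def add_comment_fixed(self, session_user_id: int, body: dict) -> Comment:
        """Hardened: a band identity may only be used by the session user that
        controls it. The client-supplied value is a claim to be verified, not a fact."""
        band_id = body.get("commenting_band_id")
        if band_id is not None and self.band_owners.get(band_id) != session_user_id:
            raise Forbidden(f"user {session_user_id} does not control band {band_id}")
        comment = Comment(posted_by_user=session_user_id, shown_as_band=band_id, text=body["comment"])
        self.comments.append(comment)
        return comment

    def find_spoofed(self) -> list:
        """Audit: comments shown under a band whose owner is not the posting user.
        Useful for reviewing data written before the check above existed."""
        return [
            c for c in self.comments
            if c.shown_as_band is not None
            and self.band_owners.get(c.shown_as_band) != c.posted_by_user
        ]


# Constructed scenario: user 101 owns band 5001 (the listening-party host);
# user 202 is a different account that owns band 5002.
BAND_OWNERS = {5001: 101, 5002: 202}
SPOOF_BODY = {"band_id": 5001, "commenting_band_id": 5001, "comment": "Hey man "}


def demo() -> dict:
    """Run the spoofed request against both versions and audit the vulnerable store."""
    vuln = CommentService(dict(BAND_OWNERS))
    spoofed = vuln.add_comment_vulnerable(session_user_id=202, body=SPOOF_BODY)

    fixed = CommentService(dict(BAND_OWNERS))
    try:
        fixed.add_comment_fixed(session_user_id=202, body=SPOOF_BODY)
        rejected = False
    except Forbidden:
        rejected = True
    # Legitimate uses still work: posting as a band you own, or as a plain user.
    own = fixed.add_comment_fixed(202, {"band_id": 5001, "commenting_band_id": 5002, "comment": "own band"})
    fan = fixed.add_comment_fixed(202, {"band_id": 5001, "commenting_band_id": None, "comment": "as a fan"})

    return {
        "vulnerable_shown_as": spoofed.shown_as_band,   # 5001: displayed as the host
        "fixed_rejected_spoof": rejected,               # True
        "fixed_allows_own_band": own.shown_as_band,     # 5002
        "fixed_allows_plain_user": fan.shown_as_band,   # None
        "spoofed_found_by_audit": len(vuln.find_spoofed()),  # 1
    }


if __name__ == "__main__":
    print(demo())
```

The key design point is that the check is keyed on the server-side session user, not on anything in the JSON body: user_id, band_id and commenting_band_id are all attacker-controlled fields, and the crumb only proves the request came from a page the same client loaded, not that the client may speak for that band. The audit function also shows why storing the real session user alongside the displayed identity matters; without it, spoofed comments written before a fix cannot be told apart from legitimate ones.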

Steps To Reproduce:

You will need two accounts to reproduce the issue. I am showing the steps through a Listening party as it's easy to reproduce.

1. Log in from the victim artist account (one with album/tracks).
2. Now create a new listening party. (Listening parties can be scheduled at least one hour ahead, so you need to wait once you create one.)
3. Once your listening party is live, you will see the comment section.
4. The listening party link would look like the one below.
   https://vijayk007.bandcamp.com/live/vk007-public-album-listening-party-5
5. Now log in from the attacker account and open the victim's listening party link.
6. Now the attacker will be able to comment here. (Open the source code and search for band_id; it is the victim's band_id.)
7. Create a comment and intercept the request.
8. The request would look something like the request shown above.
9. Change the "commenting_band_id" value from null to any other artist's band_id, or to the ID captured in step 6.
10. Send the request to the server and you will notice that the comment appears as posted by the listening party artist owner/admin.
11. You can comment from any artist account with this attack.
12. You can reproduce it for Live stream and Artist subscriber feed too.

Impact :

It directly impacts the integrity of user data. Comments anywhere on the Bandcamp website can no longer be trusted. Since many of these sections are public and free, the attack can be carried out anywhere. There is no way to tell whether a comment is legitimate, even if it appears to come from event owners or artists.



Timeline : 



August 13th 2023: Report sent to Apple product Security Team through email.

August 21st 2023: Report accepted and triaged.

August 31st 2023: Complete issue was resolved and confirmed.

August 31st 2023: 10000$ bounty rewarded.


