Authorization vulnerability in Kamernet exposed 1.320.000 private conversations.

Timeline


Introduction

Due to multiple authorization vulnerabilities in Kamernet’s website (which I found while looking for a room in Amsterdam), it was possible to retrieve at least 1.320.000 private conversations.

Data breach

The “LoadConversationsWithMessages” endpoint in the MessagesApi didn’t verify that the conversation id provided by the user belonged to that user, allowing you to read every conversation.

Screenshot (exploit): API call retrieving a message I shouldn’t have access to. I blacked out some sensitive information, but kept some in to give you an idea. The content of the messages tends to be very personal in nature, because the person interested in the room wants to gain the trust of the person renting the room out.
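To make the flaw concrete, here is an added example (my own illustration, not Kamernet’s code) of the broken lookup next to its fixed form, plus a small log heuristic of the kind a provider could use to spot the sequential scraping described later in this post. The ids, user names, threshold and store are all constructed.

```python
# Added example (not Kamernet's code): a conversation-loading endpoint
# modelled on the "LoadConversationsWithMessages" flaw described above.
# All names, ids and data here are constructed for illustration.
from dataclasses import dataclass, field
from collections import defaultdict

@dataclass
class Conversation:
    id: int
    participants: frozenset  # user ids allowed to read this thread
    messages: list = field(default_factory=list)

# Constructed sample store: two unrelated threads.
STORE = {
    11740900: Conversation(11740900, frozenset({"alice", "landlord-1"}),
                           ["Hi, is the room still available?"]),
    11750900: Conversation(11750900, frozenset({"bob", "landlord-2"}),
                           ["I can pay the deposit tomorrow."]),
}

def load_conversation_vulnerable(conversation_id, current_user):
    """The flawed pattern: the caller is authenticated, but the id is
    never tied to that caller, so any id returns its messages."""
    conv = STORE.get(conversation_id)
    return (200, conv.messages) if conv else (404, None)

def load_conversation_fixed(conversation_id, current_user):
    """Hardened: the lookup is scoped to the caller. A thread the caller
    is not part of is reported as 404, exactly like a missing one, so
    the endpoint also stops confirming which ids exist."""
    conv = STORE.get(conversation_id)
    if conv is None or current_user not in conv.participants:
        return (404, None)
    return (200, conv.messages)

def enumeration_suspects(access_log, threshold=20):
    """Detection side (assumed heuristic): from (user, conversation_id,
    status) tuples, flag users who successfully read more distinct
    conversations than a genuine room seeker plausibly has."""
    seen = defaultdict(set)
    for user, conv_id, status in access_log:
        if status == 200:
            seen[user].add(conv_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```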

Assessing the damage

I was curious how many messages I could hypothetically access. I wrote this quick Python scraper, which downloads every 10.000th conversation.

Screenshot (Python scraper): Python code to retrieve every 10.000th message. Yes, the code quality is not superb; I was only planning to use it once.

So, based on the results retrieved by the above script and on sample data I retrieved temporarily (I still have the SHA1 digest of the responses), we can safely assume messages between 11740900 and 13060900 are valid.

Attack scenario

Let’s say you’re a blackhat, and you find this. What do you do? You scrape the hell out of the website until all your base r belong to us. Modifying my script to change the step size from 10.000 to 1 does exactly that.

The download speed for the messages was (in my case) 11.2 p/s (routed through Tor), so it would take about 1.36408565 days (or a day and a half, for normal people) to download all 1.320.000 messages.

Q&A

What did you do with the data?
When I do projects like this, I create a RAM disk where I store things like Burp sessions and the Python data parsers used to create the statistical information I provide in this disclosure. The contents of a RAM disk are lost when you power down the computer (assuming you don’t live in a freezer). All the obtained data is gone, with the exception of some screenshots and a tiny set of data kept as evidence (132 messages in this case), which are stored on an encrypted drive.

Questions I asked them:

How did you verify the data wasn’t obtained by anyone else?

The Kamernet representative has told me that they have analyzed the log files and have come to the conclusion that the vulnerable endpoint was only exploited by me.

Are you going to inform the users which had their private conversations exposed?

The Kamernet representative has told me they are thinking about it.

Are you going to inform the Dutch Data Protection Authority?

The Kamernet representative has told me that they have.


Author

Nelson Berg (Information Security Advisor @ Securify B.V)
