Filepicker API key without domain restriction can be abused. Can be used by anyone on any website.

Disclosed by
cybxis
  • Engagement Statuspage
  • Disclosed date almost 3 years ago
  • Points 5
  • Priority P4 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by Statuspage

Security misconfiguration of filepicker API key vulnerability in Statuspage

Summary by cybxis

Exposed and unsecured Filepicker API key can be used on any website.

Report details
  • Submitted

  • Target Location

    manage.statuspage.io
  • Target category

    Web App

  • VRT

    Sensitive Data Exposure > Critically Sensitive Data > Private API Keys
  • Priority

    P4
  • Bug URL
    https://manage.statuspage.io/pages/frww6l2dpfc2/quick-setup/customize
  • Description

    On https://manage.statuspage.io/, whenever a user uploads a brand logo, the site uses the 3rd-party upload platform filepicker.io, and you will get the request provided below in the "Trace dump / HTTP request" section. It is URL encoded, but if you decode it you will get the apikey value "AH8YrLApsTCitKuh29LiNz". I am pretty sure that the subscription for this apikey is not FREE, for there is an s3/cloudfront integration and this kind of commercial use does not fit a FREE plan, for there is only a 100 upload monthly limit. REFERENCE: https://www.filestack.com/pricing/

    Based on this question on Stackoverflow, there is no issue with an exposed filepicker API key, because users can whitelist the domains that are authorized to use the key. However, this whitelisting is not present on the manage.statuspage.io website.

    Proof of concept

    I created a jsfiddle with the filestack platform and provided your API key. Here is the link: https://jsfiddle.net/x76jvo3y/. As you can see, your key is provided there. Now try to upload a file from any source, such as your local machine, web search, or a link.
    Response:
    stat1.png

    This means the upload went through without any restriction. This proves that the key has no restriction and can be used on any website, such as jsfiddle. Here is an example of a domain-restricted key. This one is mine: https://jsfiddle.net/x76jvo3y/1/

    Steps to reproduce

    1. Register and login at https://manage.statuspage.io/
    2. Upload brand logo
    3. Intercept the request until you encounter the request given below
    4. Decode the URL encoding and you will get this API key: AH8YrLApsTCitKuh29LiNz
    5. Go to this JSfiddle Link: https://jsfiddle.net/gh/get/library/pure/filestack/filestack-js/tree/master/examples/picker
    6. Provide the key in the api_key slot and RUN, then upload.

    Mitigation

    To set a domain restriction on the key, go to https://dev.filestack.com/apps/AH8YrLApsTCitKuh29LiNz/whitelisted-domains/ (this is exactly the key I've already provided) and add domain whitelisting for your key. You can set wildcards or any style. This prevents any unauthorized use of the key.

    IMPACT

    • Anyone can freely use the API key on any website.
    • Since this is a paid service from filestack, every upload counts; if the key is used on more unauthorized sites, the limit will be consumed faster.
    • This can cause unauthorized usage and lead to unwanted financial charges.
  • HTTP request
    OPTIONS /api/upload/?_cachebust=1591849687&js_session=%7B%22apikey%22:%22AH8YrLApsTCitKuh29LiNz%22,%22mimetypes%22:%5B%22image%2Fpng%22,%22image%2Fjpeg%22,%22image%2Fjpeg%22,%22image%2Fsvg%2Bxml%22,%22image%2Fgif%22,%22image%2Fvnd.microsoft.icon%22%5D,%22persist%22:false,%22version%22:%22v2%22,%22storeLocation%22:null,%22storePath%22:null,%22storeContainer%22:null,%22storeAccess%22:%22private%22,%22storeRegion%22:null,%22extensions%22:%5B%22.png%22,%22.jpg%22,%22.jpeg%22,%22.svg%22,%22.gif%22,%22.ico%22%5D,%22external%22:true%7D HTTP/1.1
    Host: www.filepicker.io
    Connection: close
    Accept: */*
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: access-control-allow-headers,access-control-allow-origin,x-requested-with
    Origin: https://dialog.filepicker.io
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Sec-Fetch-Dest: empty
    Referer: https://dialog.filepicker.io/dialog/open/?key=AH8YrLApsTCitKuh29LiNz&id=1591849467479&referrer=manage.statuspage.io&iframe=true&version=v2&s=1,3,5,4,7&container=modal&language=en_us&plugin=js_lib&ext=.png,.jpg,.jpeg,.svg,.gif,.ico&co=crop
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
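The request above carries the Filepicker API key inside the URL-encoded js_session JSON, and the fix is Filestack's whitelisted-domains setting. The Python below is an added example, not code from this report, from Statuspage, or from Filestack: it pulls the apikey out of a captured upload request so an application owner can inventory which keys their own pages expose, identifies the embedding site (the Origin is the filepicker dialog iframe, so the customer site is carried in the Referer's referrer parameter), and models a domain whitelist check with wildcard patterns. The request text and the key value in it are constructed placeholders, and treating an empty whitelist as "no restriction" is an assumption made for the model, not a statement about Filestack's implementation.

```python
"""Added example (not code from the report, Statuspage, or Filestack).

Extracts the Filepicker/Filestack apikey from a captured upload request and
models the whitelisted-domains mitigation with shell-style wildcard patterns.
"""
import fnmatch
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the OPTIONS request in the report.
# The key and id values are placeholders, not real credentials.
SAMPLE_REQUEST = """OPTIONS /api/upload/?_cachebust=1591849687&js_session=%7B%22apikey%22:%22EXAMPLEKEY0000000000%22,%22mimetypes%22:%5B%22image%2Fpng%22%5D,%22persist%22:false,%22version%22:%22v2%22,%22external%22:true%7D HTTP/1.1
Host: www.filepicker.io
Origin: https://dialog.filepicker.io
Referer: https://dialog.filepicker.io/dialog/open/?key=EXAMPLEKEY0000000000&id=0000000000000&referrer=manage.statuspage.io&iframe=true&version=v2
"""


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request (request line plus headers) into parts."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_filepicker_apikey(target):
    """Return the apikey carried in the URL-encoded js_session JSON, or None."""
    query = parse_qs(urlsplit(target).query)
    session = query.get("js_session")
    if not session:
        return None
    try:
        return json.loads(session[0]).get("apikey")
    except (ValueError, AttributeError):
        return None


def embedding_site(headers):
    """Host of the page that embedded the picker.

    The dialog runs in an iframe on dialog.filepicker.io, so Origin names the
    iframe; the customer site is in the Referer's ``referrer`` query parameter.
    Falls back to the Origin host when that parameter is absent.
    """
    referer = headers.get("referer", "")
    referrer = parse_qs(urlsplit(referer).query).get("referrer")
    if referrer:
        return referrer[0].lower()
    origin = headers.get("origin")
    return urlsplit(origin).hostname if origin else None


def domain_allowed(host, whitelist):
    """Model of a whitelisted-domains check (assumption: an empty whitelist
    means no restriction, which is the misconfiguration in the report).
    Patterns may use wildcards, e.g. '*.statuspage.io'."""
    if not whitelist:
        return True
    host = host.lower()
    return any(fnmatch.fnmatchcase(host, pattern.lower()) for pattern in whitelist)


def audit(raw_request, whitelist):
    """Summarise one captured request: which key it exposes, which site used
    it, and whether the modelled whitelist would have allowed that site."""
    _method, target, headers = parse_raw_request(raw_request)
    key = extract_filepicker_apikey(target)
    site = embedding_site(headers)
    allowed = domain_allowed(site, whitelist) if site else None
    return {"apikey": key, "site": site, "allowed": allowed}


if __name__ == "__main__":
    print("unrestricted key:", audit(SAMPLE_REQUEST, []))
    print("whitelisted key: ", audit(SAMPLE_REQUEST, ["*.statuspage.io"]))
    print("third-party site:", domain_allowed("jsfiddle.net", ["*.statuspage.io"]))
```

Running the block against the constructed request shows the key extracted and the site resolved to manage.statuspage.io; with an empty whitelist the model allows any host (the reported state), while with a pattern such as *.statuspage.io a request embedded from a third-party site is rejected.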