This is a more in-depth view of vulnerability report T1, which appears not to have been properly fixed, since the fix can be bypassed fairly easily.
Summary
Although a security check is in place for some endpoints of the accesuniversitat.gencat.cat API, appending a trailing slash to the endpoint URL bypasses that check.
Reproduction steps
1. Open Chrome.
2. Access https://accesuniversitat.gencat.cat/accesuniversitat/login.
3. Open the Developer Tools and go to the Network tab.
4. Sign in with a student account by entering the DNI and password of the account and clicking Accedir.
5. In the Developer Tools, open the last request made to the https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/login/token API endpoint by clicking its entry, and go to the Response tab. There, copy or take note of the token provided by the server.
As an example, the server will return something like {"token":"abcdef","hostName":"lt20stx2.cpd2.intranet.gencat.cat","activeSessions":1}, where abcdef is the token we're looking for.
6. Open a terminal (make sure curl is installed) and execute the following commands, where {token} is the token retrieved in step 5:
- curl --header "Authentication: Bearer {token}" https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants/1218208/
- curl --header "Authentication: Bearer {token}" https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants/?page={page}, where {page} is the number of the page you want to load (for instance, 1).
7. The first command retrieves information about the user specified in the request (in this case, 1218208) even if it is not the user who signed in; changing the user id in the path returns information about a different user. The second command retrieves information about a subset of users in a paginated manner (in the same way as the first command, but returning multiple users at once).
Attack vector
This vulnerability can be used to programmatically obtain the personal and sensitive information of thousands of Catalan people who are registered on this governmental website. This includes their birthdays, home addresses, email addresses, DNIs, and phone numbers. Therefore, I think this vulnerability should be fixed as soon as possible.
Suggested resolution
In order to fix this vulnerability, the security check that already rejects these requests when the path has no trailing slash (for instance https://accesuniversitat.gencat.cat/accesuniversitat/accesuniversitat-rs/AppJava/api/v1/estudiants) should also be applied to requests whose path ends with a slash.
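One way to implement the suggested resolution, as an added Python example that is not the site's code: canonicalise the request path before the access decision, so that a trailing slash (or any other equivalent spelling of the same path) reaches the same rule as the plain path. The route layout, the student ids and the fail-open behaviour of the unpatched filter are assumptions used to model the report.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed layout of the API described in the report (not the site's real code):
#   /api/v1/estudiants        -> collection listing, staff only
#   /api/v1/estudiants/{id}   -> one record, readable by staff or by that student
API_PREFIX = "/accesuniversitat/accesuniversitat-rs/AppJava/api/v1"
RECORD_RE = re.compile(re.escape(API_PREFIX) + r"/estudiants/(\d+)")


def canonical_path(raw: str) -> str:
    """Reduce a request URL to one canonical path before any access decision.

    urlsplit drops the query string (?page=1); posixpath.normpath removes a
    trailing slash and other redundant segments, so '/estudiants/42/' and
    '/estudiants/42' become the same string and hit the same rule.
    """
    path = urlsplit(raw).path or "/"
    return posixpath.normpath(path)


def _decide(path: str, user_id: int, is_staff: bool) -> bool:
    """Model of the filter in the report: rules match the path literally and a
    path that matches no rule is passed on to the handler (fail-open).
    A default-deny here would be a further hardening beyond the report."""
    if path == API_PREFIX + "/estudiants":
        return is_staff
    m = RECORD_RE.fullmatch(path)
    if m:
        return is_staff or int(m.group(1)) == user_id
    return True  # unguarded spelling of a guarded path: the bug lives here


def naive_authorize(raw: str, user_id: int, is_staff: bool) -> bool:
    """Vulnerable: compares the path as sent, so a trailing slash matches no rule."""
    return _decide(urlsplit(raw).path, user_id, is_staff)


def fixed_authorize(raw: str, user_id: int, is_staff: bool) -> bool:
    """Fixed: canonicalise first, so every spelling of a path meets the same rule."""
    return _decide(canonical_path(raw), user_id, is_staff)


if __name__ == "__main__":
    student = 1  # constructed: a signed-in student who is not user 1218208
    for url in (API_PREFIX + "/estudiants/1218208/", API_PREFIX + "/estudiants/?page=1"):
        print(url, "naive:", naive_authorize(url, student, False),
              "fixed:", fixed_authorize(url, student, False))
```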
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.