Improper Access Control in openwhyd/openwhyd

Valid

Reported on

May 24th 2021


✍️ Description

Youtube API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account.

🕵️‍♂️ Proof of Concept

Visit following link to verify anyone can access the api key:

https://www.googleapis.com/youtube/v3/search?part=snippet&q=YouTube+Data+API&type=video&key=AIzaSyCAZvC5tsGWWA2I2cKKsbfaqjwtXfr4bmg

Attacker can abuse the key to quota exceed and cause the billing if enabled. However with the proper restrictions, it should return a Forbidden error.

💥 Impact

Attacker is able to abuse your API key. If billing is enabled in your profile, attackers can use your key while your account gets charged.

Adrien Joly
a year ago

Maintainer


Hi Daemon, thank you for reporting this vulnerability! I agree that we could prevent the abuse of YouTube API quota associated with this key if we restricted its allowed domains. That said, we have not enabled billing on that account, so I wouldn't qualify that vulnerability as a "high severity". Based on this explanation, would you agree to decrease the severity of this issue?

D43M0N
a year ago

Researcher


Hello @Adrien Joly , thanks for confirming the issue. I reported as 'high severity' considering billing as the context. However, abuse of the key can exceed daily quota resulting improper functionality of the application. And neither the maintainer nor the reporter has the option to redo the severity as of now. I reported the issue with the support team and do you consider this as a medium severity?

Adrien Joly
a year ago

Maintainer


Thank you for the clarification. Medium severity seems fair!

D43M0N
a year ago

Researcher


Hello @Adrien Joly, reconsidering the severity, qualify and patch the issue. Thanks.

Adrien Joly
a year ago

Maintainer


...and I just fixed it from Google API Console! 🎉

Can you confirm that the domain restriction is now active on your end?

Adrien Joly
a year ago

Maintainer


I'd love to send the bounty over to you, but it seems that I need to select a commit from our github repo in order to do that... (if I understand this website well)

D43M0N
a year ago

Researcher


Yup the restriction is now active and the issue can be closed as patched.

D43M0N
a year ago

Researcher


Well @Adrien Joly, you don't need to send the bounty. Huntr.dev provides monetary value both to the Reporter ,once the issue is validated, and to a Fixer once it is patched. You may select yourself as a Fixer since you patched the issue. Thank you! 🙂

to join this conversation