Improper Access Control in Crabtyper API in brancobruyneel/crabtyper

Valid

Reported on

Jun 16th 2022


Description

The API allows any user to create languages and snippets, and to delete them. A malicious actor can therefore add offensive snippets that are shown to every user, or take the service down entirely by deleting every snippet.

This is due to insufficient access control being implemented in the API.

Proof of Concept

Create a language:

$ curl -X POST -H "Content-Type: application/json" https://crabtyper-api.azurewebsites.net/api/languages -d "{\"name\":\"example\"}"

Delete a snippet:

$ curl -X DELETE https://crabtyper-api.azurewebsites.net/api/snippets/4a917fe1-ed65-4134-b8de-423023970ac9

These are just two examples, snippets can also be created in a similar way.

Impact

This vulnerability allows arbitrary text to be displayed to all users, and allows the service to be rendered inoperable by deleting all snippets.
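As an added example that is not crabtyper's own code, the deny-by-default access check the report says is missing, written in std-only Rust since crabtyper is a Rust project. It assumes a maintainer token loaded from configuration and a web framework that hands the check the request method, path and Authorization header; only the policy decision is shown.

```rust
// Added example, not crabtyper's own code: a deny-by-default
// authorization check for the endpoints named in the report.
// Assumes the API reads an admin token from configuration and
// that the HTTP framework supplies method, path and the
// Authorization header; only the policy decision is shown here.

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Unauthorized, // mutating request without a valid bearer token
    NotFound,     // path outside /api/languages and /api/snippets
}

/// Constant-time comparison: a plain `==` on byte slices stops at the
/// first mismatch, which leaks how many leading bytes were correct.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Extract the token from an "Authorization: Bearer <token>" header.
fn bearer_token(header: Option<&str>) -> Option<&str> {
    header?.strip_prefix("Bearer ").map(str::trim).filter(|t| !t.is_empty())
}

/// Policy: anonymous players may read languages and snippets (the game
/// needs them), but creating, updating or deleting either requires the
/// maintainer token. Unknown methods and paths are refused.
pub fn authorize(method: &str, path: &str, authorization: Option<&str>, admin_token: &[u8]) -> Decision {
    let segments: Vec<&str> = path.trim_matches('/').split('/').collect();
    match segments.as_slice() {
        ["api", c] | ["api", c, _] if *c == "languages" || *c == "snippets" => {}
        _ => return Decision::NotFound,
    }
    match method {
        "GET" | "HEAD" => Decision::Allow,
        "POST" | "PUT" | "PATCH" | "DELETE" => match bearer_token(authorization) {
            Some(t) if ct_eq(t.as_bytes(), admin_token) => Decision::Allow,
            _ => Decision::Unauthorized,
        },
        _ => Decision::Unauthorized,
    }
}

fn main() {
    // Constructed requests mirroring the proof of concept above (placeholder token).
    let token = b"replace-me-with-a-random-secret";
    println!("{:?}", authorize("POST", "/api/languages", None, token)); // Unauthorized
    println!("{:?}", authorize("DELETE", "/api/snippets/4a917fe1-ed65-4134-b8de-423023970ac9", None, token)); // Unauthorized
    println!("{:?}", authorize("GET", "/api/snippets", None, token)); // Allow
}
```

With this in place the two curl commands from the proof of concept are rejected with 401, while anonymous reads that the typing game depends on keep working.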

We are processing your report and will contact the brancobruyneel/crabtyper team within 24 hours. a year ago
William (Researcher), a year ago:

Update: looks like someone has already exploited this - needs to be fixed ASAP!

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the brancobruyneel/crabtyper team and are waiting to hear back a year ago
brancobruyneel validated this vulnerability a year ago
William Henderson has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
brancobruyneel marked this as fixed in 0.1.0 with commit 5022f4 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE