From an Innocent api-key to PII data

How we got there

It was on a Thursday in February 2023. I had just gotten off driving and I was feeling tired; at the same time I was feeling meh, since I had not done any good hacking that week, just doing random stuff. So I took out my laptop, sat on the couch, hopped on Intigriti and started looking around in the recently updated category, as I sometimes do. I found this program that had updated the scope (let's call it xboy, you know the drill, my returning readers) and I decided to tap into it lightly.

I enumerated subdomains and got several hits. Since there weren't many subdomains, I decided I should just visit them one by one and check if maybe I could find anything. I visited one, https://customers.xboy.me/, that seemed pretty normal: login and signup and a web shop, but nothing really interesting to poke around at. I did my usual poking around with view-source: so I could check out the JS files for any hardcoded creds, tokens or API keys. I found some config data inside a script tag:

<script> REDACTED... apiurl":"https://customers.xboy.me/v2","env":"prod","YOTPO-MERCHANT-ID":"XXXXX","YOTPO-API-KEY":"API_KEY_HERE","YOTPO-GUID":"GUID_HERE"  ...REDACTED </script>

At first I didn't think much of these keys as they seemed not interesting at all, but I decided to check online for any exploitation of API keys from Yotpo, but my search returned nothing.

I was about to give up when I remembered that most companies have dev documentation. So I googled Yotpo developer documentation, and after a few readings here and there I found this documentation page, Loyalty Docs. Turns out the API keys I found earlier were for the loyalty API, and the juicy part was that the same API keys were the auth keys. Bingo. After some more digging I found that I could query customer data associated with the API keys (Get Customers Docs). Super bingo.

TIP of the day :: Just because it hasn't been exploited and documented publicly, doesn't mean it isn't vulnerable... Everything is vulnerable unless proven otherwise.

So after reading the docs I crafted the following Burp request to the API with the exposed API keys, and boom: 'PII'.

I stopped testing here.

GET /api/v2/customers/recent?per_page=100 HTTP/2
Host: loyalty.yotpo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
X-Guid: GUID_HERE
X-Api-Key: API_KEY_HERE

Reproduction Steps

  1. Visit https://customers.xboy.me/
  2. Perform a view-source, either by right-clicking or Ctrl + U (Cmd + U for Mac users)
  3. Scroll down to the bottom to find

<script> REDACTED... apiurl":"https://customers.xboy.me/v2","env":"prod","YOTPO-MERCHANT-ID":"XXXXX","YOTPO-API-KEY":"API_KEY_HERE","YOTPO-GUID":"GUID_HERE"  ...REDACTED </script>

  4. Visit https://loyalty.yotpo.com/api/v2/customers/recent?per_page=100 and intercept with Burp
  5. Send the request from 4 to Repeater and send it to observe the 401 error. Alter the request to be:

GET /api/v2/customers/recent?per_page=100 HTTP/2
Host: loyalty.yotpo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
X-Guid: GUID_HERE
X-Api-Key: API_KEY_HERE

  6. Send request

Quick Curl Repro Command

curl -i -s -k -X $'GET' \
-H $'Host: loyalty.yotpo.com' -H $'Accept: application/json' -H $'X-Guid: GUID_HERE' -H $'X-Api-Key: API_KEY_HERE' \
$'https://loyalty.yotpo.com/api/v2/customers/recent?per_page=100'

So I wrote a report and sent it to the program at Intigriti. The report was triaged as a critical.

After waiting for a few days I received a €€€ bonus.
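
A release-time check for the root cause in this write-up, as an added example that is not part of the original post: it scans a rendered page's inline `<script>` blocks for credential-like config keys with non-empty values. The key-name patterns, the function names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Key names that suggest a credential rather than public configuration.
# This pattern list is an assumption; extend it for the vendors you use.
SECRET_KEY_NAME = re.compile(r"(api[-_]?key|secret|token|passw|guid)", re.I)
# "name":"value" pairs as they appear in JSON embedded in a script tag.
PAIR = re.compile(r'"([A-Za-z0-9_\-]+)"\s*:\s*"([^"]*)"')


class InlineScripts(HTMLParser):
    """Collects the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.in_inline = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self.in_inline = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline = False

    def handle_data(self, data):
        if self.in_inline:
            self.chunks.append(data)


def find_exposed_keys(html):
    """Return sorted names of credential-like keys with non-empty values."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    text = "".join(parser.chunks)
    return sorted({name for name, value in PAIR.findall(text)
                   if value and SECRET_KEY_NAME.search(name)})


# Constructed sample modelled on the redacted snippet in the post.
SAMPLE = ('<html><body><script src="/app.js"></script><script>window.cfg = '
          '{"apiurl":"https://customers.xboy.me/v2","env":"prod",'
          '"YOTPO-MERCHANT-ID":"XXXXX","YOTPO-API-KEY":"API_KEY_HERE",'
          '"YOTPO-GUID":"GUID_HERE"};</script></body></html>')

if __name__ == "__main__":
    print(find_exposed_keys(SAMPLE))
```

A hit only says the value is readable by every visitor; whether that is a problem depends on what the vendor's API accepts the key for, which here was answered by the Loyalty docs.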
