Cyber Defense eMagazine November Edition for 2021
Cyber Defense eMagazine November Edition for 2021 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, US Editor-in-Chief, Pieruligi Paganini, International Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES See you at RSA Conference 2022 - Our 10th Year Anniversary - Our 10th Year @RSAC #RSACONFERENCE #USA - Thank you so much!!! - Team CDMG
of coupons. BrewDog didn't believe the vulnerability existed and didn't acknowledge the report. The information was made public and BrewDog is dealing with significant fallout.
This year, I did some similar research on the well-known Lithium community forum platform, which is now owned by Khoros. Lithium is a multi-tenant SaaS architecture used by many organizations including Roku, DropBox and FitBit to host user forums. If you are logged in to FitBit, then you are using Lithium, configured as a public community, to share results, discuss workout regimens, and so on.
While logged into the FitBit Community I noticed a weird request being made by my browser:
GET /xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+view_href+FROM+users+WHERE+id+%3D+%22REDACTED%22
URL-decoded, the q parameter reads: SELECT id, login, avatar.profile, rank, view_href FROM users WHERE id = "REDACTED"
My first thought was that it was strange to find SQL queries in the request, so I wondered if I could change them. My second thought was, "what the heck is xmnuz23762?"
I first tried changing the SELECT criteria and the WHERE information, yielding:
GET /xmnuz23762/api/2.0/search?q=SELECT+*+FROM+users
This showed me all users. I found User 1, whose profile showed that they were the Lithium Admin. Now I knew what the FitBit community platform was based on.
Recall that a vulnerability is simply an exposure to a possible attack. So, is this an exposure to an attack? I believe so and here's why.
Exploiting the Flaw
I can change the query to get the results I want. This means I can dump various parts of the database at will. Khoros disagrees, stating that what I had found is their API, called LiQL (Lithium Query Language), which uses a syntax similar to SQL. Occasionally, the similarity causes confusion with security experts concerned about SQL injection vulnerabilities. Okay, so it's not identical to a SQL injection, but I can still change it at will and get various pieces of data.
Let's turn our attention to the other oddity I saw: what is xmnuz23762? This alphanumeric sequence appears on every request, so it must be related to FitBit, and I figured it was a domain ID. Querying the DNS entries for Lithium showed that xmnuz23762.lithium.com will redirect you to community.fitbit.com. Pulling a different ID from my DNS entries I found aempf32337.lithium.com, which redirects me to community.roku.com.
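Whether or not one calls this SQL injection, the check that settles the question above is what the server does with a query the client supplies: if it runs whatever LiQL a logged-in member sends, every row and field the API can reach is readable by that member. The sketch below is an added example, not Khoros or Lithium code, and covers both observations on this page: it pulls the tenant identifier (xmnuz23762) and the decoded LiQL out of a request path like the ones quoted, then applies fail-closed authorization that allowlists fields per table, rejects SELECT *, and pins users queries to the caller's own id. The LiQL grammar it parses is a simplified assumption and POLICY is invented for illustration; the real platform's grammar and authorization rules are not known here.

```python
"""Server-side guard for a client-supplied LiQL-style search query.

Added example, not Khoros/Lithium code. It assumes a simplified LiQL subset
(SELECT fields FROM table [WHERE field = "value"]) and an invented per-table
POLICY; the real platform's grammar and authorization rules are not known here.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request paths modelled on the two quoted in the article.
BENIGN_REQUEST = (
    "/xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,"
    "+view_href+FROM+users+WHERE+id+%3D+%22REDACTED%22"
)
DUMP_REQUEST = "/xmnuz23762/api/2.0/search?q=SELECT+*+FROM+users"

# Hypothetical policy: fields an ordinary member may read per table, and whether
# the query must be pinned to the caller's own row.
POLICY = {
    "users": {
        "fields": {"id", "login", "avatar.profile", "rank", "view_href"},
        "own_rows_only": True,
    },
    "messages": {"fields": {"id", "subject", "view_href"}, "own_rows_only": False},
}

_PATH_RE = re.compile(r"^/(?P<tenant>[a-z0-9]+)/api/2\.0/search$")
_QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_WHERE_RE = re.compile(r'^(?P<field>[\w.]+)\s*=\s*"(?P<value>[^"]*)"$')


def parse_request(request_path):
    """Split a search request into (tenant_id, decoded LiQL query).

    The leading path segment is the tenant identifier the article traced to
    community.fitbit.com via DNS; parse_qs undoes the '+' and %XX encoding.
    """
    parts = urlsplit(request_path)
    m = _PATH_RE.match(parts.path)
    if m is None:
        raise ValueError("not a search endpoint: %r" % parts.path)
    q = parse_qs(parts.query).get("q")
    if not q:
        raise ValueError("missing q parameter")
    return m.group("tenant"), q[0]


def check_query(liql, caller_id):
    """Decide whether caller_id may run liql. Returns (allowed, reason).

    Fail closed: anything the tiny grammar cannot parse is rejected, a wildcard
    field list is rejected, unknown tables and fields are rejected, and tables
    marked own_rows_only must carry WHERE id = "<caller_id>".
    """
    m = _QUERY_RE.match(liql)
    if m is None:
        return False, "unparseable query"
    table = m.group("table").lower()
    policy = POLICY.get(table)
    if policy is None:
        return False, "table %r is not readable" % table
    fields = [f.strip() for f in m.group("fields").split(",")]
    if "*" in fields:
        return False, "wildcard field list rejected"
    disallowed = sorted(set(fields) - policy["fields"])
    if disallowed:
        return False, "fields not readable: %s" % disallowed
    if policy["own_rows_only"]:
        where = m.group("where")
        w = _WHERE_RE.match(where.strip()) if where else None
        if w is None or w.group("field").lower() != "id" or w.group("value") != caller_id:
            return False, 'users queries must carry WHERE id = "<your own id>"'
    return True, "ok"


def authorize_request(request_path, caller_id):
    """Parse, then policy-check. Returns (tenant, allowed, reason)."""
    tenant, liql = parse_request(request_path)
    allowed, reason = check_query(liql, caller_id)
    return tenant, allowed, reason


if __name__ == "__main__":
    for path in (BENIGN_REQUEST, DUMP_REQUEST):
        print(path, "->", authorize_request(path, "REDACTED"))
```

Run as a script it accepts the browser's original request for caller "REDACTED" and rejects the SELECT * rewrite. The design point is that the allowlist lives on the server and is keyed to the authenticated caller; syntax checks on the query string alone would not stop a member from swapping in another user's id, which is why the WHERE clause is compared against the session's identity rather than merely required to exist.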
Cyber Defense eMagazine – November 2021 Edition 116
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.