| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Mar 2023 19:16:11 +0200
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Full Disclosure - Fastly
Correspondence from Fastly declined to comment regarding new discovered
vulnerabilities within their website.
Poor practices regarding password changes.
1. Reset user password
2. Access link sent
3. Temporary password sent plaintext
// HTTP POST request
POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]
[...]
{"g-recaptcha-response":"03AFY_a8UY[...]"}
[...]
// HTTP response
HTTP/2 200 OK
Cache-Control: no-store
[...]
// HTTP GET request
GET
/auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d...
HTTP/2
Host: manage.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]
// HTTP response
HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600,
stale-while-revalidate=600
[...]
Weak Pwd requirements
1. Login to user account
2. Click Account -> Personal Profile
3. Select Change Password -> Current Password -> FastLy%2540!1M
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P
5. Select Sign Out Option
6. Login with new password
// HTTP POST request
POST /oauth/password HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%
40gmail.com
[...]
// HTTP response
HTTP/2 401 Unauthorized
Status: 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
[...]
[...]
{"msg":"Token 3kzBPKXbsbtZBl9..."}
[...]
// HTTP POST request
POST /oauth/access_token HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%
40gmail.com
[...]
// HTTP response
HTTP/2 200 OK
Status: 200 OK
[...]
[...]
{"id":"7IU53vPHZ...",
"name":"manage.fastly.com browser session",
"user_id":"3lWtx49FrV...",
"customer_id":"535znFHg...",
[...]
"token_type":"bearer",
"scope":"global",
"services":[],
"access_token":"qwdBQF43O..."}
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists