Unprotected API could expose names, places, times of bookings made using app

Unprotected API

An open-source scheduling platform has an access control vulnerability. Unauthenticated attackers had easy access to personally identifiable information (PII) thanks to Easy!Appointments, according to a security researcher.

The serious weakness (CVE-2022-0482), which has since been patched, was caused by a lack of authentication in a backend API that was used to populate the user’s calendar.

Francesco Carlucci, the founder of OpenCIRT, a vulnerability reporting tool now in testing, uncovered the flaw. Carlucci found that ajax_get_calendar_events() passed just three parameters – startDate, endDate, and csrfToken – and that attempting to remove all cookies from his request returned a 403 response.

He subsequently determined that hostile hackers could obtain a CSRF token by simply accessing the public reservations form, after which they could query the unprotected API and download appointment data.

Carlucci has described the issue in a technical write-up with a CVSS score of 9.1. Scenarios of attack “There are a variety of attack scenarios,” Carlucci explained. “First and foremost, the attacker has access to a vast amount of personal data provided by the user throughout the booking process,” he told The Daily Swig. “This includes phone numbers, physical addresses, cities, and other juicy details that might be exploited for identity theft and ‘password recovery attacks’ on other websites.” The attacker then knows who the user is meeting and why, which can be quite personal depending on the booking’s intent.”

“Last but not least, the HTTP response includes the booking’s’reference’ (hash), which can be used by the attacker to cancel the booking on the user’s behalf (on a different endpoint: index.php/appointments/index/hash),” he wrote. An attacker might use this to loop over all of the bookings and wipe out the entire database.” Easy! Appointments has been downloaded over 100,000 times and is also available as a WordPress plugin.

The appointment management system is built with CodeIgniter, which Carlucci believes is riskier than other PHP frameworks like Laravel because developers must design their own authentication and other basic functions. Carlucci stated that there are “many thousand instances remaining unpatched on the web,” and that while no evidence of active exploitation has been seen so far, this might change “anytime soon.”

Updates and bug detection

On January 30, Carlucci reported a vulnerability to open source bug bounty site Huntr and Easy!Appointments’ lead developer Alex Tselegidis. Tselegidis fixed the problem in the March 8 release of Easy!Appointments 1.4.3. All prior versions of the software are affected. Tselegidis has made a patch utility script available that automates the updating process for users who are unable to do so manually. Carlucci applauded the developer for being “very responsive and cooperative,” as well as performing a “complete security evaluation” that resolved numerous other minor security vulnerabilities.

Carlucci, who received a “modest” bug prize for his discovery, has released a Nuclei template to aid security researchers in detecting the vulnerability, and has issued a warning to “a couple of big NGOs that were using the programme for booking Covid-19 vaccines.”

Source: https://portswigger.net/daily-swig/access-control-vulnerability-in-easy-appointments-platform-exposed-sensitive-personal-data?&web_view=true