While probing an old Moment domain (momenthouse.com), I discovered the subdomain admin.momenthouse.com. Here, I initiated a process I’m calling ‘Unauthenticated Endpoint Reconnaissance.’ An interesting observation triggered this process: I could see a portion of the dashboard load before the system redirected me to a login screen. This piqued my curiosity and led me to dig deeper into the dashboard’s code to locate endpoints.

During my investigation, I identified an endpoint previously used to display reported users. This endpoint didn't require any authentication for access, which in itself poses a security risk. When accessed, it returned detailed information about various Moment House events and the reported users linked to each event.
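The reconnaissance process described above (harvesting API paths from a dashboard bundle that loads before the login redirect, then requesting each one with no credentials) can be scripted. The block below is an added example, not code from the original write-up or from Moment House; the JavaScript bundle text, the API host and every path in it are constructed for the demonstration, and the fake responder only imitates the three behaviours the write-up mentions (login redirect, rejected request, JSON returned without authentication).

```python
"""Unauthenticated endpoint reconnaissance (added example, constructed data).

Step 1: pull candidate API paths out of client-side JavaScript.
Step 2: GET each path with no cookies or Authorization header and record
        which ones answer with JSON instead of a 401/403 or a login redirect.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a minified dashboard bundle. The host and paths are
# invented for this example and are not Moment House endpoints.
SAMPLE_BUNDLE = r'''
const API="https://api.example.invalid";
function loadEvents(){return fetch(API+"/v1/admin/events",{credentials:"include"})}
function loadReported(e){return fetch(`${API}/v1/admin/events/${e}/reported-users`)}
function me(){return fetch(API+"/v1/users/me",{headers:{Authorization:"Bearer "+t}})}
axios.get("/v1/health");
'''

# Versioned paths: "/v1/..." segments, allowing "${var}" template pieces.
PATH_RE = re.compile(r'(/v\d+(?:/[A-Za-z0-9_\-]+|/\$\{[^}]+\})+)')


def extract_paths(bundle: str) -> List[str]:
    """Return sorted, de-duplicated API paths with template vars as {id}."""
    found = {re.sub(r'\$\{[^}]+\}', '{id}', m) for m in PATH_RE.findall(bundle)}
    return sorted(found)


Response = Tuple[int, Dict[str, str], str]      # status, headers, body
Fetcher = Callable[[str, str], Response]         # (method, url) -> Response


def probe_unauthenticated(base: str, paths: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Classify how each path answers a credential-less GET."""
    results: Dict[str, str] = {}
    for p in paths:
        url = base + p.replace("{id}", "1")      # placeholder id for the probe
        status, headers, body = fetch("GET", url)
        if status in (401, 403):
            verdict = "auth-enforced"
        elif 300 <= status < 400 and "login" in headers.get("Location", ""):
            verdict = "redirects-to-login"
        elif status == 200 and body.lstrip().startswith(("{", "[")):
            verdict = "UNAUTHENTICATED-JSON"     # the finding we care about
        else:
            verdict = f"other-{status}"
        results[p] = verdict
    return results


def fake_fetch(method: str, url: str) -> Response:
    """Constructed responder imitating the behaviours in the write-up."""
    if url.endswith("/reported-users"):
        return 200, {"Content-Type": "application/json"}, '[{"id": "u1", "email": "a@b.invalid"}]'
    if "/admin/" in url:
        return 302, {"Location": "/login"}, ""
    if url.endswith("/users/me"):
        return 401, {}, ""
    return 200, {"Content-Type": "text/plain"}, "ok"


def live_fetch(method: str, url: str) -> Response:
    """Real fetcher for use outside this demo: stdlib only, sends no cookies or
    auth header, and does not follow redirects so login bounces stay visible."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                          # surface 3xx as HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method=method)
    try:
        with opener.open(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    paths = extract_paths(SAMPLE_BUNDLE)
    for path, verdict in probe_unauthenticated("https://api.example.invalid", paths, fake_fetch).items():
        print(f"{verdict:22} {path}")
```

Swap `fake_fetch` for `live_fetch` to run it against a target you are authorised to test; the point of injecting the fetcher is that the classification logic can be exercised offline before any request is sent.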

Upon further analysis, it was clear that the user information returned by this endpoint was extensive: the response serialized each user's entire database record rather than a curated view. This data included the user's ID, first and last name, email, a bcrypt password hash, creation and update timestamps, verification status, language, timezone, signup source, and cryptocurrency wallet IDs (Solana and Ethereum) where set.

Most alarmingly, the endpoint also returned the ‘resetPasswordToken,’ a JSON Web Token (JWT). If a password reset was requested, I could see the token. This is a significant security flaw: anyone who triggers a password reset for a target's email address can read the resulting token from this endpoint and complete the reset themselves, gaining unauthorized access to the account. The impact is greatest when the target is an admin (indicated by "isSuper": true).

I successfully took over an account using this method. To be clear, this was a test account I had created and reported myself, but it demonstrates the potential for misuse.

Additionally, the endpoint revealed partial payment information. Because payments are processed through Stripe, only the last four digits of a card were exposed rather than full card numbers, but tying even that much billing data to a name and email still raises privacy concerns.

Example of what was returned:

...
{
  "id": "",
  "firstName": "",
  "lastName": "",
  "slug": "",
  "email": "",
  "passwordHash": "",
  "createdAt": "",
  "updatedAt": "",
  "isSuper": false,
  "stripeAccountId": null,
  "phone": "",
  "resetPasswordToken": null,
  "isVerified": false,
  "paypal": null,
  "externalBillingId": "",
  "lang": "",
  "timezone": "",
  "image": null,
  "bio": null,
  "instagram": null,
  "access": null,
  "signupSource": "",
  "solWalletId": null,
  "ethWalletId": null,
  "walletAuthNonce": null,
  "avatar": {
    "wearables": {
      "top": "",
      "hair": "",
      "shoes": "",
      "bottom": "",
      "eyebrows": ""
    },
    "avatarAttributes": {
      "body": "",
      "eyes": "",
      "skinTone": "",
      "hairColor": "",
      "eyebrowColor": ""
    }
  },
  "locked": false,
  "verifiedCreator": true,
  "username": "",
  "expoPushToken": null,
  "avatarImage": "",
  "worldsAccess": true,
  "worldAccessAt": "",
  "hasCustomAvatar": true,
  "onboarding": {},
  "verificationCode": null,
  "globalBanned": false,
  "worldsOnboarding": false,
  "systemPreferences": {}
},
...
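Two fixes follow from the record above: the response should never be built from the raw database row, and a password-reset token should not be redeemable even if a column leaks. The block below is an added example, not Moment House's code; the record mirrors the field names of the sample response with constructed placeholder values, and the field classification, the allow-list serializer and the hashed-token scheme are this editor's illustration of the standard mitigations, not a description of how the site was actually fixed.

```python
"""Auditing and hardening a user-record serialization (added example).

audit()             lists which secret-bearing and PII fields a response would leak.
public_view()       is an allow-list serializer: new columns never leak by default.
issue/redeem_reset  store only a hash of the reset token, with expiry and single use,
                    so a leaked column cannot be used to take over the account.
"""
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, List

SECRET_FIELDS = {"passwordHash", "resetPasswordToken", "verificationCode",
                 "walletAuthNonce", "expoPushToken"}
PII_FIELDS = {"email", "phone", "stripeAccountId", "externalBillingId",
              "paypal", "solWalletId", "ethWalletId"}
PUBLIC_FIELDS = ("id", "username", "slug", "firstName", "lastName",
                 "avatarImage", "verifiedCreator", "bio")
RESET_TTL_SECONDS = 15 * 60

# Constructed record: same keys as the write-up's sample, dummy values only.
SAMPLE_USER: Dict[str, Any] = {
    "id": "u_123", "firstName": "Test", "lastName": "User", "slug": "test-user",
    "email": "test@example.invalid", "passwordHash": "$2b$12$" + "x" * 53,
    "isSuper": True, "phone": "+10000000000",
    "resetPasswordToken": "eyJhbGciOi.constructed.placeholder",
    "verificationCode": None, "expoPushToken": None, "walletAuthNonce": None,
    "username": "testuser", "verifiedCreator": True, "bio": None,
    "avatarImage": "", "stripeAccountId": None, "externalBillingId": "cus_constructed",
}


def audit(record: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return the populated secret and PII keys a raw dump of this record exposes."""
    populated = {k for k, v in record.items() if v not in (None, "", [], {})}
    return {"secrets": sorted(populated & SECRET_FIELDS),
            "pii": sorted(populated & PII_FIELDS)}


def public_view(record: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list serializer: only named, reviewed fields are ever emitted."""
    return {k: record.get(k) for k in PUBLIC_FIELDS if k in record}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(record: Dict[str, Any], now: float = None) -> str:
    """Create a reset token; persist only its hash and expiry.
    The raw token is returned for the e-mail and is never stored."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    record["resetPasswordTokenHash"] = _digest(raw)
    record["resetPasswordExpiresAt"] = now + RESET_TTL_SECONDS
    record.pop("resetPasswordToken", None)      # remove any legacy plaintext token
    return raw


def redeem_reset_token(record: Dict[str, Any], presented: str, now: float = None) -> bool:
    """Constant-time compare against the stored hash; expired or reused tokens fail."""
    now = time.time() if now is None else now
    stored = record.get("resetPasswordTokenHash")
    if not stored or now > record.get("resetPasswordExpiresAt", 0):
        return False
    ok = hmac.compare_digest(stored, _digest(presented))
    if ok:                                       # single use: clear on success
        record.pop("resetPasswordTokenHash", None)
        record.pop("resetPasswordExpiresAt", None)
    return ok


if __name__ == "__main__":
    print("raw dump would leak:", audit(SAMPLE_USER))
    print("safe response:", public_view(SAMPLE_USER))
    rec = dict(SAMPLE_USER)
    raw = issue_reset_token(rec)
    print("redeem once:", redeem_reset_token(rec, raw), "again:", redeem_reset_token(rec, raw))
```

The allow-list is the important half: a deny-list would have missed `walletAuthNonce` and `verificationCode` the day they were added, whereas an allow-list fails closed. Hashing the reset token does not replace the missing authentication check on the endpoint; it limits the blast radius when some other bug exposes the row.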

Unauthenticated Endpoint Reconnaissance
A process in which one enumerates an application's API endpoints from its client-side code (for example, a dashboard bundle that loads before the login redirect fires) and then requests each endpoint without credentials to identify those that respond with data despite having no authentication check. No authentication mechanism is bypassed; the process finds endpoints where the check was never enforced.

© David Stephenson

Creative Commons by-nc-nd 4.0 International License