@p4lsec
Last active Sep 8, 2021
Summary

An insecure direct object reference vulnerability in the hunting/fishing license retrieval function of the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier allows a remote authenticated attacker to retrieve other people's personal information and images of their hunting/fishing licenses.

Additionally, an insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.

Application

Software

  • 'Fish|Hunt FL' iOS application, used to manage Florida hunting and fishing licenses.

Versions

  • 3.8.0 and earlier

Vulnerabilities

  • An authenticated user could access other license holders' PII via an Insecure Direct Object Reference vulnerability (CWE-639).
  • The Authorization token generated upon login did not expire in a timely manner (CWE-613).

Background

I was having issues with the 'Fish|Hunt FL' iOS application when trying to retrieve my fishing license. I captured the traffic submitted by the application in an attempt to see if I could find any information about what was happening.

I noticed there is an API endpoint located at gooutdoorsflorida.com/mobile/v2/getcustomerlicense, which the application uses to retrieve license information.

API

When retrieving license info, the application sends the following example POST request to the endpoint:

  POST /mobile/v2/getcustomerlicense HTTP/1.1
  Host: rlisapi.gooutdoorsflorida.com
  Cookie: {cookie}
  Accept: application/json
  Content-Type: application/json; charset=utf-8
  Accept-Encoding: gzip, deflate
  Content-Length: 30
  User-Agent: Fish%7CHunt%20FL/121 CFNetwork/1237 Darwin/20.4.0
  Accept-Language: en-us
  Authorization: {28 character token}
  Connection: close

  {
    "customerId": {10 digit ID number}
  }

In response, I get the following:

  HTTP/1.1 200 OK
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: application/json; charset=utf-8
  Expires: -1
  Server: Microsoft-IIS/8.5
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Thu, 20 May 2021 01:08:11 GMT
  Connection: close
  Content-Length: 51691

  {
      "customerId":{10 digit ID number},
      "name":"{name}",
      "address":"{address}",
      "licenses":
      [{hunting and fishing license info, harvest reports}],
      "licenseImageData":"{jpeg image of license}"
  }

The above "licenseImageData" is a base64 encoded JPEG of the full hunting/fishing license, as well as any applicable harvest records, which includes name, DOB, and home address.

Vulnerability

In an attempt to troubleshoot my issues, I eventually noticed that if I provided a different "customerId" field in the initial POST request, I got someone else's name (and presumably DOB, address, license info, etc) back in return. This information disclosure vulnerability is referred to as an Insecure, Direct Object Reference. At this point, I ceased actions and attempted to locate a responsible disclosure contact.

Additionally, even 24+ hours after that initial POST request was made, I could reuse the same Authorization token, meaning the token never expired. This vulnerability is known as Insufficient Session Expiration.
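A server-side sketch of the two checks whose absence is described above, as an added example that is not the vendor's code or part of the original write-up. The in-memory stores, function names, sample records and timeout values are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed values; the page does not state
MAX_LIFETIME = 8 * 60 * 60   # what lifetime the vendor chose for the fix

# Constructed sample records standing in for the license database.
LICENSES = {
    1000000001: {"customerId": 1000000001, "name": "Sample Angler"},
    1000000002: {"customerId": 1000000002, "name": "Sample Hunter"},
}
SESSIONS = {}  # token -> {"customer_id", "issued", "last_seen"}


def login(customer_id, now=None):
    """Issue a random token that the server binds to exactly one customer."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(21)  # 21 random bytes -> 28 URL-safe chars
    SESSIONS[token] = {"customer_id": customer_id, "issued": now, "last_seen": now}
    return token


def get_customer_license(token, body, now=None):
    """Handle a getcustomerlicense-style request; returns (status, payload)."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return 401, {"error": "invalid token"}
    # CWE-613: expire on idle time and on absolute age, then forget the token.
    idle = now - session["last_seen"]
    age = now - session["issued"]
    if idle > IDLE_TIMEOUT or age > MAX_LIFETIME:
        del SESSIONS[token]
        return 401, {"error": "token expired"}
    # CWE-639: the client-supplied customerId is only accepted when it
    # matches the customer the session was issued to.
    if body.get("customerId") != session["customer_id"]:
        return 403, {"error": "forbidden"}
    session["last_seen"] = now
    return 200, LICENSES[session["customer_id"]]
```

The record returned is always looked up by the session's own customer ID, so the request body can confirm the caller's identity but never select another customer's data.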

I located a contact who works for the State of Florida, and responsibly disclosed the vulnerability. In response, I received the below confirmation email:

Jace,

I can confirm we received the responsible disclosure. We also verified the Authorization header was usable at any time to obtain information for a specified customerId. We shared your responsible disclosure and our verification with FWC. They confirmed receipt of the disclosure and are looking into the issue. Please let me know if you have any questions.

Sincerely,

[REDACTED] | Information Security
Office of Information Technology
[REDACTED] (mobile)
Florida Department of Management Services

Impact

An attacker could have abused this API endpoint and aggregated all records in this database, which presumably contains all license holders. Aside from the PII disclosure implications, attackers could also assume that most hunting license holders own firearms, and could build a high-confidence list of addresses containing firearms.
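For defenders reviewing logs for the aggregation described above, one detection approach is to flag any token that requests more than one customerId or stays in use past a maximum age. This is an added example, not part of the original write-up; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_IDS_PER_TOKEN = 1                # assumed: a token reads only its owner's record
MAX_TOKEN_AGE = timedelta(hours=24)  # assumed policy ceiling for token use

# Constructed application log: ISO timestamp, token fingerprint, requested customerId.
SAMPLE_LOG = """\
2021-01-04T09:00:00 tok_a 1000000001
2021-01-04T09:00:05 tok_b 1000000007
2021-01-04T09:00:06 tok_b 1000000008
2021-01-04T09:00:07 tok_b 1000000009
2021-01-05T10:30:00 tok_a 1000000001
2021-01-05T10:31:00 tok_c 1000000042
"""


def analyze(log_text):
    """Return {token: [reasons]} for tokens that violate either rule."""
    ids = defaultdict(set)
    first, last = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing at fields
        ts = datetime.fromisoformat(parts[0])
        token, customer_id = parts[1], parts[2]
        ids[token].add(customer_id)
        first[token] = min(first.get(token, ts), ts)
        last[token] = max(last.get(token, ts), ts)
    findings = {}
    for token, seen in ids.items():
        reasons = []
        if len(seen) > MAX_IDS_PER_TOKEN:
            reasons.append("multiple-customer-ids")
        if last[token] - first[token] > MAX_TOKEN_AGE:
            reasons.append("token-in-use-past-max-age")
        if reasons:
            findings[token] = reasons
    return findings
```

Logging a fingerprint of the token rather than the token itself keeps the log from becoming a store of reusable credentials.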

Timeline

  • May 18 - Vulnerabilities discovered
  • May 18 - Initial disclosure of "a vulnerability in a system related to gooutdoorsfl.com" was made to a Contact Us form
  • May 19 - Contact made with Cybersecurity SME
  • May 20 - Responsible disclosure submitted via secure channel
  • May 21 - SME confirms receipt and validity of vulnerabilities
  • June 1 - Version 3.9.0 released on iOS App Store ("Updates to License Sync Functionality"). Cursory inspection appears to have remediated the vulnerabilities.
  • June 1 - Contacted SME to request authorization to verify vulnerabilities have been remediated. No response.
  • June 8 - Contacted SME again to request authorization to verify vulnerabilities have been remediated. No response.
  • June 21 - Contacted SME requesting confirmation that the vulnerabilities were remediated. No response.
  • August 26 - Two CVE numbers were assigned via MITRE.

CVEs

I applied for two CVE numbers from MITRE for the above vulnerabilities:

Vendor of the product(s) info
Florida Fish and Wildlife Conservation Commission

Product
Fish | Hunt FL

Version
< 3.8.0

Vuln 1:

    Other vulnerability type info
    CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)

    Impact info
    Information Disclosure

    Affected component(s)
    View License function

    Attack vector(s)
    An authenticated user can change the "customerId" parameter in a POST request to the "getcustomerlicense" endpoint, allowing other users to retrieve other people's personal information and images of their hunting/fishing licenses. 

    Suggested description of the vulnerability for use in the CVE info
    An insecure, direct object vulnerability in hunting/fishing license retrieval function of the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier allows a remote authenticated attacker to retrieve other people's personal information and images of their hunting/fishing licenses.

    Discoverer(s)/Credits info
    Camden Jace Powell

Vuln 2:

    Other vulnerability type info
    CWE-613: Insufficient Session Expiration

    Other impact
    Session reuse and theft

    Affected component(s)
    Entire application

    Attack vector(s)
    An attacker can reuse, spoof, or steal the non-expiring "Authorization" parameter in API communications. 

    Suggested description of the vulnerability for use in the CVE info
    An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.

    Discoverer(s)/Credits info
    Camden Jace Powell

CVE-2021-33981 has been reserved for the insecure, direct object vulnerability.

CVE-2021-33982 has been reserved for the insufficient session expiration vulnerability.
