Access to some admin endpoints with OAuth client credentials
The target is a fintech company that can centralize payments for companies and employees. It is a private program, so let me call it target.com.
I installed target’s iOS app and started poking around. The authentication flow is implemented as an OAuth token request with the ‘password’ grant type.
The request looks like this:
POST /oauth/authorization/login HTTP/1.1
Host: auth.target.com
Content-Type: application/json
Connection: close
Accept: application/json
User-Agent: iPhone; CPU Apple OS 14.1 like Mac OS X; iPhone9,3
Authorization: Basic WFhYWFhYWFgtZTI0OS00ZDRkLWEzOWItWFhYWFhYWFg6WFhYWFhYWFhDMFdEWGhnTGNKc04xaE5zWFhYWFhY
Accept-Language: en-us
{"email":"[email protected]","password":"passw0Rd"}
The ‘Authorization’ header carries the OAuth client credentials (‘client_id’ and ‘client_secret’) base64-encoded as HTTP Basic authentication.
I did not find how to obtain an access token for the application, so I decided to test with the header as-is. Fortunately, the target has Swagger API documentation, so my next step was to call the documented API endpoints using only those client credentials.
When I finished, I had two juicy endpoints.
The first one, /rest/v1/companies/{companyID}/provider, returns a description of all the company's employees' expenses, including merchants and amounts.
The companyID is in UUID format and not guessable.
But there is a second request, /rest/v1/settings/provider, that returns all companies (1760 records) that activated this particular provider.
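As an added example (not the target's own code), here is the server-side authorization check, in Python, that would have prevented this class of bug: the mobile app's client credentials are accepted only at the token endpoint, while the two resource endpoints require a user bearer token scoped to the matching company or to an admin role. All client IDs, secrets, tokens and company IDs below are constructed sample values.

```python
import base64
import re

# Constructed sample credential stores (hypothetical values, not from the target).
CLIENTS = {"ios-client": "ios-secret"}
USER_TOKENS = {  # bearer token -> (user, company_id, role)
    "tok-alice": ("alice", "c0ffee00-0000-4000-8000-000000000001", "employee"),
    "tok-admin": ("admin", None, "provider_admin"),
}
COMPANY_RE = re.compile(r"^/rest/v1/companies/([0-9a-f-]{36})/provider$")


def basic_header(client_id, secret):
    """Build the HTTP Basic header the mobile app sends (client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def parse_auth(header):
    """Classify the Authorization header as ('client', id), ('user', info) or None."""
    if header is None:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        try:
            client_id, _, secret = base64.b64decode(value).decode().partition(":")
        except Exception:
            return None
        return ("client", client_id) if CLIENTS.get(client_id) == secret else None
    if scheme.lower() == "bearer" and value in USER_TOKENS:
        return ("user", USER_TOKENS[value])
    return None


def authorize(path, auth_header):
    """Return (status, reason). Client credentials alone only reach the token endpoint."""
    principal = parse_auth(auth_header)
    if principal is None:
        return (401, "missing or invalid credentials")
    kind, info = principal
    if path == "/oauth/authorization/login":
        return (200, "token endpoint") if kind == "client" else (401, "client auth required")
    if kind == "client":
        # The bug described above: app client credentials must not unlock resource endpoints.
        return (401, "user access token required")
    user, company_id, role = info
    m = COMPANY_RE.match(path)
    if m:  # company-scoped data: the token's company must match the URL
        return (200, "ok") if m.group(1) == company_id else (403, "not your company")
    if path == "/rest/v1/settings/provider":  # provider-wide listing: admin only
        return (200, "ok") if role == "provider_admin" else (403, "admin role required")
    return (404, "unknown route")
```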
Timeline:
- Jan 24th, 2021: reported.
- Jan 25th, 2021: triaged as High, rewarded, and resolved.