
OvulaRing 4.2.2 Broken Object Level Authorization

Posted Nov 9, 2020
Authored by Tobias Glemser | Site secuvera.de

OvulaRing web application version 4.2.2 suffers from a broken object level authorization vulnerability.

tags | advisory, web
MD5 | a4d2f3d8f3deb95903e052373bad61ab

secuvera-SA-2020-01: Broken Object Level Authorization Vulnerability in the OvulaRing Web Application

Affected Products
OvulaRing Webapp Version 4.2.2 (older releases have not been tested)

References
https://www.secuvera.de/advisories/secuvera-SA-2020-01.txt
https://owasp.org/www-project-api-security/ API1:2019 Broken Object Level Authorization

Summary:
"OvulaRing is an easy and accurate way to find out about your cycle health and to accurately determine your fertile days - developed by gynecologists and suitable for all cycle types."
According to the privacy statement, only the following data is stored:
- Number of the current sensor
- Username
- Password
The username is generated individually and printed on each package. To be
able to reset the password, a user may optionally store an "E-Mail-Hash". If this
is done correctly, there is no correlation between the measured and stored
data and any personal data. The design strongly appears to follow the "privacy
by default" principle.

The privacy statement also declares that access to the sensor (SNS) data is only
granted to the individual user. This is wrong. Due to a broken object level
authorization check, anyone with access to the application is able to access any
sensor's data.


Effect:
Anyone with access to the application is able to read other users' SNS data. The SNS-ID
appears to be auto-incremented, so valid IDs are easy to guess.

Attack:
Log in with the demo user account or the demo doctor's account. Use the example given to
brute-force the SNS-IDs. A good starting point seems to be 32-00000; increment by 1.
If you find an SNS with data, here is a more comfortable way to browse the data sets:
log in again as the demo user or demo doctor. As soon as the user's original SNS-ID is sent
to the browser, substitute it with the one you want to look at.

Example:
GET /v3/data_series?callback=$Something&access_token=$Something&sns%5B%5D=$dDesiredSns&level=1&from=$UnixTimestamp&to=$UnixTimestamp&mode=default&fine=true
Returns the measurement points for the requested SNS-ID over the time range given in the call.

Solution:
Fixed in Version 4.2.8
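The advisory does not say how version 4.2.8 fixes the issue. The following is an added illustration (not the vendor's code) of the missing check on a data_series-style endpoint: the vulnerable handler serves whatever sns[] value the client sends, while the hardened handler verifies that every requested SNS-ID belongs to the authenticated account. The sensor-ownership table, the measurement store and the URL values are constructed sample data.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: which account owns which SNS-ID (hypothetical values).
SENSOR_OWNERS = {"32-00000": "demo_user", "32-00001": "other_user"}

# Constructed sample measurement store: SNS-ID -> [(unix_ts, value), ...].
MEASUREMENTS = {
    "32-00000": [(1600000000, 36.6), (1600003600, 36.7), (1600010000, 36.8)],
    "32-00001": [(1600000000, 36.9)],
}


def parse_request(url):
    """Pull sns[] (percent-encoded as sns%5B%5D), from and to out of the
    query string of a /v3/data_series request. parse_qs decodes the key."""
    query = parse_qs(urlsplit(url).query)
    sns_ids = query.get("sns[]", [])
    from_ts = int(query["from"][0])
    to_ts = int(query["to"][0])
    return sns_ids, from_ts, to_ts


def series_in_range(sns, from_ts, to_ts):
    """Filter one sensor's points to the requested time window."""
    return [p for p in MEASUREMENTS.get(sns, []) if from_ts <= p[0] <= to_ts]


def data_series_vulnerable(current_user, url):
    """Before: the session proves *who* the caller is, but the handler never
    checks whether the caller may read the requested object. The
    current_user argument is accepted and ignored, which is the bug."""
    sns_ids, from_ts, to_ts = parse_request(url)
    return {sns: series_in_range(sns, from_ts, to_ts) for sns in sns_ids}


def data_series_fixed(current_user, url):
    """After: object-level authorization. Every requested SNS-ID must be
    owned by the authenticated account; otherwise the whole request is
    refused. Unknown IDs get the same refusal as foreign IDs, so the
    response does not confirm which auto-incremented IDs exist."""
    sns_ids, from_ts, to_ts = parse_request(url)
    for sns in sns_ids:
        if SENSOR_OWNERS.get(sns) != current_user:
            raise PermissionError("sensor not accessible for this account")
    return {sns: series_in_range(sns, from_ts, to_ts) for sns in sns_ids}
```

A random, non-sequential SNS-ID would slow down enumeration but is not a substitute for the ownership check; the check is what closes the hole.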

Disclosure Timeline:
2020/07/16 vendor contacted
2020/07/16 vendor response
2020/07/23 vendor verified vulnerability
2020/08/09 vendor sent informational update
2020/10/16 vendor informed about the fixed version
2020/11/06 public disclosure




Kind regards

Tobias Glemser

+49 7032/9758-15 (phone)
+49 7032/9758-30 (fax)
--
#secuvera: cyber: talk: Weekly free webinars. Upcoming topics:
- Send your topic requests to info@secuvera.de
https://www.secuvera.de/cyber-talk
#Social media
https://twitter.com/secuveragmbh
https://www.linkedin.com/company/secuvera-gmbh
https://de-de.facebook.com/secuveragmbh

#Legal information
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
www.secuvera.de

Register court: Amtsgericht Stuttgart HRB 241704
Managing directors: Tobias Glemser, Reto Lorenz
