Fastly Secret Disclosure

Fastly Secret Disclosure: Posted Mar 13, 2023; Authored by Andrey Stoykov; Fastly suffers from the poor practice of sending a temporary password in plaintext.; tags | exploit, info disclosure; SHA-256 | 09181b45538cae9f3688cd0f1f65f20913277a3c96827c11f9df3ad8004ab8bc; Download | Favorite | View

Fastly Secret Disclosure

Correspondence from Fastly declined to comment regarding new discovered
vulnerabilities within their website.

Poor practices regarding password changes.


1. Reset user password
2. Access link sent
3. Temporary password sent plaintext


// HTTP POST request

POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
{"g-recaptcha-response":"03AFY_a8UY[...]"}
[...]


// HTTP response

HTTP/2 200 OK
Cache-Control: no-store
[...]


// HTTP GET request

GET
/auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d...
HTTP/2
Host: manage.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]


// HTTP response

HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600,
stale-while-revalidate=600
[...]



Weak Pwd requirements

1. Login to user account
2. Click Account -> Personal Profile
3. Select Change Password -> Current Password -> FastLy%2540!1M
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P
5. Select Sign Out Option
6. Login with new password


// HTTP POST request

POST /oauth/password HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%
40gmail.com
[...]


// HTTP response

HTTP/2 401 Unauthorized
Status: 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
[...]

[...]
{"msg":"Token 3kzBPKXbsbtZBl9..."}
[...]


// HTTP POST request

POST /oauth/access_token HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%
40gmail.com
[...]


// HTTP response

HTTP/2 200 OK
Status: 200 OK
[...]

[...]
{"id":"7IU53vPHZ...",
"name":"manage.fastly.com browser session",
"user_id":"3lWtx49FrV...",
"customer_id":"535znFHg...",
[...]
"token_type":"bearer",
"scope":"global",
"services":[],
"access_token":"qwdBQF43O..."}
[...]

Top Authors In Last 30 Days

Red Hat 136 files
Ubuntu 97 files
Debian 24 files
LiquidWorm 10 files
Google Security Research 10 files
Muhammad Navaid Zafar Ansari 7 files
Abdulhakim Oner 6 files
fearzzzz 5 files
nu11secur1ty 5 files
Ivan Fratric 5 files

File Archives

Systems

AIX (426)
Apple (1,951)
BSD (370)
CentOS (55)
Cisco (1,919)
Debian (6,710)
Fedora (1,691)
FreeBSD (1,242)
Gentoo (4,288)
HPUX (878)
iOS (338)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,054)
Mac OS X (684)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (12,874)
Slackware (941)
Solaris (1,609)
SUSE (1,444)
Ubuntu (8,426)
UNIX (9,205)
UnixWare (185)
Windows (6,530)
Other

Fastly Secret Disclosure

Fastly Secret Disclosure

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Fastly Secret Disclosure

Share This

Fastly Secret Disclosure

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems