CVE-2022-34770 in Tabit
Summary
by MITRE • 08/22/2022
Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoDB IDs, which are not so simple to enumerate. However, they each receive a 'tiny URL' in Tabit's domain, in the form of https://tbit.be/{suffix}, with suffix being a 5-character-long string containing numbers and lower- and upper-case letters. It is not so simple to enumerate them all, but really easy to find some that work and lead to a personal endpoint. This is both an example of OWASP: API4 - rate limiting and OWASP: API1 - Broken object level authorization. Furthermore, the redirect URL disclosed the MongoDB IDs discussed above, and we could use them to query other endpoints disclosing more personal information. For example: the URL https://tabitisrael.co.il/online-reservations/health-statement?orgId={org_id}&healthStatementId={health_statement_id} is used to invite friends to fill in a health statement before attending the restaurant. We can use the health_statement_id to access the https://tgm-api.tabit.cloud/health-statement/{health_statement_id} API, which discloses medical information as well as ID number.
Analysis
by VulDB Data Team • 08/22/2022
This vulnerability is an authorization flaw in the Tabit web system that allows unauthorized access to sensitive personal information through insufficiently protected APIs. It combines broken object level authorization with missing access controls, so that the health statements, billing records, lifestyle habits and other confidential data behind the API endpoints are served without any check of who is asking. The flaw is reachable because Tabit issues short URLs whose 5-character suffixes are easy to guess, and because the redirect targets of those short URLs carry the MongoDB ObjectIDs that the data endpoints key on.
The root cause is missing access control validation at the application layer: the system never verifies that the caller is entitled to the object before serving it. Each API endpoint takes one or more MongoDB identifiers in its URL; those identifiers are hard to guess directly, but the 5-character alphanumeric short-URL suffix that redirects to them is not, and the redirect discloses them. Once an attacker holds a valid ObjectID, the endpoint returns the protected record. This matches CWE-285 (Improper Authorization) and is a textbook instance of OWASP API1 - Broken Object Level Authorization, where the server fails to confirm that the requesting user may access the specific object referenced in the request.
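The following is an added illustration, not Tabit's code: the vulnerable lookup pattern for a health-statement endpoint beside a hardened version that ties the object to the caller. Record shapes, identifiers and function names are constructed for the example.

```python
# Added example (not Tabit's code): object-level authorization for a
# health-statement endpoint, shown beside the vulnerable pattern the advisory
# describes. All identifiers, records and function names are constructed.
from dataclasses import dataclass, field

@dataclass
class HealthStatement:
    id: str                 # MongoDB-style ObjectID (constructed, 24 hex chars)
    org_id: str
    owner_user_id: str      # the diner who created the statement
    invited_user_ids: set = field(default_factory=set)  # friends invited to fill it in
    body: dict = field(default_factory=dict)

# Constructed sample store: two statements belonging to different diners.
STATEMENTS = {
    "62ff0c1a9e4b2d0001a1b2c3": HealthStatement(
        "62ff0c1a9e4b2d0001a1b2c3", "org-1", "user-alice", {"user-bob"},
        {"id_number": "000000000", "symptoms": "none"}),
    "62ff0c1a9e4b2d0001a1b2c4": HealthStatement(
        "62ff0c1a9e4b2d0001a1b2c4", "org-2", "user-carol", set(),
        {"id_number": "111111111", "symptoms": "cough"}),
}

def get_health_statement_vulnerable(hs_id):
    """The flawed pattern: whoever knows the ObjectID gets the record."""
    hs = STATEMENTS.get(hs_id)
    return (200, hs.body) if hs else (404, None)

def get_health_statement(requester, hs_id):
    """Hardened: authenticate, then check the caller's relation to *this* object.
    `requester` is the user id from a verified session, or None if unauthenticated."""
    if requester is None:
        return (401, None)
    hs = STATEMENTS.get(hs_id)
    # Return 404 both for missing objects and for objects the caller may not see,
    # so the response does not reveal which guessed IDs exist.
    if hs is None or requester not in ({hs.owner_user_id} | hs.invited_user_ids):
        return (404, None)
    return (200, hs.body)
```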
The operational impact goes beyond a single exposed record, because the endpoints chain together: the redirect behind a short URL discloses MongoDB ObjectIDs, and each disclosed ID unlocks further related endpoints. An attacker can thereby reach health statements, previous bills, alcohol consumption records and smoking habits of users, which supports identity theft, targeted attacks and similar abuse. The issue also exhibits OWASP API4 - Rate Limiting, since nothing throttles the short-URL resolver or the data endpoints, so automated guessing of suffixes and identifiers runs unhindered.
The security implications are severe because the exposed data includes medical information, personal health records and lifestyle details, which can be used for insurance fraud, targeted phishing or social engineering. The application performs neither input validation nor access control checks on these requests, so an unauthenticated user obtains the data without ever passing an authentication step. The short-URL scheme makes valid identifiers cheap to obtain: the 5-character alphanumeric suffix space is small enough that automated requests readily land on working links, even though enumerating every suffix is impractical. The design violates the principle of least privilege and shows that the API layer has no effective authorization controls.
Mitigation starts with object-level authorization checks that validate the caller's permissions before any sensitive data is served, regardless of the URL structure or identifier used in the request: each request must come from an authenticated user who is entitled to the specific object referenced by the MongoDB ObjectID. Rate limiting and request throttling on the short-URL resolver and the data endpoints should be added to blunt automated enumeration, and identifiers should be validated against their expected format. The short-URL system should be redesigned so that it no longer exposes internal ObjectIDs and instead uses opaque tokens that cannot be enumerated or guessed. Finally, API access should be logged and monitored so that enumeration patterns, such as a client requesting many distinct suffixes that mostly fail, are detected and acted on, and access control policies should enforce least privilege across every application interface.
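As an added example (not Tabit's code) of the short-URL and rate-limiting mitigations above, the resolver below issues opaque high-entropy tokens stored server-side, throttles lookups per client with a sliding window, and raises an alert when a client accumulates many lookups of unknown tokens. Thresholds, client labels and class names are constructed; the redirect target would still be guarded by an object-level check like the one shown earlier.

```python
# Added example (not Tabit's code): a short-link resolver that issues opaque
# tokens, rate-limits lookups per client, and flags clients whose lookups mostly
# miss, which is the signature of suffix guessing. Names and thresholds are constructed.
import secrets
from collections import defaultdict, deque

LIMIT_PER_WINDOW = 20      # lookups allowed per client per window
WINDOW_SECONDS = 60
MISS_ALERT_THRESHOLD = 10  # distinct unknown tokens from one client before alerting

class ShortLinkService:
    def __init__(self):
        self._links = {}                    # token -> target path (server-side only)
        self._hits = defaultdict(deque)     # client -> timestamps of recent lookups
        self._misses = defaultdict(set)     # client -> unknown tokens it asked for
        self.alerts = []                    # what monitoring would receive

    def create(self, target_path):
        """Store the mapping server-side; the token encodes nothing about the target."""
        token = secrets.token_urlsafe(16)   # 128 bits of entropy, not a 5-char suffix
        self._links[token] = target_path
        return token

    def _allowed(self, client, now):
        """Sliding-window limiter: at most LIMIT_PER_WINDOW lookups per WINDOW_SECONDS."""
        q = self._hits[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                     # drop timestamps outside the window
        if len(q) >= LIMIT_PER_WINDOW:
            return False
        q.append(now)
        return True

    def resolve(self, client, token, now):
        """Return (status, location): 429 when throttled, 404 for unknown tokens."""
        if not self._allowed(client, now):
            return (429, None)
        target = self._links.get(token)
        if target is None:
            misses = self._misses[client]
            misses.add(token)
            if len(misses) == MISS_ALERT_THRESHOLD:
                self.alerts.append(f"possible short-link enumeration from {client}")
            return (404, None)
        return (302, target)
```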