CVE-2022-34776 in Tabitinfo

Summary

by MITRE • 08/22/2022

Tabit - giftcard stealth. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoDB IDs, which are not so simple to enumerate. However, they each receive a 'tiny URL' in Tabit's domain, in the form of https://tbit.be/{suffix}, with suffix being a 5-character-long string containing numbers, lower- and upper-case letters. It is not so simple to enumerate them all, but really easy to find some that work and lead to a personal endpoint. Furthermore, the redirect URL disclosed the MongoDB IDs discussed above, and we could use them to query other endpoints disclosing more personal information.


Analysis

by VulDB Data Team • 08/23/2022

This vulnerability is an authorization flaw in the Tabit giftcard web system that exposes sensitive personal data through API endpoints that do not check who is asking. Several web APIs return confidential information, including health statements, billing history at a specific restaurant, alcohol consumption and smoking habits, to any caller who knows the right URL. Each endpoint identifies the record it serves by one or more MongoDB ObjectIDs embedded in the URL. The ObjectIDs themselves are not trivial to guess, but every such record is also reachable through a short link in Tabit's domain of the form https://tbit.be/{suffix}, where suffix is a 5-character string drawn from digits, lower-case and upper-case letters, a keyspace of 62^5, roughly 9.2 x 10^8 values. The classification is CWE-284 Improper Access Control, and more specifically CWE-285 Improper Authorization, because the endpoints never verify that the caller is entitled to the record they return.

Technically this is a classic insecure direct object reference (IDOR): the server resolves whatever ObjectID appears in the URL without checking that it belongs to the requester. What makes the IDOR exploitable at scale is the short link. A 62^5 suffix space is far too small to act as a secret: an attacker cannot walk all of it cheaply, but random probing of https://tbit.be/{suffix} turns up valid links quickly, and each valid link redirects to a personal endpoint. The redirect target itself discloses the MongoDB ObjectIDs of the user, bill or restaurant involved, and those identifiers can then be replayed against the other unprotected endpoints. The short link therefore converts hard-to-guess ObjectIDs into easy-to-find ones, and no credential of the victim is needed at any step.
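The arithmetic behind "not simple to enumerate them all, but easy to find some that work", as an added example that is not code from the advisory, from MITRE or from Tabit: it takes the suffix alphabet and length stated in the summary, estimates how many random probes a scanner needs per live link for an assumed population of valid links (the real number is not public), and shows the parsing step that pulls 24-hex ObjectIDs out of a redirect Location value. The redirect URL layout and the example IDs are constructed.

```python
import math
import re
import string

# Alphabet and length of the https://tbit.be/{suffix} short link, as stated in the advisory.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
SUFFIX_LEN = 5
KEYSPACE = len(ALPHABET) ** SUFFIX_LEN  # 62**5 = 916_132_832 possible suffixes

# A MongoDB ObjectID is 12 bytes, rendered as exactly 24 hex characters.
OBJECT_ID_RE = re.compile(r"\b[0-9a-f]{24}\b")


def hit_probability(valid_links: int) -> float:
    """Chance that one uniformly random suffix resolves to a live short link."""
    if not 0 < valid_links <= KEYSPACE:
        raise ValueError("valid_links must be between 1 and the keyspace size")
    return valid_links / KEYSPACE


def expected_probes_per_hit(valid_links: int) -> int:
    """Mean number of random probes until the first live link (geometric distribution)."""
    return math.ceil(1 / hit_probability(valid_links))


def probes_for_confidence(valid_links: int, confidence: float = 0.99) -> int:
    """Probes needed so that P(at least one live link found) >= confidence."""
    p = hit_probability(valid_links)
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))


def seconds_to_first_hit(valid_links: int, requests_per_second: float) -> float:
    """Wall-clock estimate for a single scanner at a given request rate."""
    return expected_probes_per_hit(valid_links) / requests_per_second


def extract_object_ids(redirect_target: str) -> list[str]:
    """Pull every 24-hex ObjectID out of a redirect Location value.

    The advisory says the redirect URL disclosed the ObjectIDs; this is the
    parsing an attacker would run on each 30x response to harvest them.
    """
    return OBJECT_ID_RE.findall(redirect_target)


if __name__ == "__main__":
    # Assumed population: one million live short links (an assumption, not a published figure).
    n = 1_000_000
    print(f"keyspace: {KEYSPACE:,} suffixes")
    print(f"hit probability per probe: {hit_probability(n):.5f}")
    print(f"expected probes per live link: {expected_probes_per_hit(n)}")
    print(f"probes for a 99% chance of one hit: {probes_for_confidence(n)}")
    print(f"time to first hit at 50 req/s: {seconds_to_first_hit(n, 50):.0f} s")
    # Constructed redirect target: the path layout is an assumption, only the 24-hex ID shape is real.
    location = ("https://example.invalid/bill/5f1f9a2c4b3d6e8f0a1b2c3d"
                "?user=60aa0f3d7c2b1e9a8d7f6e5c")
    print("ObjectIDs leaked by redirect:", extract_object_ids(location))
```

With a million live links, roughly one probe in nine hundred hits, so a single low-rate scanner finds a personal endpoint in well under a minute; the keyspace only matters for exhaustive enumeration, which the attacker never needs.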

The operational impact goes well beyond a single data leak. Health statements, drinking and smoking habits and dining history are categories of data commonly treated as sensitive, and their exposure enables targeted scams, social engineering, discrimination and unwanted profiling. Because the identifiers leaked by one endpoint are accepted by the others, an attacker can aggregate data from several endpoints into a profile of an individual, and a single working short link is enough to start that chain. In ATT&CK terms the entry point is T1190 Exploit Public-Facing Application; the disclosed identifiers then let the attacker map the application's data model and pivot from one record to related ones.

Remediation is to enforce authorization on every API endpoint before any data is returned: the server must derive the requester's identity from a verified session or token and check that the requested record belongs to that user (or that the user's role entitles them to it), rather than trusting an identifier supplied in the URL. Rate limiting on the https://tbit.be/{suffix} redirect, a longer or higher-entropy suffix, and random rather than timestamp-based record identifiers all raise the cost of guessing, but they are defence in depth and do not remove the flaw; only the server-side ownership check does. The redirect should also stop exposing internal ObjectIDs where a short-lived, user-bound token would serve. Logging and alerting on bursts of 404s against the short-link path from a single source give early warning of enumeration. The case illustrates the principle of least privilege and the access-control requirements of NIST SP 800-53 (AC family) and ISO/IEC 27001.
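The two controls above in working form, as an added example that is not Tabit's code (Tabit's server stack is not public; Python is assumed): the vulnerable lookup that returns a bill to anyone holding its ObjectID, beside the hardened lookup that requires the bill to belong to the authenticated requester, and a detector that flags short-link enumeration from access logs. The Bill model, the ObjectID-shaped values, the Common Log Format lines and the miss threshold are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    """Constructed stand-in for a document in a MongoDB 'bills' collection."""
    id: str             # 24-hex ObjectID of the bill
    owner_id: str       # 24-hex ObjectID of the diner it belongs to
    restaurant_id: str  # 24-hex ObjectID of the restaurant
    total: float


# Constructed sample data; the IDs are shaped like ObjectIDs but are not real records.
DINER_A = "60aa0f3d7c2b1e9a8d7f6e5c"
DINER_B = "61bb1e4e8d3c2faab9e07f6d"
BILLS = {
    b.id: b for b in (
        Bill("5f1f9a2c4b3d6e8f0a1b2c3d", DINER_A, "7c2d3e4f5a6b7c8d9e0f1a2b", 142.50),
        Bill("5f1f9a2c4b3d6e8f0a1b2c3e", DINER_B, "7c2d3e4f5a6b7c8d9e0f1a2b", 38.00),
    )
}


class AuthorizationError(Exception):
    pass


def get_bill_vulnerable(bill_id: str) -> Bill:
    """The IDOR: whoever supplies a valid ObjectID gets the record, owner or not."""
    return BILLS[bill_id]


def can_read_bill(bill_id: str, requester_id: str) -> bool:
    """Object-level authorization: the bill must belong to the authenticated requester."""
    bill = BILLS.get(bill_id)
    return bill is not None and bill.owner_id == requester_id


def get_bill(bill_id: str, requester_id: str) -> Bill:
    """Hardened lookup. requester_id must come from the verified session, never from the URL."""
    if not can_read_bill(bill_id, requester_id):
        # One error for 'missing' and 'not yours', so the reply does not confirm that the ID exists.
        raise AuthorizationError("bill not found")
    return BILLS[bill_id]


# --- detection side: spot random probing of 5-character short links in access logs ---

# Common Log Format line whose request path is exactly one 5-char alphanumeric segment.
SHORTLINK_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /(?P<suffix>[0-9A-Za-z]{5}) HTTP/1\.[01]" (?P<status>\d{3})'
)


def flag_shortlink_enumeration(log_lines, miss_threshold: int = 20) -> dict[str, int]:
    """Return {client_ip: 404_count} for clients whose short-link misses reach the threshold.

    A real diner follows a link they were given and almost never 404s; a scanner
    guessing suffixes misses on the overwhelming majority of its probes.
    """
    misses: Counter[str] = Counter()
    for line in log_lines:
        m = SHORTLINK_LINE.match(line)
        if m and m["status"] == "404":
            misses[m["ip"]] += 1
    return {ip: n for ip, n in misses.items() if n >= miss_threshold}


def _log(ip: str, path: str, status: int, size: int = 0) -> str:
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [22/Aug/2022:10:00:00 +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed log sample: one scanner (203.0.113.7) and one ordinary user (198.51.100.5).
SAMPLE_LOG = (
    [_log("203.0.113.7", f"/{i:05d}", 404) for i in range(30)]  # 30 guessed suffixes that miss
    + [_log("203.0.113.7", "/aB3xZ", 302)]                      # ...and one that redirects
    + [_log("198.51.100.5", "/Qw9Lm", 302)] * 2                 # real diner opening their link twice
    + [_log("198.51.100.5", "/api/health", 200, 12)]            # not a short link; ignored
)


if __name__ == "__main__":
    victim_bill = "5f1f9a2c4b3d6e8f0a1b2c3d"
    print("vulnerable:", get_bill_vulnerable(victim_bill).total, "returned to anyone")
    print("hardened, owner:", get_bill(victim_bill, DINER_A).total)
    try:
        get_bill(victim_bill, DINER_B)
    except AuthorizationError as e:
        print("hardened, other diner:", e)
    print("enumeration suspects:", flag_shortlink_enumeration(SAMPLE_LOG))
```

The hardened path deliberately answers "not found" for both a nonexistent ID and someone else's ID: a distinct "forbidden" response would tell a scanner which guessed identifiers are real. The detector keys on misses rather than hits because a short-link scanner, by the arithmetic of a 62^5 keyspace, produces hundreds of 404s for every successful redirect.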

Reservation

06/29/2022

Disclosure

08/22/2022

Moderation

accepted

CPE

ready

EPSS

0.00445

KEV

no

Activities

very low

Sources
