Security researcher Rayhan Ahmed firstname.lastname@example.org mailed us the following. I'm pretty sure the APIs can be open as they are now, but it would be nice to have this confirmed by somebody working on this project.
Hello Team, I want to report 3 of my findings which I think are some security vulnerabilities in your Django API of "My Data Done Right". I am not 100% sure if you would consider them as serious security issues, so apologies in advance if I am mistaken.
- Rest APIs are accessible by anyone:
The Django rest API is enabled as anonymous access; anyone can read all the organization data, which is around 2094 records. Here is a screenshot of one of the records: list_data.png. PS: I am not sure if they are purposely left available like that; if you think this is intentional, I apologize in advance.
- Add/Update/manipulate data anonymously: I can insert a new organization record anonymously via the API without any account. Here are the request and response data: add_record.png
I added a new record with id: 3063, I can also see my record data is available to process in this endpoint: https://api.staging.mydatadoneright.eu/api/v1/reminders
PS: I only tested adding a new record via the API anonymously on api.staging.mydatadoneright.eu; I did not test adding new data on the main API subdomain so as not to cause any problem, but I am sure that one is also vulnerable to this. I did not test deleting or updating data, but as I can add new data and there are options for deletion and correction here: https://api.staging.mydatadoneright.eu/api/v1/actions I presume those actions can also be done anonymously.
- Staging API discloses sensitive information: If we post an invalid data type to the API endpoint and an exception occurs in the staging endpoint, it prints out environment variables because DEBUG mode is set to True. I agree this is not a big issue, since Django masked out all the passwords from the output, but there is some information which may be considered sensitive in the response:
exception.png exception2.png I could not display all the output via screenshot, but it prints all the information from the settings of Django.
These are so far my findings on that website and since it's powered by Bits of Freedom I decided to report them following the guideline from https://www.bitsoffreedom.nl/coordinated-vulnerability-disclosure-en/. Thanks and best regards, Rayhan
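For anyone triaging the two findings above, the following added check (not part of the report or of the project's code) audits a Django settings object for the weak configuration described (DEBUG on, no REST framework permission default, which Django REST framework documents as falling back to AllowAny) and shows it beside a hardened variant that keeps reads public but requires authentication for writes. The settings objects are constructed here for illustration; the hypothetical `audit_settings` helper is not a Django or DRF API.

```python
"""Audit Django/DRF settings for the two weaknesses in the report above."""
from types import SimpleNamespace

# Permission classes that let an anonymous client create or modify records.
ANON_WRITE_PERMS = {"rest_framework.permissions.AllowAny"}


def audit_settings(settings) -> dict:
    """Return {finding_code: explanation} for each weakness found."""
    findings = {}
    # Django's technical 500 page (shown when DEBUG=True) dumps settings and
    # the environment; only keys that look like secrets are masked.
    if getattr(settings, "DEBUG", False):
        findings["DEBUG_ON"] = (
            "DEBUG=True: unhandled exceptions render the technical error page, "
            "which lists settings and environment variables"
        )
    drf = getattr(settings, "REST_FRAMEWORK", None) or {}
    perms = drf.get("DEFAULT_PERMISSION_CLASSES")
    if not perms:
        # DRF's documented default when nothing is configured is AllowAny.
        findings["ANON_WRITE"] = (
            "REST_FRAMEWORK.DEFAULT_PERMISSION_CLASSES unset: DRF defaults to "
            "AllowAny, so anonymous clients can POST/PUT/DELETE on every view"
        )
    elif any(p in ANON_WRITE_PERMS for p in perms):
        findings["ANON_WRITE"] = "AllowAny is the global default: anonymous writes permitted"
    return findings


# Constructed settings resembling the staging configuration in the report.
WEAK = SimpleNamespace(DEBUG=True, REST_FRAMEWORK={})

# Hardened: DEBUG off; reads stay public (as the maintainer expects), writes
# need a session or token, matching DRF's IsAuthenticatedOrReadOnly semantics.
HARDENED = SimpleNamespace(
    DEBUG=False,
    REST_FRAMEWORK={
        "DEFAULT_PERMISSION_CLASSES": [
            "rest_framework.permissions.IsAuthenticatedOrReadOnly",
        ],
        "DEFAULT_AUTHENTICATION_CLASSES": [
            "rest_framework.authentication.SessionAuthentication",
            "rest_framework.authentication.TokenAuthentication",
        ],
    },
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_settings(cfg))
```

Per-view `permission_classes` overrides are not inspected, so a clean global default still needs a look at any view that sets AllowAny itself.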