Hello, I am here to report a potential security issue in the server-side of the 'Follow App'.
There is an API that allows checking a user's subscription status.
However, this API also inadvertently exposes the user's inbox status.
Using my user ID as an example, it's quite easy to view the following information:
https://api.follow.is/subscriptions?userId=56943751573820416
...
{
    "inboxes": {
        "type": "inbox",
        "id": "guest",
        "secret": "Jqg7gDb6wpq2Wi1bbc2WD",
        "title": "guest"
    },
    "feedId": "inbox-guest",
    "title": "guest",
    "userId": "56943751573820416",
    "inboxId": "guest",
    "view": 0,
    "category": null,
    "isPrivate": false
}
...
I believe that the "secret" within this should not be exposed, and furthermore, it should not include the user's "inbox" subscriptions.
There are multiple places where other user IDs can be obtained.
For example, "Follow"'s ID is 41469671337837568:
https://api.follow.is/subscriptions?userId=41469671337837568
...
{
    "inboxes": {
        "type": "inbox",
        "id": "followme",
        "secret": "BZw***************AMlk",
        "title": ""
    },
    "feedId": "inbox-followme",
    "title": "",
    "userId": "41469671337837568",
    "inboxId": "followme",
    "view": 0,
    "category": null,
    "isPrivate": false
}
...
Proof of Concept:
For privacy reasons, I have manually redacted the relevant information.
The SHA-1 hash of the "secret" content is:
5540952595d1d92110fe74522a9830eccbc1a5cd
I think being able to obtain someone else's "Secret" is definitely not a good thing. If this is a security issue, I hope it can be fixed.
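The fix the report asks for is an authorization decision on the server: inbox subscriptions (and the inbox secret inside them) belong to the account that owns them and should not appear in a listing requested by anyone else. The following TypeScript is an added illustration of that rule, written for this page; it is not Follow's code, and the types, function names and sample IDs ("owner-1", "viewer-2") are assumptions constructed for the example. It pairs the ownership filter with a defensive serializer that refuses to emit a "secret" key at all, so a future bypass of the filter still cannot leak the value.

```typescript
// Added example, not the Follow project's own code.
// Shapes below mirror the fields visible in the reported response; the
// types and sample values are assumptions constructed for this illustration.

interface Inbox {
  type: "inbox";
  id: string;
  secret: string; // sensitive: must only ever reach the inbox owner
  title: string;
}

interface Subscription {
  inboxes?: Inbox; // present only on inbox subscriptions
  feedId: string;
  title: string;
  userId: string; // owner of the subscription row
  inboxId?: string;
  view: number;
  category: string | null;
  isPrivate: boolean;
}

// Constructed sample data; IDs and the secret are placeholders.
const SAMPLE_SUBSCRIPTIONS: Subscription[] = [
  {
    inboxes: { type: "inbox", id: "guest", secret: "PLACEHOLDER-SECRET", title: "guest" },
    feedId: "inbox-guest",
    title: "guest",
    userId: "owner-1",
    inboxId: "guest",
    view: 0,
    category: null,
    isPrivate: false,
  },
  {
    feedId: "feed-42",
    title: "A public feed",
    userId: "owner-1",
    view: 0,
    category: null,
    isPrivate: false,
  },
];

/**
 * Build the subscription list for `ownerId` as it may be shown to `viewerId`
 * (null for an unauthenticated caller).
 *  - Rows belonging to other users are never included.
 *  - Inbox subscriptions are returned only when the viewer is the owner.
 */
function filterSubscriptionsForViewer(
  subscriptions: Subscription[],
  ownerId: string,
  viewerId: string | null,
): Subscription[] {
  const isOwner = viewerId !== null && viewerId === ownerId;
  return subscriptions
    .filter((s) => s.userId === ownerId)
    .filter((s) => isOwner || s.inboxes === undefined);
}

/**
 * Defence in depth for the response layer: serialize while dropping every
 * "secret" key, whatever object it sits in. Use this for listings that are
 * visible to anyone other than the owner.
 */
function serializeWithoutSecrets(payload: unknown): string {
  return JSON.stringify(payload, (key, value) => (key === "secret" ? undefined : value));
}

/** Regression check: true if a serialized payload still carries a "secret" key. */
function containsSecretField(payload: unknown): boolean {
  return JSON.stringify(payload).includes('"secret"');
}

// Stand-alone demonstration.
const publicView = filterSubscriptionsForViewer(SAMPLE_SUBSCRIPTIONS, "owner-1", "viewer-2");
console.log("non-owner rows:", publicView.length, "leaks secret:", containsSecretField(publicView));
console.log("owner rows, serialized safely:", serializeWithoutSecrets(
  filterSubscriptionsForViewer(SAMPLE_SUBSCRIPTIONS, "owner-1", "owner-1"),
));
```

The ownership filter is the actual fix; `serializeWithoutSecrets` is there so that a secret-bearing object reaching the wrong response path is still scrubbed, and `containsSecretField` is the kind of assertion a test suite can run against every endpoint that returns subscription rows.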