Our team occasionally scans APIs for various customer and research purposes, or in connection with a specific request. As we do this, we sometimes find vulnerabilities from third-party organizations. This article is part of an ongoing series of posts following some API vulnerabilities FireTail researchers have uncovered in the process…
FireTail researcher Viktor Markopoulos discovered a vulnerability in a European Shipping Company’s APIs that allowed him to download internal files without authentication. He was also able to find the exposed register and login calls, but couldn’t find a way to use them without the web app the API links to.
The API's JWT handling was very weak: it accepted an "alg" of "none," so the signature was never checked and he could forge a token of his own to get in. Viktor also found a couple of webshells among the downloaded files, suggesting that someone had probably already tried to hack MSC, and may even have succeeded.
Furthermore, Viktor was able to successfully register an anonymous user due to weak secrets on the user registration API. He was also able to generate a user token to retrieve information without using the registration.
He also attempted to retrieve further information from the user API but was unsuccessful. However, he retrieved and downloaded multiple internal files without authentication.
These vulnerabilities have been reported to MSC, but so far, no action has been taken.