Disclaimer:
During my exploration of the websites for Moodi and Techfest, the cultural and tech festivals of IIT Bombay scheduled for December 2023, I discovered vulnerabilities. Despite multiple attempts to contact the technical and event coordinators for resolution, I received no response. I have shared the list of vulnerabilities with them. It's essential to clarify that my testing was conducted ethically, without any malicious intent. All identified vulnerabilities were tested on my fictitious accounts, ensuring the safety of real user accounts.
While registering for a Moodi event, I noticed a significant delay in the process. Intrigued by this anomaly, I inspected the network tab and discovered a pending response. Curiosity led me to delve deeper, uncovering a trove of vulnerabilities. Here's a breakdown of what I found.
The Vulnerabilities:
Moodi OTP Verification Bypass
When registering on Moodi at https://my.moodi.org/register, you enter an email and password and receive an OTP by email for verification. The problem is that the OTP is effectively validated client-side rather than server-side: the server returns the OTP itself in the response body of the /sendOtp request, so the client already holds the value it is supposed to prove it received by email.
Inspecting the network tab makes this obvious. Anyone who can read that response can submit the correct OTP without ever opening the inbox, which means any email address can be registered on Moodi and the OTP step provides no verification at all.
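The fix is for the server to keep the OTP secret: generate it, store only a salted hash with an expiry and an attempt limit, hand the clear value to the mail sender, and return nothing but a status to the client. The following is an added example of that pattern, written for this article; it is not Moodi's code, and the in-memory store, the `deliver` callback and the 5-minute / 5-attempt limits are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store keyed by email; a real service would use a
# database or cache. Each record holds only a hash of the OTP, never the OTP.
_PENDING = {}

OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess budget before the code is invalidated


def _hash_otp(email, otp, salt):
    """Salted hash so a leaked store (or a debug page) does not reveal codes."""
    return hashlib.sha256(salt + email.encode() + otp.encode()).hexdigest()


def send_otp(email, deliver):
    """Generate a 6-digit code, store its hash, and pass the clear value only
    to the mail-sending callback. The returned dict is what the HTTP client
    sees: it deliberately contains no OTP."""
    otp = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _PENDING[email] = {
        "hash": _hash_otp(email, otp, salt),
        "salt": salt,
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    deliver(email, otp)          # e.g. an email send; hypothetical callback
    return {"status": "sent"}


def verify_otp(email, submitted):
    """Server-side check: expiry, attempt limit, constant-time compare,
    single use. Returns True only for a live, correct, unused code."""
    rec = _PENDING.get(email)
    if rec is None:
        return False
    if time.time() > rec["expires"]:
        del _PENDING[email]
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _PENDING[email]
        return False
    ok = hmac.compare_digest(rec["hash"], _hash_otp(email, submitted, rec["salt"]))
    if ok:
        del _PENDING[email]      # a code verifies at most once
    return ok


if __name__ == "__main__":
    # Demo with a constructed mailbox standing in for email delivery.
    mailbox = []
    print(send_otp("user@example.com", lambda e, o: mailbox.append(o)))
    print("wrong code accepted:", verify_otp("user@example.com", "000000"))
    print("real code accepted:", verify_otp("user@example.com", mailbox[0]))
```

The client-visible response is `{"status": "sent"}` and nothing else; the only path to a valid code is the mailbox, which is the property the original endpoint lost by echoing the OTP back.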
HTML Injection in College Connect Program:
Moodi's College Connect program uses the https://jarvis.moodi.org/email/sendRegMail endpoint to send registration emails. The name field is not sanitized, so it is vulnerable to HTML injection: whatever markup is placed in the name is rendered in the message body. As a result, arbitrary HTML, including malicious content, can be delivered to a recipient in an email that genuinely originates from the official [email protected] address.
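The defence is to treat the name as text and escape it at the point where it is interpolated into the HTML template, with an input-side plausibility check as a second layer. The following is an added example written for this article, not the College Connect code; the template text and the name rules are assumptions.

```python
import html
import re

# Constructed stand-in for the registration email template. The real
# sendRegMail template is not known; the point is where `name` is interpolated.
TEMPLATE = "<p>Hello {name}, you are registered for College Connect.</p>"


def render_unsafe(name):
    """The vulnerable pattern: raw input becomes part of the HTML body, so
    any tags in `name` are rendered by the recipient's mail client."""
    return TEMPLATE.format(name=name)


def render_safe(name):
    """The fix: escape &, <, >, " and ' before interpolation so the input is
    displayed as literal text, whatever it contains."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Defence in depth at the input side: a person's name has no business
# containing angle brackets or control characters, and should be bounded.
_FORBIDDEN = re.compile(r"[<>\x00-\x1f\x7f]")


def is_plausible_name(name, max_len=100):
    """Reject names that carry markup or control bytes; accept ordinary
    Unicode names, including apostrophes and accents."""
    if not 1 <= len(name) <= max_len:
        return False
    return _FORBIDDEN.search(name) is None


if __name__ == "__main__":
    sample = "<b>Ravi</b>"          # constructed input carrying markup
    print("unsafe :", render_unsafe(sample))
    print("safe   :", render_safe(sample))
    print("accept :", is_plausible_name("Ravi Kumar"), is_plausible_name(sample))
```

Escaping at output is the control that actually closes the hole; the input check only narrows what reaches the template and makes injection attempts visible in logs.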
Techfest's Backend: CSRF Token Weakness
While exploring Techfest's backend, I found that an attacker could register other people for events without their permission. HTML injection did not work here, but there is a critical flaw in the CSRF token validation: the system checks that a token is valid, but never checks that the token was issued for the email address in the request. A token obtained for one account is therefore accepted for registrations on behalf of any other email.
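A token that is merely "valid" proves nothing about who it was issued to. The token must be bound to the identity it authorises, and the server must recompute that binding from the email it is about to act on. The following is an added example written for this article, not Techfest's code; the HMAC construction, the one-hour lifetime and the per-deployment key are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret. Generated here so the example runs stand-alone; a
# real service loads it from configuration and never from source.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600          # assumed token lifetime in seconds
CLOCK_SKEW = 60           # tolerate small clock differences


def _mac(email, ts):
    # The email is part of the signed message: that is the binding the
    # original check lacked. Normalise case so Alice@x and alice@x match.
    msg = f"{email.strip().lower()}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Return '<timestamp>.<hmac>' for this email."""
    ts = int(now if now is not None else time.time())
    return f"{ts}.{_mac(email, ts)}"


def verify_token(token, email, now=None):
    """Accept only if the token is well-formed, unexpired, and was issued for
    exactly this email. A valid token for another account fails."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if current - ts > TOKEN_TTL or ts > current + CLOCK_SKEW:
        return False
    return hmac.compare_digest(_mac(email, ts), mac)


def register_for_event(token, email, event):
    """Hypothetical handler: the email used for the registration is the one
    the token is checked against, so the two cannot be mixed and matched."""
    if not verify_token(token, email):
        return {"ok": False, "error": "token not valid for this email"}
    return {"ok": True, "registered": (email.strip().lower(), event)}


if __name__ == "__main__":
    t = issue_token("alice@example.com")
    print(register_for_event(t, "alice@example.com", "workshop-1"))
    print(register_for_event(t, "bob@example.com", "workshop-1"))
```

In a session-based app the email would normally come from the authenticated session rather than the request body at all; the binding shown here is the minimum needed when the endpoint insists on taking the email as a parameter.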
Techfest's Debug Mode Oversight
Techfest's website had a fundamental error: Django's debug mode was enabled in production. This is a severe oversight. Debug mode not only lists the available URL patterns but also shows full stack traces, source code snippets and backend settings on every error page. That information had been exposed for months and gave a detailed picture of the codebase, including the use of SQLite3, the Django version and even the IP address of the EC2 instance.
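The usual root cause is a settings module that defaults to `DEBUG = True` and relies on someone remembering to flip it. A settings loader that fails closed in production removes that dependency on memory. The following is an added example written for this article, not Techfest's settings; the environment variable names and the "production" marker are assumptions. Django's own `python manage.py check --deploy` performs a similar audit and is worth running in CI as well.

```python
# Pure-Python loader for the security-relevant Django settings. It reads an
# environment mapping so it can be exercised without Django installed.
# Assumed variables: DJANGO_ENV, DJANGO_DEBUG, DJANGO_ALLOWED_HOSTS,
# DJANGO_SECRET_KEY.


def env_flag(value):
    """Only an explicit '1', 'true' or 'yes' enables a flag; anything else,
    including an unset variable, is False. Debug is therefore opt-in."""
    return (value or "").strip().lower() in {"1", "true", "yes"}


def settings_error(env):
    """Return a description of the first fatal misconfiguration for a
    production environment, or None if the settings are acceptable."""
    if env.get("DJANGO_ENV", "").strip().lower() != "production":
        return None
    if env_flag(env.get("DJANGO_DEBUG")):
        return "DEBUG must be False in production"
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        return "ALLOWED_HOSTS must list the real hostnames, not '*'"
    if len(env.get("DJANGO_SECRET_KEY", "")) < 50:
        return "SECRET_KEY is missing or too short"
    return None


def build_settings(env):
    """Produce the values settings.py would assign. Raises in production
    rather than starting an app that would leak tracebacks and settings."""
    problem = settings_error(env)
    if problem is not None:
        raise RuntimeError(problem)
    return {
        "DEBUG": env_flag(env.get("DJANGO_DEBUG")),
        "ALLOWED_HOSTS": [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()],
        "SECRET_KEY": env.get("DJANGO_SECRET_KEY", ""),
    }


if __name__ == "__main__":
    import os
    # In settings.py this would be: DEBUG = ...; ALLOWED_HOSTS = ...; etc.
    print(build_settings(os.environ))
```

With this in place, a deployment that sets `DJANGO_ENV=production` and still has `DJANGO_DEBUG=true` refuses to start, which is a far cheaper failure than months of public tracebacks.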
Veronica Subdomain Exposure: Severe Data Breach
On the subdomain veronica.moodi.org, which hosts the backend of previous Moodi editions, I found a critical data breach. The /media/ route was accidentally exposed and served a .csv file containing personally identifiable information of 58k individuals from the last Moodi. A second .csv held the details of the 20k email addresses on their mailing list. Publicly serving exported user data of that size qualifies as a severe data breach.
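Beyond locking down the route, the durable control is to make sure data exports never sit under a publicly served directory in the first place, and to check for it routinely. The following is an added example written for this article, not anything from veronica.moodi.org: a small audit that walks a media root and flags files that look like exports or contain email- and phone-shaped values. The extension list and the PII heuristics are assumptions, and the sample tree it builds is constructed for the demo.

```python
import csv
import os
import re
import tempfile
from pathlib import Path

# Assumed set of extensions that should not appear under a public media root.
SENSITIVE_EXT = {".csv", ".xlsx", ".sql", ".sqlite3", ".db", ".json", ".log", ".bak"}
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")
PHONE_RE = re.compile(r"\b\d{10}\b")   # assumed 10-digit national numbers


def looks_like_pii_csv(path, sample_rows=20):
    """Heuristic: does any of the first rows carry an email or phone value?"""
    try:
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            for i, row in enumerate(csv.reader(fh)):
                if i >= sample_rows:
                    break
                text = ",".join(row)
                if EMAIL_RE.search(text) or PHONE_RE.search(text):
                    return True
    except OSError:
        pass
    return False


def audit_media_root(media_root):
    """Return sorted (relative_path, reason) pairs for files that should not
    be publicly served. Run this against MEDIA_ROOT before each deploy."""
    root = Path(media_root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        if ext not in SENSITIVE_EXT:
            continue
        reason = "sensitive extension"
        if ext == ".csv" and looks_like_pii_csv(p):
            reason = "csv containing email/phone-like values"
        findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_media_root():
    """Constructed media tree for the demo: one harmless image, one exported
    attendee list, one mailing-list dump. Returns the temp directory path."""
    root = Path(tempfile.mkdtemp(prefix="media_audit_"))
    (root / "photos").mkdir()
    (root / "photos" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "exports").mkdir()
    (root / "exports" / "attendees.csv").write_text(
        "name,email,phone\nA. Person,a.person@example.com,9876543210\n")
    (root / "exports" / "mailing_list.csv").write_text(
        "email\nlist.member@example.org\n")
    (root / "exports" / "seating.csv").write_text("row,seat\nA,1\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_media_root()
    for rel, why in audit_media_root(sample):
        print(f"{rel}: {why}")
```

The same walk can be pointed at an nginx or S3-backed media directory; anything it reports belongs behind an authenticated view or outside the web root entirely.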
Conclusion:
All identified vulnerabilities have been reported to the respective tech coordinators, and it is anticipated that they have been addressed. This case underscores the importance of incorporating basic cybersecurity principles, particularly when developing medium to large-scale projects. It serves as a stark reminder of the potential consequences of overlooking security measures in the digital landscape.