This is how (easily) Indiamart gave away access to their Internal corporate secrets and Dev Instances - Andmp | A blog about infosec, bug hunting and more!

"Good artists copy; great artists steal."

Just another web hacking and vulnerability research blog that details how I use existing knowledge and old ways to discover new vulns ;)

Breaking

ad

Post Top Ad

Tuesday 23 April 2019

This is how (easily) Indiamart gave away access to their Internal corporate secrets and Dev Instances

I tried to reach out to the IndiaMart folks regarding the security issues I found there but sadly didn't find a proper channel to report them.  (with the help of Mohit Kumar, editor of THN, a contact was established with the company today, after all my efforts to reach out to them went in vain) As a result, I 'm taking to Twitter and using this blog post as a medium to reach out to all those top companies who have a large number of users but apparently don't care about secure practices. I hope this blog post raises awareness about such issues, since many companies continue to expose sensitive parts of their infrastructure and customer data, and as such this may serve as an eye-opener for them.


Another interesting point to note here is that AFAIK the Indian NCIIPC or, CERT-IN don't have any full disclosure/even proper responsible disclosure guidelines for reporting issues to private companies, or,  any guidelines concerning the time frame that both parties should follow/agree to before disclosing a (reported) issue. In my opinion, they should implement some policies for large companies to follow/adhere to while dealing with security incidents or, reporting security vulnerabilities in their products/infrastructure. So, I would say this way of fully disclosing issues is currently the best option to get things resolved/fixed until some policies regarding the same are brought into effect. This is how I would justify the ethics of this disclosure, if one likes to take that into account. (although this issue was hastily fixed by the company just before publication of this blog post)

Numerous such cases of breach and violent full disclosures can be referred to, to learn from. The most recent being that of Justdial who had an access control bug in an API, where the researcher failed to find a way to responsibly report and disclose the issue to the company which obliged him to publicly fully disclose it. Thus, proper policies and guidelines are needed speaking of reporting and coordinated disclosure of security issues.


Intro

Indiamart is a popular Indian e-commerce platform for B2B as well as B2C sales. It holds an Alexa rank of  ~742 (as of writing this)

(From Wikipedia)

In 2014, IndiaMART's portal handled 200 crore in revenue[6] and 20,000 crore in sales.[7][8]According to a news in Economic Times, as of 2012 IndiaMART was India's largest online marketplace[9][10] and world's second-largest B2B marketplace after Alibaba.[11][12]IndiaMART's e-commerce portal Tolexo was launched in 2014.

In early 2009, the firm received 50 crore Series A round funding from Intel Capital, a part of which was invested in IndiaMART, One97 Communications and Global Talent Track.[1][24][25][26] In March 2016, it raised Series C Funding from Amadeus Capital Partners and Quona Capital. It is claimed that these funds will be used to scale up the activities of IndiaMART and Tolexo.[27] In June 2018 IndiaMART has filled draft papers with SEBI to raise $88.24 million through IPO and list on NSE and BSE exchange.[28]


Hence, we may expect them to be mindful about the security of their sensitive internal infrastructure, taking all this into consideration, but the reality is strikingly, quite different.

Gist

I found my way through various private and sensitive internal infrastructure belonging to Indiamart quite easily. This was accomplished in hardly a few minutes of casual reconnassance, because they hardly followed any security practices, speaking of their overall infrastructure.

  • Firewalls and VPN only access to internal infrastructure was missing
  • No authentication required on the most sensitive endpoints
  • Weak credentials on endpoints and only using basic authentication where one might consider adding 2FA and restrict access to certain internal IP ranges as well.

Think of an external adversary in my place, what would he have done? Is your data secure with Indiamart's security practices (of whose example we got here)?


Issues discovered

  • Weak credentials on all dev/developer instances/subdomains, letting an external attacker gain easy access to these restricted servers. Ideally, only developers must have access to them, and they should not be kept open on the internet, the company in question should have made these accessible only through a VPN, internally among their employees. But, shockingly they just had a Basic Authentication in place, with these credentials,  --  username:password -> admin:admin
    Is it that hard to guess the credentials? The username and password both were simply "admin", cool, right?


  • Finally, their employee wiki or, knowledge base was publicly accessible without any authentication. This is pretty serious. Ask how?   
      Their internal employee knowledge base/wiki   https://kb.indiamart.com allows unauthenticated users to view it, which is meant for their employees and should have been only internally accessible. But this isn't the case, it's accessible publicly and anyone on the internet has access to these corporate secrets of Indiamart.

Through this knowledge base, employees could access internal confidential/sensitive details on how to deal with issues. For example, it contained instructions for lead managers, and so on.

In the past I had also come across an old endpoint in one of their applications that had an access control flaw leading to exposure of user details via victim user's registered phone number, but it seems to be down currently. I no longer retain the details on that.

PoC

For the knowledge base issue, this page for example, details some internal procedures for an Indiamart employee about Login issues, 



Company's internal knowledge base is strictly for internal private usage and shouldn't be publicly accessible as such

Issue with Dev instances: Upon trying these credentials,
         Username: admin
         Password : admin
on these subdomains/Dev instances, one gets access to them,

https://dev-*.indiamart.com

like, https://dev-seller.indiamart.com
        https://dev-paywith.indiamart.com

Here, "*" means a wildcard, and can be replaced with paywith, seller and other applications of Indiamart.

How I discovered it?

Using subdomain enumeration I obtained the subdomains (including internal ones that weren't firewalled) of IndiaMart. From here on, it was just a matter of luck and lack of security on the part of Indiamart that led me to discover these vulnerabilities.

SecurityTrails is just a great, and handy tool for performing quick passive reconnaissance and subdomain enumeration like this. 

Takeaways

  • Setup a VPN to shield off your internal infrastructure meant for employee-only access. Don't allow public access to them.
  • Use strong credentials and 2FA on sensitive and restricted endpoints. 

Special Credits 

I would like to thank Mohit Kumar of THN, who helped in responsible disclosure of this vulnerability and, a contact was made with an IndiaMart employee who quickly fixed all the issues.

Fix

As of writing this, all issues were temporarily fixed and the dev instances are now inaccessible. However, part of the fix is still insufficient in my opinion. 

Rewards

None as of yet. They haven't even sent a proper official acknowledgement letter to thank me for reporting the above issues.

What more could you expect from a ~20 year old multi-million dollar Indian E-commerce giant after reporting severe issues like these?










No comments:

Post a Comment

Let me know what you felt after reading the article!

Post Bottom Ad

Pages