Critical vulnerability on TP-Link service or how I got 0$
Introduction
As a dedicated security researcher, I often devote my spare time to exploring the world of bug bounty programs. While traditional platforms offer valuable opportunities, I also extend my investigations to public systems of popular vendors.
Recently, I made a discovery on a TP-Link subdomain that exposed highly sensitive user information that included plaintext passwords. Unlike some articles that begin with stories of substantial bounties, my story showcases the reality that sometimes all you receive is a simple “Thank you” instead of a monetary reward.
Nonetheless, I am pleased that security measures have been taken and this flaw has been rectified. Consequently, I am grateful for the opportunity to share my findings through this article.

The issue was reported to TP-Link. Proper security measures were taken before the publication. All information below has been appropriately censored to uphold confidentiality and maintain ethical standards.
Registration and Manual Account Review
I began the journey by registering on the TP-Link subdomain related to business customer service, expecting a seamless registration process.

However, upon completing the registration, a message appeared indicating that accounts undergo manual review before being approved.

And it was true: logging in with the freshly created account was impossible:

Bypassing account verification
To explore further, I decided to try to bypass the account verification stage.
By visiting the “forgot password” page and entering the registered email address, I requested a new password.

The email with a new temporary password was received:

Using the provided temporary password for login, I was directed to the profile edit page to set a new password.

This process successfully bypassed the manual approval step, highlighting a vulnerability. I was inside.

Leaking Sensitive Information
After gaining access to the account, I began inspecting the API calls made by the application. I discovered that the API request for retrieving profile information returned the plaintext password, which in itself posed a security risk.
However, I noticed that the profile information was requested by a user ID, which appeared to be an iterator.

I attempted to manipulate the user ID. By substituting different numbers in the API request, a critical flaw was exposed: the ability to access any user's info, including the admin user's credentials. It was an IDOR.
An IDOR (Insecure Direct Object Reference) vulnerability is a security flaw that occurs when an application allows direct access to internal objects or resources without proper authorization, enabling attackers to manipulate or access unauthorized data.

This means that by running a simple intruder attack, a malicious actor could download all user profiles along with their passwords. This vulnerability posed a severe threat to the privacy and security of users' information. Moreover, the risk is very high because this is an active resource used by TP-Link business customers.

Potential risks
- Account Takeover: By leveraging the compromised credentials, malicious actors can gain full control of user accounts, allowing them to manipulate settings.
- Data Breach: The leaked sensitive user information, including plaintext passwords, provides an avenue for unauthorized access to personal data. Malicious actors could exploit this information for identity theft, financial fraud, or other nefarious purposes.
- Social Engineering Attacks: Armed with user credentials, attackers can launch targeted social engineering campaigns. They might impersonate legitimate users, deceive others into revealing sensitive information, or gain trust to exploit individuals or organizations further.
- Password Reuse Attacks: Many individuals tend to reuse passwords across different accounts. Attackers can leverage the obtained credentials to attempt unauthorized access to other online services, potentially compromising additional accounts and sensitive information.
- System Compromise: With administrative credentials in hand, malicious actors can gain control over the underlying system infrastructure. This may lead to unauthorized modifications, data manipulation, or even complete system compromise, posing a significant threat to the organization and its users.
Reporting
Following the discovery of the critical security vulnerabilities on the TP-Link subdomain, I promptly reported the issue to TP-Link support. I am pleased to report that they acknowledged the seriousness of the matter and took immediate action to address the vulnerabilities.

Through their response, TP-Link demonstrated their commitment to ensuring the security and privacy of their users. I conducted a quick test to verify the effectiveness of the implemented security measures, and it seemed that the necessary steps had been taken to protect user information.
While this particular investigation did not result in a monetary reward, the satisfaction of knowing that I have contributed to making the digital world a bit more secure is invaluable.

🌐 My social networks: https://linktr.ee/s_novoselov