I found a vulnerability in the popular Shodan platform that allows anyone to use some membership-only features without even having a registered account. The author classifies it as an instance of Insecure Direct Object References (IDOR), a common access-control weakness that exposes data meant for a restricted audience.
Affected membership packages: Academic Users, Small Business API Subscription, and up.
Restricted filters involved: vuln (Restricted), tag (Restricted)
How It Works: The URL parameters of the facet search endpoint can be tampered with to bypass access controls and retrieve information intended for higher-tier members. For example, placing a restricted filter in the query parameter and adding a facet parameter groups the result set by IP address, an action that normally requires a paid membership, yet the request is honoured with no account at all.
IDOR Links:
You can use any Shodan query filter without a registered Shodan account, including the enterprise-only filters such as ‘vuln’ or ‘tag’:
- https://www.shodan.io/search/facet?query=vuln%3Acve-2021-34473&facet=ip
- https://www.shodan.io/search/facet?query=tag:honeypot&facet=ip
(Change the CVE you want to search for in the URL; you can also choose how the list is grouped with the facet parameter. In this example I grouped the results by IP address.)
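The root cause described above is that the facet endpoint trusts the URL to decide who may use the ‘vuln’ and ‘tag’ filters and the facet grouping, instead of deciding that on the server from the authenticated session. The following Python is an added example and not Shodan's code: it parses the two request URLs listed above, identifies the restricted filters in the query string, and shows a missing check beside a server-side authorization check. The tier names and the "facet requires membership" rule are assumptions for the example; only the filter names and URLs come from the page.

```python
"""Server-side entitlement check for a faceted-search endpoint (example code).

Models the flaw in the write-up above: the endpoint honoured restricted filters
and the ``facet`` parameter for requests that carried no entitled session.
The fix is to compute entitlement from the authenticated principal on the
server, never from anything the client places in the URL.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Filters the write-up lists as restricted. Everything else is treated as public
# here; the real entitlement table is an assumption, not taken from the page.
RESTRICTED_FILTERS = frozenset({"vuln", "tag"})

# Hypothetical tier identifiers loosely named after the packages the page lists.
ENTITLED_TIERS = frozenset({"academic", "small_business", "enterprise"})

# The two request URLs quoted in the write-up, used here as sample input.
URL_VULN = "https://www.shodan.io/search/facet?query=vuln%3Acve-2021-34473&facet=ip"
URL_TAG = "https://www.shodan.io/search/facet?query=tag:honeypot&facet=ip"

_FILTER_TOKEN = re.compile(r"([A-Za-z_][\w.]*):")


@dataclass
class Session:
    user_id: Optional[str]  # None means an anonymous request
    tier: Optional[str]


@dataclass
class Decision:
    allowed: bool
    reason: str


def filters_in_query(query: str) -> set[str]:
    """Return the filter names used in a space-separated ``name:value`` query."""
    names: set[str] = set()
    for token in query.split():
        token = token.lstrip("-")  # a negated filter still consults the same index
        match = _FILTER_TOKEN.match(token)
        if match:
            names.add(match.group(1).lower())
    return names


def parse_request(url: str) -> tuple[str, Optional[str]]:
    """Extract the decoded ``query`` text and the ``facet`` parameter from a URL."""
    params = parse_qs(urlsplit(url).query)
    query = " ".join(params.get("query", []))
    facet = params.get("facet", [None])[0]
    return query, facet


def authorize_vulnerable(session: Session, url: str) -> Decision:
    """Before: the handler never consults the session, so the URL alone decides."""
    return Decision(True, "no entitlement check performed")


def authorize_fixed(session: Session, url: str) -> Decision:
    """After: restricted filters and faceting require an entitled, authenticated user."""
    query, facet = parse_request(url)
    restricted = filters_in_query(query) & RESTRICTED_FILTERS
    needs_membership = bool(restricted) or facet is not None  # assumption: faceting is paid
    if not needs_membership:
        return Decision(True, "public query")
    if session.user_id is None:
        return Decision(False, "authentication required")
    if session.tier not in ENTITLED_TIERS:
        missing = sorted(restricted) if restricted else ["facet"]
        return Decision(False, f"tier '{session.tier}' is not entitled to: {missing}")
    return Decision(True, "entitled")


if __name__ == "__main__":
    anonymous = Session(None, None)
    for url in (URL_VULN, URL_TAG):
        print("vulnerable:", authorize_vulnerable(anonymous, url))
        print("fixed:     ", authorize_fixed(anonymous, url))
```

The decisive line is that ``authorize_fixed`` derives ``needs_membership`` from the parsed request and then checks the session, so a client cannot gain a restricted filter by editing the URL; a log entry for every ``Decision(False, ...)`` on this endpoint also gives defenders a cheap detection signal for tampering attempts.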
Proof of Concept (PoC):
Reporting and Responses
I immediately reported this issue to the Shodan platform owners, and they acknowledged the vulnerability.
Credits: Sahar Shlichove.