I’ve found another IDOR vulnerability (Insecure Direct Object Reference) in Shodan, the popular search engine for internet-connected devices. This flaw lets users generate detailed reports or access restricted query results without proper authentication or permissions. In short, it’s a textbook case of broken access control, putting sensitive data at risk of exposure to unauthorized users.
This isn’t my first time discovering an IDOR issue on Shodan. Following my previous finding, I’ve now identified another major vulnerability, which points to ongoing problems with their access control mechanisms.
SHODAN — INSECURE DESIGN BROKEN ACCESS CONTROL | by MixBanana | Dec, 2024 | Medium
Affected Feature
Report Generation and Access
- Endpoint: https://www.shodan.io/search/report?query=
- Parameter: query
- Accessible to: Academic Users, Small Business API Subscription, and up.
How It Works
The vulnerability lies in how Shodan handles its query parameter. By tweaking this parameter in the report generation URL, users can bypass access controls and retrieve detailed Shodan reports. Normally, this feature is exclusive to registered or paid accounts, but with this flaw, anyone can access it.
Proof of Concept (PoC)
Steps to Exploit:
- Go to this URL: https://www.shodan.io/search/report?query=vuln%3Acve-2021-34473
- Replace the query parameter with any search term of your choice. For example, change vuln%3Acve-2021-34473 to query=vuln:cve-2023-12345 to fetch reports about a specific CVE.
Example URLs:
- To pull vulnerability data: https://www.shodan.io/search/report?query=vuln%3Acve-2023-12345
- To pull honeypot reports: https://www.shodan.io/search/report?query=tag%3Ahoneypot
Impact
Here’s why this vulnerability is a big deal:
- Unauthorized Access: Anyone can generate detailed Shodan reports, bypassing paid membership tiers.
- Sensitive Data Exposure: The flaw allows unrestricted access to powerful data aggregation tools.
- Potential for Malicious Use: The data could be exploited for harmful purposes, like targeting vulnerable devices.
Credits: Sahar Shlichove.