Godaddy User Emails Leaked Due To API Misconfiguration
Description:
A vulnerability has been discovered in the POST /v3/membership/check_v_pin_new HTTP/1.1 request to the Host: api.go.co, which can potentially leak sensitive information, including the email address associated with the user_id.
By changing the “user_id” parameter in the request from a legitimate value to “1”, it is possible to leak sensitive information.
Steps to Reproduce:
- Go to https://www.go.co/freebies/signup.
- Enter a valid, non-registered email address and intercept the HTTP request.
- Send the request to the intruder/repeater and start to brute-force.
Original HTTP Request:
POST /v3/membership/check_v_pin_new HTTP/1.1
Host: api.go.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 32
Origin: https://www.go.co Connection: close
Referer: https://www.go.co/
Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
{
“user_id”:”33054",”pin”:”1234”
}Modified HTTP Request:
HTTP Response with leaked E-mail:
Similarly, we can brute-force the user ID, which may lead to massive email leakage.
Impact: This vulnerability can result in the massive email leakage of personal and confidential information contained in emails. This information can be used for malicious purposes, such as identity theft, fraud, phishing attacks, and spam.
Timeline:
- 30th Jan, 2022: Report sent to GoDaddy VDP.
- 31st Jan, 2022: First response from H1 triage and marked as Pending Program review.
- 2nd Feb, 2022: Triaged by GoDaddy Team.
- 1st March, 2022: Fixed by GoDaddy Team.
