BIG SECURITY ISSUE WITH HUNTRESS SAT API
Radu Stănciulescu
Hello Team,
I also reported this by e-mail but it fell on deaf ears. Today I discovered other security issues with the Huntress SAT API.
If you really give a dime about security please start working on them:
- API scoping is dynamic when it shouldn't be. This means that if someone gets the API client ID and secret they can elevate permissions (and it's not hard at all to get the secret, as you'll see below). Let's say I create a client and then, through a breach, an attacker gets hold of the client ID and password: using the Huntress documentation they can add more scopes, thus allowing them to move laterally. (E.g. let's say I use the client with scope learners:manage to add new learners. If someone gets the client app and password, using the Huntress API reference they can elevate the client's scope to assignments:learner-activity to check each user's training results and send phishing e-mails to the ones with lower results, which significantly increases the chances of a second breach.)
- Client secrets can be viewed at any time. The secrets should only be viewable at creation time, and this has been the default for all modern apps for ages. This limits the window of opportunity in case of a breach. Without it, attackers can maintain persistence without anyone even noticing.
Dima Kumets [Product Manager - Huntress]
Merged in a post:
Unsecure scope management
Radu Stănciulescu
Hello Team,
When you create an API client and password you are not allowed to select the scope, which is set up at runtime when requesting an access token. The issue with this approach is that, in case an attacker gets the credentials, they can easily change the scopes, thus allowing them to move laterally, e.g. get the results of all phishing/training campaigns and target specific users, which can lead to other breaches. Besides that, there's a real possibility of an insider threat doing something malicious: a disgruntled IT worker who has access to the credentials and decides to change the scope in order to gain unauthorized access to training data, etc.
Imagine if this mechanism worked at Microsoft and you had a client app that only has mail.read permissions, and someone, just by reading the documentation, could elevate to global admin.
App scoping should be decided at client creation time, not dynamically.
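To make the design point in the two posts above concrete, here is an added example that is not code from Huntress or from the poster: a toy client-credentials token endpoint with the two policies side by side. The dynamic-scope policy grants whatever scope the caller asks for at token time; the bound-scope policy refuses anything outside the scope set fixed when the client was registered, and the registry keeps only a hash of the secret so there is nothing to "view" later. The scope names learners:manage and assignments:learner-activity come from the thread; the client ID svc-onboarding, the class and function names, and the token format are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AuthError(Exception):
    """Client ID unknown or secret does not match."""


class ScopeError(Exception):
    """Requested scope is outside what the client was registered with."""


@dataclass(frozen=True)
class Client:
    client_id: str
    secret_hash: str           # only a hash is retained; the plaintext is never stored
    allowed_scopes: frozenset  # fixed at registration, not at token-request time


def _hash_secret(secret: str) -> str:
    # Secrets here are 256-bit random values, so SHA-256 is adequate; a slow
    # password hash is only needed for low-entropy, human-chosen secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


class ClientRegistry:
    """Registration store: scopes are bound to the client when it is created."""

    def __init__(self) -> None:
        self._clients: dict[str, Client] = {}

    def create_client(self, client_id: str, allowed_scopes) -> str:
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = Client(
            client_id, _hash_secret(secret), frozenset(allowed_scopes)
        )
        return secret  # the only moment the plaintext exists outside the caller

    def get(self, client_id: str) -> Client:
        return self._clients[client_id]

    def authenticate(self, client_id: str, secret: str) -> Client:
        client = self._clients.get(client_id)
        # Always run the constant-time compare (against a dummy hash for unknown
        # IDs) so response timing does not reveal whether the client exists.
        expected = client.secret_hash if client else _hash_secret("")
        ok = hmac.compare_digest(expected, _hash_secret(secret))
        if client is None or not ok:
            raise AuthError("invalid client credentials")
        return client


def issue_token_dynamic_scope(registry, client_id, secret, requested_scopes) -> dict:
    """Weak policy: whatever scope is requested at token time is granted."""
    client = registry.authenticate(client_id, secret)
    return {"client_id": client.client_id, "scope": sorted(set(requested_scopes))}


def issue_token_bound_scope(registry, client_id, secret, requested_scopes) -> dict:
    """Hardened policy: requested scope must be a subset of the registered scope."""
    client = registry.authenticate(client_id, secret)
    requested = frozenset(requested_scopes)
    excess = requested - client.allowed_scopes
    if excess:
        raise ScopeError(f"scope(s) not granted to this client: {sorted(excess)}")
    return {"client_id": client.client_id, "scope": sorted(requested)}


if __name__ == "__main__":
    reg = ClientRegistry()
    # Constructed client: an onboarding integration that only needs learners:manage.
    onboarding_secret = reg.create_client("svc-onboarding", {"learners:manage"})

    print("dynamic policy:", issue_token_dynamic_scope(
        reg, "svc-onboarding", onboarding_secret, ["assignments:learner-activity"]))
    try:
        issue_token_bound_scope(
            reg, "svc-onboarding", onboarding_secret, ["assignments:learner-activity"])
    except ScopeError as err:
        print("bound policy refused:", err)
    print("bound policy, registered scope:", issue_token_bound_scope(
        reg, "svc-onboarding", onboarding_secret, ["learners:manage"]))
```

Under the dynamic policy a leaked credential for the onboarding client yields a token with assignments:learner-activity, which is exactly the escalation the posts describe; under the bound policy the same request is rejected at the token endpoint, and because the registry holds only the hash, no later API call or UI can hand the plaintext secret back out.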
Dima Kumets [Product Manager - Huntress]
Thank you for the heads up. Engineering will review this with the internal security team. However, I want to point out that the Huntress SAT/Curricula API does not have the capabilities to manage learners. It is pretty limited in scope with little opportunity for "lateral movement."