Put.io API design issues - I can haz your files

Put.io is a great torrent cloud storage service that lets you stream videos almost instantly as you download them from a torrent.

Their API is pretty powerful, and allows easy integration into software, browser extensions and plugins for multimedia appliances. I was reading its documentation and unfortunately quickly found out that the design was open to sensitive data exfiltration by just making an unsuspecting logged-in user visit a malicious web page.

Furthermore, it was possible to perform actions on behalf of the user, such as sending and accepting friend requests, adding, deleting and sharing files and folders, and so on.

Update - Put.io response: Hasan from Put.io quickly replied to my email and confirmed they were working on a fix. On August 6 they confirmed they had dropped JSONP and cookie authentication from the API endpoints completely. Thanks put.io, great job!

That looks bad. How come?

This is because they used to allow JSONP, which is cross-site script inclusion (XSSI) by design, on tokenless requests, relying on cookie authentication only. Furthermore, several actions with side effects were vulnerable to cross-site request forgery (XSRF).

For instance, I found out that POST/GET /friends/<username>/request worked with just the cookie (and no token).

This means that any HTML page on the web could do this:

<img src="https://api.put.io/v2/friends/mikispag/request">

and any user logged in to put.io who loaded that page would send a friend request to me. This is an XSRF vulnerability, and there were many more.

As I previously said, JSONP is XSSI by design. This means that if you put sensitive data in the output of a JSONP endpoint, and the request does not need any token, any site can read (and log/exfiltrate) the response via the callback function.
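To make both problems concrete, here is an added illustration that is not Put.io's code and not part of the original post: a small in-memory model of an API endpoint, first with the flawed design just described (JSONP plus cookie-only authentication, so a cross-site `<img>` or `<script>` tag can both trigger an action and read the response), then with the hardened design Put.io moved to (no JSONP, an API token required in a header, so the cookie alone proves nothing). The session store, token, user record and the `/v2/account/info` path are constructed sample data.

```javascript
// Added example, not Put.io's code. Constructed sample data:
const SESSIONS = { "sid-123": "alice" };   // session cookie value -> username
const TOKENS = { "tok-abc": "alice" };     // API token -> username
const USERS = {
  alice: { username: "alice", email: "alice@example.invalid", friends: [] },
};

// Parse a "k=v; k2=v2" Cookie header into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, v] = part.trim().split("=");
    if (k) out[k] = v;
  }
  return out;
}

// Flawed design: identity comes from the session cookie alone, and a
// ?callback= parameter turns the JSON body into a JSONP response that a
// <script src> on any origin can include. Browsers attach cookies to
// cross-site <img>/<script> loads, so any page can read the data (XSSI) and
// trigger the friend request (XSRF) without the user noticing.
function vulnerableApi(req) {
  const user = SESSIONS[parseCookies(req.headers.cookie).session];
  if (!user) return { status: 401, body: "" };
  let payload;
  if (req.path === "/v2/account/info") {
    payload = USERS[user];
  } else if (req.path.startsWith("/v2/friends/") && req.path.endsWith("/request")) {
    USERS[user].friends.push(req.path.split("/")[3]); // side effect on a plain GET
    payload = { status: "OK" };
  } else {
    return { status: 404, body: "" };
  }
  const json = JSON.stringify(payload);
  const cb = req.query && req.query.callback;
  return { status: 200, body: cb ? `${cb}(${json});` : json };
}

// Hardened design: the caller must send the API token in an Authorization
// header. Cross-site <img>, <script> and <form> submissions cannot set custom
// headers, so the cookie on its own is worthless. The callback parameter is
// ignored (plain JSON only), so nothing is readable via script inclusion.
// Requiring POST for state changes is defence in depth only: a cross-site
// HTML form can POST, so the token check is what actually stops XSRF.
function hardenedApi(req) {
  const auth = req.headers.authorization || "";
  const user = auth.startsWith("Bearer ") ? TOKENS[auth.slice(7)] : undefined;
  if (!user) return { status: 401, body: "" };
  if (req.path === "/v2/account/info") {
    return { status: 200, body: JSON.stringify(USERS[user]) };
  }
  if (req.path.startsWith("/v2/friends/") && req.path.endsWith("/request")) {
    if (req.method !== "POST") return { status: 405, body: "" };
    USERS[user].friends.push(req.path.split("/")[3]);
    return { status: 200, body: JSON.stringify({ status: "OK" }) };
  }
  return { status: 404, body: "" };
}

// What the victim's browser sends for an <img src> or <script src> placed on
// a third-party page: the victim's cookie, always GET, no custom headers.
function crossSiteGet(path, query) {
  return { method: "GET", path, query, headers: { cookie: "session=sid-123" } };
}

// Run the same cross-site requests against both designs and report results.
function demo() {
  USERS.alice.friends = []; // reset so repeated runs are deterministic
  // Flawed: the attacker's <script> tag receives cb({...}) with account data.
  const leak = vulnerableApi(crossSiteGet("/v2/account/info", { callback: "cb" }));
  // Flawed: an <img> load silently files a friend request.
  vulnerableApi(crossSiteGet("/v2/friends/mikispag/request"));
  // Hardened: both requests are refused, since no token accompanies the cookie.
  const blockedRead = hardenedApi(crossSiteGet("/v2/account/info", { callback: "cb" }));
  const blockedWrite = hardenedApi(crossSiteGet("/v2/friends/mikispag/request"));
  // Hardened: a legitimate client with the token gets plain JSON, no JSONP wrapper.
  const tokenRead = hardenedApi({
    method: "GET", path: "/v2/account/info", query: { callback: "cb" },
    headers: { authorization: "Bearer tok-abc" },
  });
  return { leak, blockedRead, blockedWrite, tokenRead, friends: USERS.alice.friends.slice() };
}
```

Calling `demo()` shows the flawed handler returning `cb({...})` with the account record and quietly adding a friend, while the hardened handler answers both cookie-only requests with 401 and serves the token-bearing client plain JSON regardless of the `callback` parameter. Dropping cookie authentication from the API entirely, as Put.io did, removes the ambient credential that made both the XSSI and the XSRF work.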

I prepared a harmless proof of concept to demonstrate how bad this was. Of course it no longer works, but it was meant to be opened in a browser in which you are logged in to put.io:

It will print your username, email address, data plan with its expiration date and disk usage, and by visiting that web page you have just sent a friend request to me, shared all your files with every friend, downloaded the pilot of Mr. Robot to your root folder and created a “HACKED” directory. All the data could also have been logged to a remote database, of course.

It does not require any user interaction; it is just a matter of visiting a URL.

HTML code for the Proof of Concept