User id hunting

We then tried to find a user list, or anything else that would let us look up a user id by providing some user info. Password reset could enumerate users by email, and the share-device feature could also confirm a user's existence by email or phone, but both returned only a status code and nothing more useful. We were pretty disappointed, as we had a pretty nice bug that we couldn't really use. At that point George found out that our existing credentials also worked on ezvizlife.com. Ezviz is a different (older?) cloud service for Hikvision which is mostly ActiveX, so it needed Internet Explorer on Windows (and no Chrome or Firefox tools).

So let's fire up a virtual machine and explore it! It's mostly the same functionality, BUT it also has another feature: you can mark a user as a friend with no interaction needed from the other user, just by knowing the email or phone that the other user used upon registration (the search used the endpoint queryByMobile.json and returned the same status codes as the search on the hik-connect.com site).

Adding a friend

After befriending the user we saw an MD5 hash in the URL and started celebrating, but that was wrong (bummer…).

The not a friend request

After that, we explored a couple more ways of obtaining user ids, but everything was a dead end. After all that, we retried queryByMobile.json and it was returning WAY more than the usual status code (WTF just happened?). We re-validated, and yes, we have user ids…

The friend request

It seems that after you mark a user as a friend you can query them and get back a userDTO, which also contains the (wanted) user id! So now we can log in as any user as long as we have their email, phone number or username (the endpoint also returned data for usernames, although there was no UI for that) and impersonate them. That is highly critical, so we wrote a small report and sent it to Hikvision.
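As an added illustration of the two problems this write-up describes (the existence checks that reveal whether an account exists, and the friend lookup that hands out a login-capable user id without the target's consent), here is a constructed Python model with a vulnerable and a hardened version side by side. It is not Hikvision or Ezviz code; the endpoint name queryByMobile.json comes from the write-up, while the data model, function names and sample users are assumptions made for the example.

```python
"""Constructed model of the friend-lookup flaw described in the write-up.

Assumptions: the User record, the USERS directory and every function below are
hypothetical; only the endpoint name queryByMobile.json is from the write-up.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str       # internal id; the write-up says this alone was enough to log in as the user
    username: str
    email: str
    phone: str
    friends: set = field(default_factory=set)   # ids this user has marked as friends (one-sided)
    pending: set = field(default_factory=set)   # ids that asked to befriend this user
    accepted: set = field(default_factory=set)  # ids this user has explicitly accepted


# Constructed sample directory (not real accounts)
USERS = {
    "u1001": User("u1001", "alice", "alice@example.com", "+10000000001"),
    "u1002": User("u1002", "bob", "bob@example.com", "+10000000002"),
}


def _find(contact):
    """Look a user up by email, phone or username (the write-up says all three worked)."""
    for u in USERS.values():
        if contact in (u.email, u.phone, u.username):
            return u
    return None


# --- Vulnerable flow: models the behaviour described in the write-up ---------------

def vuln_add_friend(caller_id, contact):
    """Marks the target as a friend with no consent from the target."""
    target = _find(contact)
    if target is None:
        return {"status": "not_found"}
    USERS[caller_id].friends.add(target.user_id)
    return {"status": "ok"}


def vuln_query_by_mobile(caller_id, contact):
    """Bare status for strangers, but a full userDTO (with the login-capable id) once befriended."""
    target = _find(contact)
    if target is None:
        return {"status": "not_found"}       # differs from the 'exists' answer: account enumeration
    if target.user_id not in USERS[caller_id].friends:
        return {"status": "exists"}
    return {"status": "ok",
            "userDTO": {"userId": target.user_id, "username": target.username,
                        "email": target.email, "phone": target.phone}}


# --- Hardened flow: consent required, uniform answers, no internal id exposed --------

def safe_add_friend(caller_id, contact):
    """Files a pending request; the response is identical whether or not the contact exists."""
    target = _find(contact)
    if target is not None and target.user_id != caller_id:
        target.pending.add(caller_id)
    return {"status": "request_sent"}


def safe_accept_friend(user_id, requester_id):
    """The target must explicitly accept before anything about them becomes visible."""
    me = USERS[user_id]
    if requester_id not in me.pending:
        return False
    me.pending.discard(requester_id)
    me.accepted.add(requester_id)
    return True


def safe_query_by_mobile(caller_id, contact):
    """Returns profile data only after acceptance, and never the internal user id."""
    target = _find(contact)
    if target is None or caller_id not in target.accepted:
        return {"status": "no_result"}       # same answer for unknown and not-yet-accepted users
    return {"status": "ok", "profile": {"displayName": target.username}}
```

Two design points carry the fix. First, every response that an unauthenticated or unrelated caller can trigger (friend request, lookup) is the same whether or not the account exists, which closes the enumeration channel the password-reset and share-device checks opened. Second, an identifier that by itself authenticates a session is a credential, so the hardened lookup never returns it to another user even after consent; only a display handle is exposed.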