Fastly Secret Disclosure
Fastly suffers from the poor practice of sending a temporary password in plaintext.
In correspondence, Fastly declined to comment on the newly discovered vulnerabilities within their website.
Poor practices regarding password changes:
- Reset user password
- Access link sent
- Temporary password sent plaintext
// HTTP POST request
POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[…]
[…]
{"g-recaptcha-response":"03AFY_a8UY[…]"}
[…]
// HTTP response
HTTP/2 200 OK
Cache-Control: no-store
[…]
// HTTP GET request
GET /auth/user/3lWtx49FrV2…/password/reset/f496875e6e1d88d80aa5…/1677948661/2f2ea8d230adaf03bd749081d… HTTP/2
Host: manage.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[…]
// HTTP response
HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600
[…]
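For a reviewer, the detail worth noting in the two responses above is the cache directive: the reset-request response is sent with "Cache-Control: no-store", while the response to the reset link is sent with "Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600". The script below is an added example, not code from the original write-up and not Fastly's own: it parses a raw response as captured above and reports Cache-Control directives a reviewer would not expect on a password-reset response. The sample texts are constructed to carry the header values shown above; the Content-Type lines, the list of sensitive path fragments and the placeholder path segments are assumptions. The capture shows only the headers, not whether any intermediary actually stored the page, and the check reads only the headers.

```python
# Added example (not from the original write-up and not Fastly's code): a review check
# that parses a raw HTTP response and reports Cache-Control directives that should not
# appear on a password-reset response. Sample texts are constructed to carry the
# Cache-Control values shown in the write-up; paths use placeholders where the write-up
# truncates the real values.

# Path fragments treated as authentication-sensitive (assumed list).
SENSITIVE_PATH_MARKERS = ("/password/", "/oauth/", "/auth/")

# Constructed samples. Cache-Control values match the write-up; Content-Type is assumed.
REQUEST_RESET_PATH = "/user/<email>/password/request_reset"
REQUEST_RESET_RESPONSE = """HTTP/2 200 OK
Cache-Control: no-store
Content-Type: application/json
"""

RESET_LINK_PATH = "/auth/user/<user-id>/password/reset/<token>/<timestamp>/<signature>"
RESET_LINK_RESPONSE = """HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600
Content-Type: text/html
"""


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values from a raw response text. A line that
    starts with whitespace is folded into the previous header as a wrapped continuation."""
    headers = {}
    last = None
    for line in raw.splitlines()[1:]:        # first line is the status line
        if not line.strip():
            break                             # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def cache_findings(path: str, headers: dict) -> list:
    """Return review findings for the Cache-Control header of a response on a
    sensitive path; an empty list means nothing to report."""
    if not any(marker in path for marker in SENSITIVE_PATH_MARKERS):
        return []
    directives = {}
    for item in headers.get("cache-control", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name.lower()] = value
    findings = []
    if "no-store" not in directives:
        findings.append("cache-control lacks no-store")
    if "public" in directives:
        findings.append("cache-control allows shared caches (public)")
    max_age = directives.get("max-age", "")
    if max_age.isdigit() and int(max_age) > 0:
        findings.append(f"cache-control max-age={max_age} permits reuse")
    return findings


if __name__ == "__main__":
    for path, raw in ((REQUEST_RESET_PATH, REQUEST_RESET_RESPONSE),
                      (RESET_LINK_PATH, RESET_LINK_RESPONSE)):
        print(path, "->", cache_findings(path, parse_headers(raw)) or ["ok"])
```

The same parser can be pointed at any captured response; only the path markers decide whether the Cache-Control rules are applied, so static assets served with public caching are not reported.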
Weak password requirements
- Login to user account
- Click Account -> Personal Profile
- Select Change Password -> Current Password -> FastLy%2540!1M
- Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P
- Select Sign Out Option
- Login with new password
// HTTP POST request
POST /oauth/password HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[…]
[…]
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%40gmail.com
[…]
// HTTP response
HTTP/2 401 Unauthorized
Status: 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
[…]
[…]
{"msg":"Token 3kzBPKXbsbtZBl9…"}
[…]
// HTTP POST request
POST /oauth/access_token HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[…]
[…]
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%40gmail.com
[…]
// HTTP response
HTTP/2 200 OK
Status: 200 OK
[…]
[…]
{"id":"7IU53vPHZ…",
"name":"manage.fastly.com browser session",
"user_id":"3lWtx49FrV…",
"customer_id":"535znFHg…",
[…]
"token_type":"bearer",
"scope":"global",
"services":[],
"access_token":"qwdBQF43O…"}
[…]
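The sequence above shows the change-password request carrying the new value "P.P.P.P.P.P.P" and a later login with that value succeeding. The following is an added example, not code from the original write-up and not Fastly's own: a server-side policy check of the kind that rejects such a value, because it is built from two characters repeated and covers only two character classes. The thresholds (minimum length, distinct characters, character classes, shortest allowed repeating unit) are assumptions chosen for illustration, and the second candidate value is constructed.

```python
# Added example (not Fastly's code and not from the original write-up): a password-policy
# check that rejects the value "P.P.P.P.P.P.P" accepted by the change-password request
# shown above. All thresholds are assumptions chosen for illustration.
import re

MIN_LENGTH = 12        # assumed minimum length
MIN_DISTINCT = 5       # assumed minimum number of distinct characters
MIN_CLASSES = 3        # assumed: at least 3 of upper / lower / digit / symbol
MIN_REPEAT_UNIT = 4    # assumed: reject values built by repeating a unit shorter than this


def repeating_unit(s: str) -> str:
    """Shortest prefix u such that s is u repeated, allowing a partial final copy.
    'P.P.P.P.P.P.P' -> 'P.'; a non-repetitive string is returned unchanged."""
    for k in range(1, len(s)):
        if all(s[i] == s[i % k] for i in range(len(s))):
            return s[:k]
    return s


def character_classes(s: str) -> int:
    """Count how many of the four classes (upper, lower, digit, other) occur in s."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, s))


def policy_violations(pw: str) -> list:
    """Return the rules pw breaks; an empty list means the value is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    unit = repeating_unit(pw)
    if len(unit) < MIN_REPEAT_UNIT:
        problems.append(f"repetition of the {len(unit)}-character unit {unit!r}")
    return problems


if __name__ == "__main__":
    # First value is the one from the write-up; the second is constructed.
    for candidate in ("P.P.P.P.P.P.P", "Tq7#vLm2$pXz9wR"):
        found = policy_violations(candidate)
        print(candidate, "->", "accepted" if not found else "; ".join(found))
```

Note that the 13-character value passes a length-only rule, which is why the check also looks at distinct characters, character classes and repetition: a policy that measured length alone would accept it exactly as the endpoint above did.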