User Enumeration Vulnerability
It is possible to determine whether or not a given username is valid via the /api/req_reset_pwd endpoint on api.positivegrid.com.
If a username is valid, a 200 response is returned. If not, a 500 response is returned with a json body stating that the user does not exist.
Due to improper rate limiting (discussed further later in this document), it is possible for an actor to supply an arbitrary list of usernames/emails in order to determine a user's existence. This could facilitate a credential stuffing attack.
Lack of rate limit or captcha regarding account creation
User accounts are created by sending a POST request to the /v2/user endpoint on api.positivegrid.com. A sample request is as follows:
POST /v2/user HTTP/1.1
Host: api.positivegrid.com
Cookie: express:sess=redacted; express:sess.sig=redacted
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Spark/2.0.2 (com.positivegrid.jamupeditor; build:3846; iOS 14.3.0) Alamofire/4.8.2
Accept-Language: en-US;q=1.0
Content-Length: 162
Connection: close
[email protected]&full_name=bug%20hunters&password=password&username=username
As there is no captcha or validation process prior account creation/activation, it is possible for a malicious actor to create an arbitrary number of accounts. This is only limited by the services overall rate limiting, which is trivially bypassed and will be discussed later in this document.
Brute Forcing Passwords
Due to the lack of sufficient rate limiting, captchas, or other such limits, a malicious actor can attempt to brute force an account by submitting an arbitrary number of login requests such as the following:
POST /v2/auth HTTP/1.1
Host: api.positivegrid.com
Cookie: express:sess=redacted; express:sess.sig=redacted
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Spark/2.0.2 (com.positivegrid.jamupeditor; build:3846; iOS 14.3.0) Alamofire/4.8.2
Accept-Language: en-US;q=1.0
Content-Length: 47
Connection: close
password=password123e&[email protected]
Lack of sufficient rate limiting
The api.positivegrid.com endpoint does not appear to have sufficient rate limiting. About 500 requests are able to be send by a single IP address before hitting a limit and receiving a response stating that too many requests have been made. The limit appears to be reset within a minute or two of being hit, which immediately allows another 500 requests to be made. This means that a malicious actor can send an arbitrary number of requests by rotating requests between a small handful of ip address.
Potential Information Disclosure
While the Spark app does not currently have the ability to view other users' profiles, the profile image functionality could potentially cause an information disclosure of user information (namely the user's IP address) by forcing a client-side request to an arbitrary URL.
To demonstrate, when creating an account, it is possible to supply a "profile_image_url." When viewing your own profile (currently the only profiles viewable within the Spark app itself), a request is sent from the client application to the target URL.
The following request can be used to create a new account with a poisoned URL:
POST /v2/user HTTP/1.1
Host: api.positivegrid.com
Cookie: express:sess=redacted; express:sess.sig=redacted
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Spark/2.0.2 (com.positivegrid.jamupeditor; build:3846; iOS 14.3.0) Alamofire/4.8.2
Accept-Language: en-US;q=1.0
Content-Length: 162
Connection: close
[email protected]&full_name=bug%20hunter&password=password&username=username&&profile_image_url=https://somerandomtrackingsite.tld/
Possible disclosure of unreleased functionality
By utilizing the beta-api.positivegrid.com endpoint, it is possible create accounts as per the standard methods on api.positivegrid.com. This may lead to the exposure of unreleased functionality. For example, it appears as though the beta api indicates that user comments on tonecloud presets may be in development as per the "preset_comments" field below and other items on the preset endpoints themselves:
{"user_status":1,"user_role":1,"_id":"redacted","email":"[email protected]","id":"redacted","userprofile":{"full_name":"bug hunters","first_name":null,"last_name":null,"title":null,"gender":null,"profile_image_url":"https://somerandomtrackingsite.tld/","profile_thumb_url":null,"_id":"redacted","date_joined":"2022-01-12T20:28:48.299Z"},"presets":[],"preset_comments":[],"liked_presets":[],"num_preset_comments":0,"num_liked_presets":0}]
Other potential leaks include references to unreleased products, such as a Spark 10, which was confirmed to be the Spark Mini post-release.