Unprotected API could expose names, places, times of bookings made using app

Easy!Appointments access control vulnerability exposed sensitive bookings info

An access control vulnerability in open source scheduling platform Easy!Appointments gave unauthenticated attackers easy access to personally identifiable information (PII), a security researcher has revealed.

Now patched, the critical flaw (CVE-2022-0482) arose from a lack of authentication in a backend API used to populate the user’s calendar.

The bug was discovered by Francesco Carlucci, founder of OpenCIRT, a vulnerability notification platform currently in beta mode.

Carlucci found that the ajax_get_calendar_events() endpoint accepted just three parameters – startDate, endDate, and csrfToken – and that removing all cookies from his request returned a 403 response, suggesting the CSRF token was the only check being applied.

He then discovered that an attacker needed only to visit the public bookings form to obtain a valid CSRF token, and could then query the otherwise unprotected API and download data on every appointment.

The vulnerability, which Carlucci has documented in a technical write-up, has a CVSS score of 9.1.

Attack scenarios

There are multiple attack scenarios, said Carlucci. “First of all, the attacker has access to a whole set of personal information, provided by the user during the booking process,” he told The Daily Swig.

“This includes phone number, physical address, city... all juicy information that can be used for identity theft and ‘password recovery attacks’ on other websites.

“Then of course, the attacker knows who the user is meeting and why, and this can be very personal based on the purpose of the booking.”


He continued: “Last but not least, the HTTP response included the ‘reference’ (hash) of the booking, which can be used by the attacker to cancel the booking on behalf of the user (on a different endpoint: index.php/appointments/index/{hash}). An attacker can automate this to loop through bookings and wipe out the whole booking database.”
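To make the two points above concrete (a CSRF token obtainable from a public form is not an authentication credential, and a calendar response should not hand out the booking reference that a separate endpoint treats as authority to cancel), here is an added example. It is not Easy!Appointments code and makes no claim about how that project is implemented: the `Session` class, the `get_calendar_events_weak`/`get_calendar_events_fixed` handlers, and the booking records are all hypothetical, constructed to mirror the pattern the article describes.

```python
"""Why a CSRF token is not authentication: a toy calendar-events endpoint.

Added illustration, not Easy!Appointments code. `Session`,
`get_calendar_events_weak`, `get_calendar_events_fixed` and the booking
records are hypothetical/constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample bookings, shaped like what a scheduling backend might hold.
BOOKINGS = [
    {"id": 1, "start": "2022-03-01T09:00", "end": "2022-03-01T09:30",
     "customer": {"name": "A. Example", "phone": "+1-555-0100", "city": "Springfield"},
     "service": "Consultation", "reference": "9f3c2e7a"},
    {"id": 2, "start": "2022-03-02T14:00", "end": "2022-03-02T15:00",
     "customer": {"name": "B. Example", "phone": "+1-555-0199", "city": "Shelbyville"},
     "service": "Follow-up", "reference": "1b8d44c0"},
]


@dataclass
class Session:
    """Server-side session state. user_id is None for anonymous visitors."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    user_id: Optional[int] = None


def public_booking_form(session: Session) -> str:
    """The public booking page embeds the session's CSRF token in its HTML,
    so any visitor, logged in or not, can read a valid token."""
    return f'<input type="hidden" name="csrfToken" value="{session.csrf_token}">'


def _csrf_ok(session: Session, params: dict) -> bool:
    # Constant-time comparison against the token bound to this session.
    return secrets.compare_digest(params.get("csrfToken", ""), session.csrf_token)


def _in_range(booking: dict, start: str, end: str) -> bool:
    # ISO-8601 strings compare correctly as plain strings.
    return booking["start"] >= start and booking["end"] <= end


def get_calendar_events_weak(session: Session, params: dict):
    """Vulnerable pattern: the CSRF token is the only gate. A CSRF token proves
    the request was built from a page this server served, not who sent it."""
    if not _csrf_ok(session, params):
        return 403, None
    return 200, [b for b in BOOKINGS if _in_range(b, params["startDate"], params["endDate"])]


def get_calendar_events_fixed(session: Session, params: dict):
    """Hardened pattern: require an authenticated backend user in addition to
    the CSRF check, and strip the booking reference (which another endpoint
    accepts as authority to cancel) from the calendar payload."""
    if session.user_id is None:
        return 403, None
    if not _csrf_ok(session, params):
        return 403, None
    events = []
    for b in BOOKINGS:
        if _in_range(b, params["startDate"], params["endDate"]):
            events.append({k: v for k, v in b.items() if k != "reference"})
    return 200, events


def demo() -> dict:
    """Replays the situation in the article: an anonymous visitor reads a CSRF
    token from the public form and replays it against the calendar API."""
    anon = Session()
    token = public_booking_form(anon).split('value="')[1].rstrip('">')
    params = {"startDate": "2022-03-01T00:00", "endDate": "2022-03-31T23:59",
              "csrfToken": token}
    weak_status, weak_body = get_calendar_events_weak(anon, params)
    fixed_status, _ = get_calendar_events_fixed(anon, params)
    # A logged-in backend user still gets the calendar, minus the reference hash.
    staff = Session(user_id=42)
    ok_status, ok_body = get_calendar_events_fixed(
        staff, {**params, "csrfToken": staff.csrf_token})
    return {
        "anonymous_weak": (weak_status, len(weak_body or [])),
        "anonymous_fixed": fixed_status,
        "staff_fixed": (ok_status, len(ok_body), "reference" in ok_body[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the anonymous caller receiving both bookings from the weak handler and a 403 from the fixed one, while the authenticated user still gets the calendar without the cancellation reference. The design point is that the CSRF check and the authentication check answer different questions and an endpoint that returns or mutates data needs both.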

Easy!Appointments, which is also available as a WordPress plugin, has been downloaded more than 100,000 times.

The appointment management system is based on CodeIgniter, which Carlucci says is riskier than alternative PHP frameworks such as Laravel because developers have to code their own authentication and other basic features.

Carlucci said that there are “several thousand instances still unpatched on the web”, and that while there was no evidence of active exploitation yet, this could change “anytime soon”.

Updates and bug detection

Carlucci submitted a vulnerability report to open source bug bounty platform Huntr and Easy!Appointments’ main developer Alex Tselegidis on January 30.

Tselegidis patched the issue in Easy!Appointments 1.4.3, which was released on March 8. All previous versions are affected.

Tselegidis has provided a patch utility script that automates the updating process for users who are otherwise unable to update.

The developer, who Carlucci praised as “really responsive and cooperative”, also “performed a full security review” that addressed several other minor security issues.

Carlucci, who earned a “small” bug bounty reward for the find, has published a Nuclei template to help security researchers detect the vulnerability, and warned “a couple of big NGOs that were using the software for booking Covid-19 vaccines”.

Tselegidis told The Daily Swig he was “thankful of the community feedback and support for such cases”.
