As a developer I am often curious about how web pages are made. As a result I often look at the network tab in Chrome to see what kind of requests are sent between the backend and the frontend. One day I was browsing ESLGaming's web page when I noticed something out of the ordinary.
Description of the Issue
When I was looking at one of the requests I noticed the following header: authorization: Basic xxxxxxxx. The request was not sent to their own backend but to a SaaS service called Bonsai. Looking at the request body I recognized the content as an Elasticsearch query.
My initial thought was that the instance hosted at Bonsai was most likely limited to querying certain indices, or read-only. Out of curiosity I had to try a request to the Bonsai endpoint to see whether it allowed more than just querying data. I sent a GET request to the URL https://xxxxx.bonsaisearch.net/_cat/indices?v with the authorization header set to the same value I found earlier. The _cat/indices endpoint returns the health, status, number of documents, storage size and name of every index on the Elasticsearch instance, and I got the following response:
green open videos xxx 1 1 34044 11040 157.7mb 68.4mb
My initial thought was that the token only had read access. I tried to create my own index called test, and to my surprise it worked! The token had read, add, update and delete access to the instance. To clean up after my testing I deleted the test index and decided that I had a proper understanding of the security issue. I didn't want to do anything wrong and disturb their services by mistake, so I decided not to examine the issue any further. The next step was to get hold of someone in ESLGaming's organization.
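Two checks a practitioner might script for a situation like this, as an added example that is not from the original post: scanning a browser HAR export for Basic credentials that the page sends to hosts outside the first-party domain (the situation spotted in the network tab above), and parsing the _cat/indices?v table into records that can be compared across runs. The HAR content, the hostname example-cluster.bonsaisearch.net and the demo-user:demo-secret credential are constructed placeholders; the _cat/indices row mirrors the response shown above, with the uuid left as xxx.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture): one first-party API call and one
# request that goes straight from the browser to a third-party search cluster
# with a Basic credential attached. Hostname and credential are placeholders.
SAMPLE_HAR = json.dumps({
    "log": {
        "entries": [
            {"request": {
                "method": "GET",
                "url": "https://www.example.com/api/matches",
                "headers": [{"name": "Cookie", "value": "session=abc"}],
            }},
            {"request": {
                "method": "POST",
                "url": "https://example-cluster.bonsaisearch.net/videos/_search",
                "headers": [{
                    "name": "authorization",
                    "value": "Basic " + base64.b64encode(b"demo-user:demo-secret").decode("ascii"),
                }],
            }},
        ]
    }
})


def _is_first_party(host, first_party_domain):
    return host == first_party_domain or host.endswith("." + first_party_domain)


def find_basic_auth_leaks(har_text, first_party_domain):
    """Return one finding per request that carries an Authorization: Basic header
    to a host outside first_party_domain. Only the user name is recorded, never
    the secret, so the report itself does not become a second leak."""
    har = json.loads(har_text)
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = (urlsplit(request["url"]).hostname or "").lower()
        if _is_first_party(host, first_party_domain):
            continue
        for header in request.get("headers", []):
            if header["name"].lower() != "authorization":
                continue
            value = header["value"]
            if not value.lower().startswith("basic "):
                continue
            try:
                decoded = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # malformed token: still a finding, user unknown
            user = decoded.split(":", 1)[0] if decoded and ":" in decoded else None
            findings.append({
                "method": request.get("method"),
                "host": host,
                "url": request["url"],
                "user": user,
            })
    return findings


# Constructed copy of the _cat/indices?v table: the header row is what
# Elasticsearch prints for ?v, the data row mirrors the response in the post.
SAMPLE_CAT_INDICES = """\
health status index  uuid pri rep docs.count docs.deleted store.size pri.store.size
green  open   videos xxx    1   1      34044        11040    157.7mb         68.4mb
"""


def parse_cat_indices(text):
    """Parse the whitespace-separated _cat/indices?v output into dicts keyed by
    the header names, converting the numeric columns to int."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    columns = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(columns):
            raise ValueError("unexpected column count in: %r" % line)
        row = dict(zip(columns, fields))
        for key in ("pri", "rep", "docs.count", "docs.deleted"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for finding in find_basic_auth_leaks(SAMPLE_HAR, "example.com"):
        print("Basic credential for user %r sent to %s" % (finding["user"], finding["url"]))
    for row in parse_cat_indices(SAMPLE_CAT_INDICES):
        print("index %s: %s/%s, %d docs, %s" % (
            row["index"], row["health"], row["status"], row["docs.count"], row["store.size"]))
```

Export a HAR from the browser's network tab (right-click the request list, "Save all as HAR") and feed it to find_basic_auth_leaks with your own domain; anything it reports is a credential that every visitor to the site can read. The finding deliberately drops the password so the scanner's output can be pasted into a report.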
Getting hold of someone in ESLGaming proved to be harder than I thought. First I used their contact form. A few months passed without any response to my request, so I tried once more. Still no answer. Next, I tried to contact them on Twitter, on Twitch and by applying to a job listing. No luck there either. Lastly, I remembered that I knew someone in the Norwegian eSports scene. Through a few middlemen I got contact information for someone at ESLGaming, who finally responded!
Once they answered my email they handled the issue very well! Within a day the issue was fixed and they were grateful to be informed about it. I have heard too many stories about companies responding defensively and aggressively when they are informed of security issues. I have to say I was pleasantly surprised by how grateful ESL was when I reached out.
Point of Contact
It should not be necessary to go on a hunt to get hold of someone. Every website should have a point of contact for reporting security issues. My suggestion is to look at the proposed standard security.txt (since published as RFC 9116, which places the file at /.well-known/security.txt) and/or have contact information clearly visible on the website.
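As an added illustration that is not part of the original post, a minimal security.txt in the RFC 9116 format; the domain, mailbox, key URL and expiry date are placeholders:

```text
# Served at https://example.com/.well-known/security.txt (placeholder domain)
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, no
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the two mandatory fields; the others are optional. RFC 9116 recommends an Expires value less than a year in the future, so the file needs a calendar reminder, otherwise a stale contact address recreates exactly the hunt described above.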