Devguides

Security Issue in the eSport Organization ESL's Website

Devguides -

As a developer I am often curious about how web pages are made. As a result I often look at the network tab in Chrome to see what kind of request are sent between the backend and the frontend. One day I was browsing the ESLGaming's web page when I noticed something out of the ordinary.

Description of the Issue

When I was looking at one of the requests I noticed the following header: authorization: Basic xxxxxxxx. The request was not sent to their own backend but to a SAAS service called bonsai. Looking at the request body I recognized the content as an Elasticsearch query.

{
  "query":{
    "bool":{
      "must":[
        {
          "bool":{
    ...
    ...
    ...
}
Parts of the Elasticsearch query found in the request body

My initial thought was that the instance hosted at bonsai most likely was a limited to only query certain indices or read only. Out of curiosity I had to try a request to the bonsai endpoint to see if they were open to more than just querying data. I sent a GET request to the URL https://xxxxx.bonsaisearch.net/_cat/indices?v with the authorization header set to the same value I found earlier. The _cat/indices endpoint returns information about the status, number of documents, storage size and the names of all the indices on the Elasticsearch instance and I got the following response:

green  open   videos    xxx   1   1      34044        11040    157.7mb         68.4mb

My initial thought were that the token only had read access. I tried to create my own index called test, and to my surprise it worked! The token had read, add, update and delete access to the instance. To clean up after my testing I deleted the test index and decided that I had a proper understanding of the security issue. I didn't want to do something wrong and disturb their services by a mistake, and decided not to examine the issue any further. Next step was to get a hold of someone in ESLGaming's organization.

Contacting ESLGaming

Getting a hold of someone in ESLGaming proved to be harder than I thought. First I used their contact form. A few months passed by without any response to my request, so I tried once more. Still no answer. Next, I tried to contact them on Twitter, on Twitch and by applying to a job listing. No luck here either. Lastly, I remembered that I knew someone in the Norwegian eSports scene. Through I few middlemen I got contact information to someone at ESLGaming, which finally responded!

Once they answered my email they handled the issue very well! Within a day the issue was fixed and they were grateful to be informed about the security issue. I have heard to many stories about companies answering defensive and aggressive when they are informed of security issues. I have to say I was pleasantly surprised of how grateful ESL was when I reached out.

Point of Contact

It should not be necessary to go on a hunt to get a hold of someone. Every website should have a point of contact to inform about security issue. My suggestion is to look at the proposed standard security.txt and/or have contact information clearly visible on the website.