Ayoub FATHI 阿尤布 🇵🇸

@_ayoubfathi_

9 Tweets 4 reads Oct 21, 2023
How could I have Hacked into any #ChatGPT account, including saved conversations, account status, chat history and more!
A tale of 4 ChatGPT vulnerabilities 👇
We can discuss it now that the #OpenAI team has confirmed it's completely fixed.
Let me explain 🤌:
After OpenAI had fixed a critical vulnerability reported by @naglinagli, a line caught my attention: "..instruct the caching server to not catch the endpoint through a regex (this is the fix @OpenAI chose)"
I knew something was wrong with the fix & decided to give it a look.. 👇
Having fixed similar issues, I knew this was the wrong fix—so I dug deeper into the Auth API.. without success.
I thought the cache deception was fixed. But a bypass attempt that failed on the Auth API worked on another API, giving access to all of a user's conversation titles 😄
Here I thought all I could find was a bypass to read someone's conversation titles – which is still bad but not as bad as taking over accounts, correct?
To explain the previous image, we are getting a "HIT" cache status of an API request (not a static file).
This means an "API" request is cached since Cloudflare thinks this is a static file request that needs to be cached.
Hence you can forge an exploit based on a URL like:
GET /backend-api/conversations%0A%0D-testtest.css?offset=0&limit=20
Send it to a victim, and upon accessing it – his own "API" response will be cached, and if you recheck the same URL (i.e. fetching the cached response of the victim), you will be able to see the victim's HTTP response, which contains the conversations' titles.
This is called a cache deception attack (more details: omergil.blogspot.com).
With this finding in hand, I decided to report it to the OpenAI team and got the following response back:
Then I went back and started looking again.. It bothered me a bit that I couldn't bypass that Auth API and all I reported was reading a user's conversation titles.
Then I'll just call it a night, probably?
Now getting to the juicy part—there is more to it.
I found a new vector to bypass the fix of the original account takeover attack 😱
I thought the %0A%0D payload would also work on the Auth API but that wasn't the case:
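Added example, not part of the original thread: a detection check for the cache deception pattern described above, run over constructed edge log lines. The field names (`uri`, `cache_status`, `content_type`), the extension list and the set of cache statuses treated as "stored" are assumptions for this sketch, not any CDN's actual log schema.

```python
import json
from urllib.parse import urlsplit, unquote

# Assumption: extensions the CDN caches by default, mapped to a substring
# the response Content-Type should contain for a genuine static file.
STATIC_TYPES = {".css": "text/css", ".js": "javascript",
                ".png": "image/png", ".jpg": "image/jpeg"}
# Assumption: statuses meaning the edge stored or served a stored copy.
CACHED = {"HIT", "MISS", "EXPIRED", "REVALIDATED"}

# Constructed sample log (JSON lines); the first URI is the one from the thread.
SAMPLE_LOG = """\
{"uri": "/backend-api/conversations%0A%0D-testtest.css?offset=0&limit=20", "cache_status": "HIT", "content_type": "application/json"}
{"uri": "/static/app.css", "cache_status": "HIT", "content_type": "text/css"}
{"uri": "/backend-api/conversations?offset=0&limit=20", "cache_status": "DYNAMIC", "content_type": "application/json"}
"""


def deception_reasons(entry):
    """Return the reasons an edge log entry looks like cache deception."""
    # Decode only after splitting, so encoded CR/LF stays part of the path.
    path = unquote(urlsplit(entry["uri"]).path)
    ext = next((e for e in STATIC_TYPES if path.lower().endswith(e)), None)
    if ext is None or entry["cache_status"].upper() not in CACHED:
        return []
    reasons = []
    ctype = entry["content_type"].lower()
    # Strongest signal: a "static" URL whose cached body is not that type.
    if STATIC_TYPES[ext] not in ctype:
        reasons.append(f"{ext} URL cached with content-type {ctype}")
    # Supporting signal: control or delimiter characters before the suffix.
    if any(ord(c) < 0x20 or c == ";" for c in path):
        reasons.append("control or delimiter character in decoded path")
    return reasons


def scan(log_text):
    """Return (uri, reasons) for every suspicious line in a JSON-lines log."""
    findings = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        reasons = deception_reasons(entry)
        if reasons:
            findings.append((entry["uri"], reasons))
    return findings


if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_LOG):
        print(uri, "->", "; ".join(reasons))
```

The content-type mismatch is the more durable of the two signals, since it does not depend on which characters a particular bypass uses.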
