Tapping into a telecommunications company’s office cameras

I have a fun little API flaw worth talking about today. An unauthenticated API endpoint in a major telecommunications company’s office camera system allowed me to tap into the image stream and view the live camera feeds. The company in question is a multi-billion dollar telecommunications company and they explicitly requested anonymity if I were to publish any details regarding the exploit.
我有一个有趣的小 API 缺陷，今天值得讨论。一家大型电信公司的办公室摄像头系统中未经身份验证的 API 端点允许我访问图像流并查看实时摄像头源。这家公司是一家价值数十亿美元的电信公司，如果我要发布有关该漏洞的任何细节，他们明确要求匿名。

The Camera Platform 相机平台

The company maintains a custom-built platform/website that certain employees use to manage the camera system. It lets them manage the cameras, download noteworthy “incident” videos, and view the live feeds. It is a React-based platform that interacts with a server using APIs. The website is publicly accessible, but all functionality is locked behind a corporate login page.
该公司维护着一个定制的平台/网站，某些员工使用它来管理摄像系统。它允许他们管理摄像机，下载值得注意的“事件”视频，并查看实时画面。它是一个基于 React 的平台，使用 API 与服务器交互。该网站可公开访问，但所有功能都锁定在公司登录页面后面。

The Flaw 缺陷

Being a React website, it was easy to uncover all the APIs. To protect the identity of the company, details of the actual website code will not be shown, but the website uses source maps which made it very easy to reverse engineer the site and find all the API endpoints. For the most part, the website was properly secured. Almost all API endpoints required a valid authentication token, and I couldn’t find any way around that. I say almost because there was one endpoint that was not secure: the live feeds. It was an event stream that endlessly provided data in a JSON format. You can open it in your browser and be served an infinite loading page:
作为一个 React 网站，很容易发现所有 API。为了保护公司的身份，不会显示实际网站代码的详细信息，但网站使用源映射，这使得对网站进行逆向工程并找到所有 API 端点变得非常容易。在大多数情况下，该网站得到了适当的保护。几乎所有的 API 端点都需要有效的身份验证令牌，但我找不到任何解决方法。我之所以这么说，几乎是因为有一个端点不安全：实时提要。这是一个事件流，它以 JSON 格式无休止地提供数据。您可以在浏览器中打开它，并获得无限加载页面：

I decided to make a quick desktop application to tap into this image stream:
我决定制作一个快速的桌面应用程序来利用这个图像流：

Here is the end result. I took screenshots of the day and night stream:
这是最终结果。我截取了白天和黑夜流的截图：

The cameras were labeled “office”, but it looked more like a warehouse. I was unable to pinpoint exactly where these cameras are located. I also checked in on various days and while I never saw any people, I did notice various items change location, meaning people were definitely working in the area at some point.
这些摄像头被贴上了“办公室”的标签，但它看起来更像是一个仓库。我无法准确确定这些摄像机的位置。我也在不同的日子里入住，虽然我从未见过任何人，但我确实注意到各种物品改变了位置，这意味着人们肯定在某个时候在该地区工作。

Impact 冲击

This was a read-only vulnerability because you could only access the image stream and all other functions required valid authentication. The impact is therefore not critical in severity, but it was definitely an invasion of privacy that needed to be addressed.
这是一个只读漏洞，因为您只能访问图像流，而所有其他功能都需要有效的身份验证。因此，这种影响的严重程度并不重要，但绝对是需要解决的侵犯隐私的行为。

Reporting Timeline 报告时间表

• August 7, 2023: Reported 2023 年 8 月 7 日：已报告
• August 8, 2023: They request more information/proof of concept. I send it along with the desktop application I made.
  2023 年 8 月 8 日：他们要求提供更多信息/概念验证。我把它和我制作的桌面应用程序一起发送。
• August 9, 2023: They open an incident.
  2023 年 8 月 9 日：他们打开了一个事件。
• August 23, 2023: I noticed that authentication has been added to the exposed API. The issue is now fixed (authentication token check was added) and I ask for an update and if they have a bug bounty.
  2023 年 8 月 23 日：我注意到已将身份验证添加到公开的 API 中。该问题现已修复（添加了身份验证令牌检查），我要求更新以及它们是否有错误赏金。
• September 1, 2023: Official confirmation received that the issue is fixed. Still awaiting answer to above question.
  2023 年 9 月 1 日：收到官方确认，该问题已解决。仍在等待上述问题的答案。
• September 18, 2023: I ask for an update.
  2023 年 9 月 18 日：我要求更新。
• October 13, 2023: Official confirmation received that no bug bounty is in place, and the company name should not be attached to any disclosure/report.
  2023 年 10 月 13 日：收到官方确认，没有漏洞赏金，公司名称不应附加到任何披露/报告中。

Lessons / Takeaways 经验教训/收获

The primary lesson to learn from this is: keep track of all your API endpoints and don’t miss any when configuring authentication. While the web page on which the live feed could be reviewed was protected behind a login, the underlying API was unprotected. Always assume your API endpoints are discoverable and protect accordingly!
从中吸取的主要教训是：跟踪所有 API 端点，并且在配置身份验证时不要错过任何端点。虽然可以查看实时源的网页在登录后受到保护，但基础 API 不受保护。始终假设您的 API 端点是可发现的，并相应地进行保护！

原文始发于Eaton：Tapping into a telecommunications company’s office cameras