This report was fully disclosed on 19 August 2020

Summary

An IP address appearing to be managed by “Volly” formally SoftVu/LoyaltyExpress and running “Apache Airflow” is accessible to remote unauthenticated users causing sensitive information disclosure and potentially allowing for denial of service and service interruption.

Volly is described as “the mortgage and banking industries’​ most innovative component-based platform that seamlessly integrates marketing and customer engagement strategies with robust lending technologies.”

Proof of Concept

The IP address in question is 18.216.123.147:8080. Simply opening the affected target in a web browser reveals sensitive information such as the slack token shown at /admin/variable/. Additionally no authentication is required to make modifications within Apache Airflow.

Viewing the affected target reveals several pieces of sensitive data, including but not limited to the following slack token xoxb-116199269811-LPKzljDYdXJIpD175PdQmFOO.

Using the auth.test slack api function we can determine the token is for softvu.slack.com as shown at https://slack.com/api/auth.test?token=xoxb-116199269811-LPKzljDYdXJIpD175PdQmFOO&pretty=1.

Screenshot of Volly's slack token at auth.test

Visiting softvu.slack.com reveals to two domains, @softvu.com and @loyaltyexpress.com, both of which now redirect to myvolly.com. Screenshot of Volly's slack page

Additionally using the users.list slack api function reveals 119 email addresses all ending with either @myvolly.com, @softvu.com, or @loyaltyexpress.com.

With the above information extracted from the exposed slack token we can confidently asses that the asset likely belongs to Volly. While additional authentication tokens were exposed on several different pages, include DAG code, only the slack token’s validity was verified.

It is also important to note that in addition to sensitive information disclosure it is also possible to make modifications and perform actions as an administrative user on the Apache Airflow instance. This could lead to remote code execution, denial of service, or additional sensitive information exposure.

Screenshot of Volly's airflow variables page Screenshot of an airflow dag's code that reveals additional tokens
  • Implement proper access controls.
  • Revoke exposed credentials and tokens.
  • Review access logs for all exposed services and credentials to ensure no unauthorized access has been detected.

Remediation Status

According to uptime robot the slack token was revoked as of 2020-08-19 21:50:05. Additionally the exposed airflow interface was taken down as of 2020-05-16 20:47:49.

Screenshot of uptime robot tracking slack token authentication validity

Response From Affected Party

No Response has been received

Timeline

  • 7 February 2020: Affected Party Notified
  • 19 August 2020: Affected Party Released Patch (+194 days)
  • 19 August 2020: Report Published (+194 days)