This report was fully disclosed on 25 August 2021

On 25 August 2021 a VirusTotal API key belonging to a Technical Lead at Bitdefender was found exposed online and reported to Bitdefender. A Hybrid Analysis API key was exposed alongside it; see GWA-2021-043 for that finding.

Impact: An attacker holding the key has full access to the affected account and all data available within it. The confidentiality and integrity of the data available to this user are severely affected.

About Bitdefender: “We are led by a vision to be the most trusted cybersecurity technology provider in the world, which means we constantly anticipate, innovate and go the extra mile.”

Proof of Concept

The API key in question is as follows: 65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2

Using the VirusTotal API documentation we can exercise the premium API features to confirm that the key is valid. The simplest check is to retrieve the profile of the key's owner, since the /users endpoint accepts the API key itself as the identifier.

The documentation for /users/{id} states: This endpoint retrieves information about a user, including the privileges and quotas associated with the user. The user can be retrieved either by user ID or by API key, but the latter only works if the requester is the user himself or an administrator of a group the user belongs to.

Request:

GET /api/v3/users/65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2 HTTP/2
Host: www.virustotal.com
User-Agent: Hacker/7.23
Accept: application/json
X-Apikey: 65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2

Response:

HTTP/2 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
X-Cloud-Trace-Context: 3acddf5745553c17059ed592056a18c2
Date: Wed, 25 Aug 2021 09:56:36 GMT
Server: Google Frontend
Content-Length: 6022

{
    "data": {
        "attributes": {
            "status": "active",
            "first_name": "Alexandru",
            "apikey": "65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2",
            "preferences": {
                "graph": {
                    "main_walkthrough_version_seen": "1.0.0",
                    "last_visit": 1599071199348
                },
                "ui": {
                    "last_read_notification_date": 1606827760
                }
            },
            "privileges": {
                "downloads-tier-2": {
                    "granted": true,
                    "inherited_via": "api_quota_group",
                    "inherited_from": "bitdefender"
[..]
            "has_2fa": false,
            "last_name": "Bucevschi",
            "last_login": 1618259446,
            "user_since": 1507189177,
            "email": "[email protected]",
            "reputation": 1
        },
        "type": "user",
        "id": "abucevschi",
        "links": {
            "self": "https://www.virustotal.com/api/v3/users/abucevschi"
        }
    }
}

User Info Screenshot
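The validity check above, as an added example that is not part of the original report: a small Python triage script that issues the same GET /api/v3/users/{apikey} request and reduces the response to the facts this report relies on (active status, 2FA, and privileges inherited from the api_quota_group). The sample response, the user name "example-user", the group "example-org" and the privilege "intelligence" in it are constructed placeholders, not data from the response above; the HTTP call is only made when a key is passed on the command line.

```python
"""Check whether a leaked VirusTotal API key is live and what it grants.

Added example for this report; it is not code from the original disclosure
nor from VirusTotal. fetch_user() issues the request shown in the report
(GET /api/v3/users/{apikey} with the key in X-Apikey). summarize_user() and
findings() reduce the JSON to what a triager needs. SAMPLE_RESPONSE is a
constructed document in the shape of the redacted response; every name in
it is a placeholder.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Any

VT_API = "https://www.virustotal.com/api/v3"


def fetch_user(api_key: str, timeout: float = 15.0) -> dict[str, Any] | None:
    """Look up the key owner by API key. Returns None when the key is
    rejected (401/403), which is what a revoked key looks like after fix."""
    req = urllib.request.Request(
        f"{VT_API}/users/{api_key}",
        headers={"X-Apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return None
        raise


def summarize_user(doc: dict[str, Any]) -> dict[str, Any]:
    """Pull the triage-relevant fields out of a /users/{id} response."""
    data = doc["data"]
    attrs = data.get("attributes", {})
    privileges = attrs.get("privileges", {})
    granted = sorted(name for name, p in privileges.items() if p.get("granted"))
    # Privileges inherited via an api_quota_group mean the key spends the
    # group's shared quota, so abuse of the key affects everyone in that group.
    groups = sorted({
        p["inherited_from"]
        for p in privileges.values()
        if p.get("granted") and p.get("inherited_via") == "api_quota_group"
        and p.get("inherited_from")
    })
    return {
        "user_id": data.get("id"),
        "status": attrs.get("status"),
        "has_2fa": bool(attrs.get("has_2fa", False)),
        "granted_privileges": granted,
        "quota_groups": groups,
        "key_is_live": attrs.get("status") == "active",
    }


def findings(summary: dict[str, Any]) -> list[str]:
    """Turn the summary into the sentences that go into the report."""
    out: list[str] = []
    if summary["key_is_live"]:
        out.append(f"Key is active and authenticates as user '{summary['user_id']}'.")
    else:
        out.append(f"Key no longer authenticates (status={summary['status']!r}).")
    if not summary["has_2fa"]:
        out.append("Account has no 2FA enabled; API requests need only the key anyway.")
    if summary["granted_privileges"]:
        out.append("Granted premium privileges: " + ", ".join(summary["granted_privileges"]) + ".")
    for group in summary["quota_groups"]:
        out.append(f"Quota is inherited from group '{group}': exhausting it denies service to the whole group.")
    return out


SAMPLE_RESPONSE: dict[str, Any] = {  # constructed; mirrors the shape of the redacted response
    "data": {
        "type": "user",
        "id": "example-user",
        "attributes": {
            "status": "active",
            "has_2fa": False,
            "privileges": {
                "downloads-tier-2": {"granted": True, "inherited_via": "api_quota_group",
                                     "inherited_from": "example-org"},
                "intelligence": {"granted": True, "inherited_via": "api_quota_group",
                                 "inherited_from": "example-org"},
                "admin": {"granted": False},
            },
        },
    }
}

if __name__ == "__main__":
    import sys
    # Usage: python vt_key_triage.py <apikey>   (no argument: run on the sample)
    doc = fetch_user(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    if doc is None:
        print("Key rejected: revoked or invalid.")
    else:
        for line in findings(summarize_user(doc)):
            print("-", line)
```

Re-running the script against a key after the vendor reports revocation is the quickest way to confirm the remediation status claimed later in this report: a revoked key comes back as None rather than a user document.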

All other API features the account holds are available to us as well. This includes but is not limited to:

  • Modification of the user's profile information
  • Complete impersonation of the user on the platform
  • Access to group and user information, such as a full list of administrative users and a full list of all users belonging to the same group
  • Exposure of sensitive information such as organization-specific project and research data
  • Access to all other paid premium features of the VirusTotal API

The risk to both the confidentiality and integrity of data available within the user's VirusTotal account is high. There is also a risk to availability: the key's privileges are inherited from the bitdefender api_quota_group, so an attacker burning through that shared quota causes a denial of service to the other users in the group.

Discovery

This API key was discovered in a GitHub repository belonging to the user alex-bucevschi. The specific file that exposed the API key can be found here.

Github Screenshot
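An added example, not the reporter's own tooling, of the scan a repository owner (or a bounty hunter) would run to catch keys like this one: VirusTotal v3 keys are 64 lowercase hex characters, exactly the shape of a SHA-256 digest, so a bare regex over a security team's repositories drowns in file hashes. The scanner below scores every 64-hex candidate by the identifiers on its own line and the line before it. The keyword lists, confidence labels and SAMPLE_SOURCE are my own constructions; the sample is not the repository from this report.

```python
"""Scan a source tree for strings shaped like VirusTotal API keys.

Added example for this report, not the reporter's tooling. A 64-hex string
is both a VirusTotal key and a SHA-256 digest, so each candidate is scored
by the identifiers around it instead of being reported blindly. Keyword
lists, confidence labels and the sample file are constructed for this
example.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

HEX64 = re.compile(r"(?<![0-9A-Fa-f])[0-9a-f]{64}(?![0-9A-Fa-f])")
KEY_CONTEXT = re.compile(r"api[_-]?key|x-apikey|virustotal|vt[_-]?(api|key)|secret|token", re.I)
HASH_CONTEXT = re.compile(r"sha-?256|hash|digest|checksum", re.I)
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}


@dataclass(frozen=True)
class Hit:
    path: str
    line: int          # 1-based line number
    candidate: str     # redacted, never the full secret
    confidence: str    # "high", "medium" or "low"


def redact(secret: str) -> str:
    """Keep just enough of the key to match it against the owner's records."""
    return secret[:4] + "..." + secret[-4:]


def classify(line: str, previous: str) -> str:
    """Score a 64-hex candidate by the identifiers on its line and the line before."""
    if KEY_CONTEXT.search(line):
        return "high"
    if HASH_CONTEXT.search(line):
        return "low"
    if KEY_CONTEXT.search(previous):   # e.g. a YAML/INI value under a "virustotal:" key
        return "high"
    return "medium"


def scan_text(text: str, path: str = "<memory>") -> list[Hit]:
    hits: list[Hit] = []
    previous = ""
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HEX64.finditer(line):
            hits.append(Hit(path, lineno, redact(match.group()), classify(line, previous)))
        previous = line
    return hits


def scan_tree(root: str, max_bytes: int = 2_000_000) -> list[Hit]:
    """Walk a checked-out tree. This only sees the working copy: a key removed
    from HEAD is still in the commit history, so run scan_text() over
    `git log -p` output as well before calling a repository clean."""
    hits: list[Hit] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return hits


SAMPLE_SOURCE = "\n".join([  # constructed sample, not the repository from the report
    "# example config",
    'VT_API_KEY = "' + "1" * 64 + '"',
    'KNOWN_BAD_SHA256 = "' + "2" * 64 + '"',
    'payload = {"resource": "' + "3" * 64 + '"}',
])

if __name__ == "__main__":
    import sys
    # Usage: python vt_key_scan.py <repo-dir>   (no argument: scan the sample)
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for hit in sorted(found, key=lambda h: (h.confidence != "high", h.path, h.line)):
        print(f"{hit.confidence:6} {hit.path}:{hit.line} {hit.candidate}")
```

Only the redacted form of a candidate is ever stored or printed, so the scanner's own output can be pasted into a report like this one without re-leaking the secret.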

Recommendations

  • Immediately revoke the affected API key
  • Review applicable logs for signs of unauthorized usage
  • Educate the affected user on secure development practices and secret storage

Remediation Status

As of 25 August 2021 the affected API key has been revoked and the user account deleted.

A relatively small bug bounty payout was offered; however, the payout was never received and there has been no further communication from Bitdefender.

Response From [email protected]

On Wednesday, August 25th, 2021 at 11:46 AM, Marius Ionut GHERGHINOIU [email protected] wrote:

Hi,

Thank you for the report. We will review it shortly.

I will keep you updated.

Kind regards

Response From [email protected]

On Wednesday, August 25th, 2021 at 3:06 PM, Marius Ionut GHERGHINOIU [email protected] wrote:

Hi,

We reviewed the report and we can confirm that the exposed API key belongs to one of our employees. It was revoked and the repo was made unavailable.

The impact of this finding is minimal, but we still decided to reward your work with $200.

In order to complete the payment, we need the following information: full name, mail address, account number, bank name, bank address, and SWIFT code.

Waiting for your banking info,

Kind regards.

Timeline

  • 25 August 2021: Affected Party Notified
  • 25 August 2021: Report Published (+0 days)