This report was fully disclosed on 25 August 2021

On 25 August 2021 a VirusTotal API key belonging to a Technical Lead at Bitdefender was found exposed online and reported to Bitdefender. A Hybrid Analysis API key was also exposed; refer to GWA-2021-043 for details of that finding.

Impact: An attacker holding this key has full access to the affected account and all data available within it. The confidentiality and integrity of the data available to this user are severely affected.

About Bitdefender: “We are led by a vision to be the most trusted cybersecurity technology provider in the world, which means we constantly anticipate, innovate and go the extra mile.”

Proof of Concept

The API key in question is as follows: 65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2

Using the VirusTotal API documentation, we can exercise various premium API features to confirm that the key is valid. For simplicity of verification, we retrieve the user information of the key's owner.

/users/{id} This endpoint retrieves information about a user, including the privileges and quotas associated to the user. The user can be retrieved either by user ID or by API key, but the latter only works if the requester is the user himself or an administrator of a group the user belongs to.

Request:

GET /api/v3/users/65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2 HTTP/2
Host: www.virustotal.com
User-Agent: Hacker/7.23
Accept: application/json
X-Apikey: 65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2

Response:

HTTP/2 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
X-Cloud-Trace-Context: 3acddf5745553c17059ed592056a18c2
Date: Wed, 25 Aug 2021 09:56:36 GMT
Server: Google Frontend
Content-Length: 6022

{
    "data": {
        "attributes": {
            "status": "active",
            "first_name": "Alexandru",
            "apikey": "65ab94828df7631140f1e36806589c65962a9e96cae3348cfdbc5612b2b4b3e2",
            "preferences": {
                "graph": {
                    "main_walkthrough_version_seen": "1.0.0",
                    "last_visit": 1599071199348
                },
                "ui": {
                    "last_read_notification_date": 1606827760
                }
            },
            "privileges": {
                "downloads-tier-2": {
                    "granted": true,
                    "inherited_via": "api_quota_group",
                    "inherited_from": "bitdefender"
[..]
            "has_2fa": false,
            "last_name": "Bucevschi",
            "last_login": 1618259446,
            "user_since": 1507189177,
            "email": "[email protected]",
            "reputation": 1
        },
        "type": "user",
        "id": "abucevschi",
        "links": {
            "self": "https://www.virustotal.com/api/v3/users/abucevschi"
        }
    }
}

User Info Screenshot
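As an added illustration (not part of the original report, and not VirusTotal or Bitdefender code), the following Python audits a /users/{id} response body of the shape shown above for the indicators a defender wants to see after a key exposure: whether 2FA is enabled, which privileges the key inherits from the organisation's quota group rather than from the user, and how long the account has sat unused. The sample body, the STALE_LOGIN_DAYS threshold, the organisation name and the all-zero key are constructed placeholders.

```python
import json
import time

# Constructed sample /users/{id} body with the fields the report shows; all
# values are placeholders (no real user, no real key).
SAMPLE_USER_RESPONSE = json.dumps({
    "data": {
        "attributes": {
            "status": "active",
            "first_name": "Example",
            "apikey": "0" * 64,            # placeholder, not a real key
            "has_2fa": False,
            "last_login": 1618259446,
            "user_since": 1507189177,
            "privileges": {
                "downloads-tier-2": {
                    "granted": True,
                    "inherited_via": "api_quota_group",
                    "inherited_from": "example-org",
                },
                "intelligence": {"granted": False},
            },
        },
        "type": "user",
        "id": "example-user",
    }
})

STALE_LOGIN_DAYS = 90          # assumed threshold, tune to local policy
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


def audit_user_response(raw_json, now=None):
    """Return [(severity, finding)] for a /users/{id} JSON body.

    Checks: account status, 2FA, group-inherited privileges (a leaked key
    carries the organisation's entitlements, not just the user's), and how
    long the account has been unattended.
    """
    now = time.time() if now is None else now
    attrs = json.loads(raw_json)["data"]["attributes"]
    findings = []

    if attrs.get("status") != "active":
        findings.append(("info", "account status is %r" % attrs.get("status")))
    if not attrs.get("has_2fa", False):
        findings.append(("high", "2FA is not enabled on the account"))

    # Only privileges that are actually granted matter; note which of them
    # come from the group rather than the user.
    granted = {n: p for n, p in attrs.get("privileges", {}).items() if p.get("granted")}
    inherited = sorted(n for n, p in granted.items() if p.get("inherited_via"))
    if inherited:
        findings.append(("medium", "key carries group-inherited privileges: " + ", ".join(inherited)))

    last_login = attrs.get("last_login")
    if last_login is not None:
        idle_days = int((now - last_login) // 86400)
        if idle_days > STALE_LOGIN_DAYS:
            findings.append(("medium", "no login for %d days; key may be unattended" % idle_days))
    return findings


def highest_severity(findings):
    """Collapse findings to the single worst severity ('none' if clean)."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for severity, text in audit_user_response(SAMPLE_USER_RESPONSE):
        print("[%s] %s" % (severity, text))
```

Feed it the saved JSON body from your own account lookup; an account without 2FA whose key inherits group privileges is the case the report describes, and the inherited list tells you what the organisation, not just the individual, exposed.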

Additionally, all other API features are available to us. This includes, but is not limited to:

  • Modification of the user's profile information
  • Complete impersonation of the user on the platform
  • Access to group and user information, such as a full list of administrative users and a full list of all users within the organization
  • Exposure of sensitive information such as organization-specific project and research data
  • Access to all other paid premium features of the VirusTotal API

The risk to both the confidentiality and integrity of data available within the user's VirusTotal account is high. There is also a risk to the availability of the API, since a holder of the key can exhaust the account's quota and cause a denial of service to other users sharing it.

Discovery

This API key was discovered in a GitHub repository belonging to the user alex-bucevschi. The specific file that exposed the API key can be found here.

GitHub Screenshot

  • Immediately revoke the affected API key
  • Review applicable logs for signs of unauthorized usage
  • Educate the affected user on secure development practices and secret storage
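Since the key was found committed to a public repository, here is an added example (not code from the report or from Bitdefender) of the kind of pre-commit check the third recommendation implies: a Python scanner that flags 64-character hexadecimal strings, the shape of a VirusTotal v3 key, only when the same line also carries a credential context such as x-apikey or apikey, so that SHA-256 hashes in the same file are not reported. It would equally catch a saved API response like the one above, whose body echoes the key under "apikey". The sample file contents and both 64-hex strings are constructed placeholders; the context tokens and the masking format are assumptions.

```python
import re
import sys

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")   # shape of a VirusTotal v3 API key
# Assumed context tokens: a 64-hex string on a line that also carries one of
# these is reported as a key; a bare hash (e.g. SHA-256) is not.
CONTEXT_TOKENS = ("x-apikey", "apikey", "api_key", "virustotal", "vt_key")

# Constructed sample file: line 2 holds a placeholder key, line 3 a hash.
SAMPLE_FILE = "\n".join([
    "import requests",
    'VT_API_KEY = "%s"  # constructed placeholder' % ("0123456789abcdef" * 4),
    'EXPECTED_SHA256 = "%s"  # a hash, not a key' % ("fedcba9876543210" * 4),
    'headers = {"x-apikey": VT_API_KEY}',
]) + "\n"


def mask(key):
    """Show only the ends of a matched key so the report does not re-leak it."""
    return key[:4] + "..." + key[-4:]


def find_vt_keys(text):
    """Return [(line_no, masked_key)] for 64-hex strings with credential context."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        if not any(tok in lowered for tok in CONTEXT_TOKENS):
            continue
        for match in HEX64.finditer(line):
            findings.append((line_no, mask(match.group(0))))
    return findings


def scan_paths(paths):
    """Scan files on disk; returns [(path, line_no, masked_key)]."""
    results = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, masked in find_vt_keys(fh.read()):
                results.append((path, line_no, masked))
    return results


if __name__ == "__main__":
    # Pre-commit usage: python vt_key_scan.py $(git diff --cached --name-only)
    # With no arguments it scans the constructed sample instead.
    if len(sys.argv) > 1:
        hits = scan_paths(sys.argv[1:])
    else:
        hits = [("<sample>", n, k) for n, k in find_vt_keys(SAMPLE_FILE)]
    for path, line_no, masked in hits:
        print("%s:%d: possible VirusTotal API key %s" % (path, line_no, masked))
    sys.exit(1 if hits else 0)
```

Wire it into a pre-commit hook over the staged file list; a non-zero exit blocks the commit, and the masked output is safe to paste into a ticket. The context-token requirement is a deliberate trade-off: it suppresses hash false positives at the cost of missing a key assigned to an unrelated variable name, so widen CONTEXT_TOKENS for your own code base.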

Remediation Status

As of 25 August, the affected API key has been revoked and the user account deleted.

Response From [email protected]

On Wednesday, August 25th, 2021 at 11:46 AM, Marius Ionut GHERGHINOIU [email protected] wrote:

Hi,

Thank you for the report. We will review it shortly.

I will keep you updated.

Kind regards

Response From [email protected]

On Wednesday, August 25th, 2021 at 3:06 PM, Marius Ionut GHERGHINOIU [email protected] wrote:

Hi,

We reviewed the report and we can confirm that the exposed API key belongs to one of our employees. It was revoked and the repo was made unavailable.

The impact of this finding is minimal, but we still decided to reward your work with $200.

In order to complete the payment, we need the following information: full name, mail address, account number, bank name, bank address, and SWIFT code.

Waiting for your banking info,

Kind regards.

“Illustrious attention whore” -Alex “Jay” Balan, Director of Security Research at Bitdefender Labs

Response From [email protected]

On Thursday, September 9th, 2021 at 2:41 PM, Marius Ionut GHERGHINOIU [email protected] wrote:

Hello there,

We took this opportunity to do a thorough analysis of what can be done with a Bitdefender VT api key and the impact is really less than you would expect. The account was one of many low privilege accounts and, worst case scenario, you could have exhausted its file download quota, listed the graphs made by other Bitdefender users and list the Bitdefender users on the platform. Everything else (hunt rules, comments, etc) is strictly specific to that one user.

I’ll grant you that an exposed API key on a github repo outlined a bad practice that chained a number of other immediate actions and reviews internally but, thankfully, the potential damage this particular exposure could have caused is minimal.

We thank you for bringing this to our attention and sincerely hope you’ll continue hunting for other potential vulnerabilities in our products and infrastructure.

Our proposal for $200 reward remains valid, so in order to complete the payment, we need the following information: your full name, your mail address, account number, bank name, bank address, and SWIFT code.

Kind regards,

On Fri, 27th Aug 2021 at 9:30 am, Jay wrote:

That's excellent. We’ll take it from here.

Thanks, — Jay

On 26 Aug 2021, at 15:03, Mihai LEONTE [email protected] wrote:

Hello,

Here’s what we know:

If you have a VirusTotal API key you can access their API: https://developers.virustotal.com/v3.0/reference#overview

They (VT) offer public access (in principle anyone can create a limited account) or premium access. The premium API additionally gives access to a set of routes with two types of key: normal and administrator.

Bitdefender has a signed contract with VT, and among the benefits is access to the premium platform and API for any @bitdefender.com email address, within the quotas set by the contract.

The leaked key we are talking about is of the normal type, with access to VT's premium APIs (because of the contract, as mentioned above).

What someone can do with such an API key:

  • query resources (md5/ip/url/etc.) on VT using Bitdefender's quota
  • download files from VT using Bitdefender's quota
  • view graphs made by other Bitdefender users on VT
  • view the current quota usage for the current user
  • view the current quota usage for the Bitdefender company on VT
  • view and modify any actions belonging ONLY to that user: hunt rules, comments, etc.
  • view details about the Bitdefender group on VT and what contract it has
  • view the list of Bitdefender users on the platform together with details such as: username
  • view the list of admins for the Bitdefender company on VT: username (that is how he knew whom to put on the email)

The problems related to resource usage/queries/file downloads and anything falling in that area we would have discovered quickly (a few days) if the account had started to be abused, because some internal processes that use these APIs forced us to put in place some monitoring on quotas in that direction (so that not too many calls, file downloads, etc. are made). So on that side we could say the impact is minimal (it is only querying and we would have found him if he persisted).

What would be more problematic for us: the fact that he can see some details about the company and harvest usernames (and deduce email addresses, etc.) for our admins and employees.

We should investigate whether and how periodic API key regeneration can be enforced for all BD users there, because if someone has a leaked key and does not make noise, at the moment I don't know how easily we would notice.

At this address: https://bitdefender-my.sharepoint.com/:f:/g/personal/npostolachi_ias_bitdefender_biz/EpOdCI3OZZlDsbuBHvbune8BgPRaZSS2J_CEdjJKsC6pWQ?e=945Uma

there are a few examples of responses he would have received from the VT API with that API key for some of the situations above (see especially the rules part, which is user-specific, and the usernames part).

If we can help with anything else here, please let us know.

Thank you.

From: Alex BALAN [email protected] Date: Wednesday, August 25, 2021 at 8:40 PM To: Mihai LEONTE [email protected] Cc: [email protected] [email protected], Dragos Teodor GAVRILUT [email protected], Nicolae POSTOLACHI [email protected], Mihai Razvan BENCHEA [email protected], Sorin Victor DUDEA [email protected] Subject: Re: GWA-2021-042: Exposed VirusTotal API Key

++ We will answer the last paragraph. You give us the official answer to the first 2 :)

   On 25 Aug 2021, at 20:38, Alex BALAN <[email protected]> wrote:

   We know what's there, but the wording of the answer has to come, formally, from you and we pass it on. Because you are the best placed to say what could be done with those keys.

   So please give us an answer for this illustrious attention whore

   --
   Jay

Timeline

  • 25 August 2021: Affected Party Notified
  • 25 August 2021: Report Published (+0 days)