🕵️ Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
News section: 🕵️ Security vulnerabilities
🔗 Source: vulners.com
Hi Security team,

Summary: I was able as Administrator to change the account owner access token.

Description: As Administrator I have high privileges but I have some restricted areas {F1278364}. For example, I got an invitation from MrX with Administrator role. When I navigated to MrX's account as administrator I found all the menu items except the settings {F1278370}, so I tried to navigate to dashboard/#settings and I was able to access MrX's account settings! {F1278399} I tried to use many features but couldn't, but found on API Settings --> API Tokens some cool feature that allowed me to Refresh API Access Token, which is part of a lot of requests (will describe in the impact section).

Steps to reproduce: we need 2 accounts - MrX (account owner) - MrMax
1. Using MrX account go to https://streamlabs.com/dashboard#/settings/shared-access and create an invitation with administration role, copy the link
2. Open the link in your other browser where you are logged in as MrMax, accept the invite, then click on MrX to access his account {F1278374}
3. You will get a message on the top that says "You are currently acting as MrX, click here to return to MrMax.", now navigate to https://streamlabs.com/dashboard#/settings/api-settings, you will see an empty Access token field, click on Refresh then yes {F1278380}
Done ^ ^

Impact: The API Access Token is used in most of API requests and a lot of other places e.g. {F1278381} Here is a list of URLs the token is used on. This list represents about 80% of the... ...