1. Unauthenticated brute forcing of valid IMEIs
Unauthenticated and authenticated users can brute force a number of different api endpoints in order to determine the validity of certain IMEI ids.
Many of the endpoints mentioned below can be used to do this, but one simple example which does not reveal too much device info, but can still be used to brute force valid IMEI numbers, is a POST request to /Guest/GetLastReportDate, with a POST parameter of gpsId=<IMEI>. This will return the last date that the device reported a location for valid devices, and return nothing for an invalid IMEI.
2. Get list of GPS devices belonging to individual client ids ( and hence, all valid GPSids / IMEIs ) via /Alerts/GetVehicles
An Insecure Direct Object Reference (IDOR) vulnerability exists in the /Alerts/GetClients page, allowing an authenticated attacker to retrieve the devices owned by a particular user/clientId, even if that clientId is not their own. While it does not reveal customer email/other data, it does allow a malicious user to potentially enumerate all valid GpsIds and associate them with an account. Combining this with the additional vulnerabilities mentioned below, an attacker could monitor the gps location for any device owned by any clientId.
3. Leak geofence alerting user phone number / email address via /Geofence/GetMailingList
Attackers can leak the alerting email and phone numbers for any geofence via an IDOR vulnerability in the GetMailingList endpoint. By providing different geofence IDs than their own, the attacker will receive a list of any alerting email and phone numbers for that geofence id in addition to their own alerting contact details.
4. Leak all contact emails and phone numbers via /Geofence/SaveChanges and /Geofence/GetMailingList
There is no limit to the mail ids or phone ids which can be added to an attacker-controlled geofence via the /Geofence/SaveChanges endpoint. As a result, an attacker can add emails and phone numbers which belong to other users, and upon calling /Geofence/GetMailingList for that geofence id, will be able to see the victim user’s email and phone number.This also allows the attacker to enumerate a large subset of usernames, as the default alerting email for accounts is the same as their username/account email.
5. Multiple endpoints allow unauthenticated attackers to get any device position
Endpoint 1: /Guest/SharedDevice
------------------------------------
A POST request to this endpoint does not require any authentication, and will create a publicly accessible map with any valid gps id given.
The token can then be found, activated, and used to get the device history/location.
Endpoint 2: /Guest/GetDevicePositions
------------------------------------
An IDOR vulnerability exists in this endpoint which allows an unauthenticated attacker to retrieve the device position history for any GPS Id.
6. Multiple Endpoints allow authenticated attackers to retrieve information about devices they do not own
There are a number of endpoints which allow authenticated users to access device information for devices they do not own, including real time location data.
Endpoint 1: /GoogleEarth/GetKmlFromSite
------------------------------------
An IDOR vulnerability in this endpoint allows authenticated attackers to retrieve the current and historical location data for any device in the form of a .kml file used in applications like Google Earth.
Endpoint 2: /GoogleEarth/GetNetworkLinkKml
------------------------------------
An IDOR vulnerability exists in this endpoint which allows authenticated attackers to retrieve position information for multiple GPS devices, including those they do not own.
Endpoint 3: /Home/GetPositionsByDate
------------------------------------
An IDOR vulnerability exists in this endpoint which allows authenticated attackers to retrieve position info, by date, for any gps device.
Endpoints 4-7: /Report/DataRead, /Report/DrivingResumen, /Report/ParkingRead, and /Report/HaulRead
------------------------------------
An authenticated attacker can craft POST requests to each of the various report endpoints which allow them to view the location data for gps devices they do not own.
Endpoint 8: /Geofence/GetPositionsByDate
------------------------------------
An authenticated attacker can get the position info, by date, for any gps device with a specially crafted POST request to this endpoint.