Cyber Security
CBS Last.fm fixes admin password leakage via Symfony profiler
This week, British music streaming service, Last.fm has fixed a credential leakage issue that revealed admin username and password.
The leak had occurred due to a misconfigured PHP Symfony app running in “debug” mode and exposing profiler logs.
With these credentials, an attacker could have accessed and modified Last.fm user account details.
Last.fm web app ran in “debug” mode
Last week, researchers at SecurityDiscovery.com, Sébastien “Seb” Kaul and Bob Diachenko discovered a web app running in “debug” mode.https://googleads.g.doubleclick.net/pagead/ads?guci=2.2.0.0.2.2.0.0&client=ca-pub-3622156405313063&output=html&h=280&slotname=378b174.a42521a&adk=96082032&adf=2134698569&pi=t.ma~as.378b174.a42521a&w=336&lmt=1606488186&psa=1&format=336×280&url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fcbs-lastfm-fixes-admin-password-leakage-via-symfony-profiler%2F%3F%26web_view%3Dtrue&flash=0&wgl=1&adsid=ChAIgIeI_gUQqILZ0vOT1IcXEkwAp_bTzxsfd4LDfWbMeIsmIsw9qQwM5bgH0n70ms5apD2BjI0hMPFf9hWuCvSf6ouCJs9FDOiC94oNpMGC2-S-pwEVG5XaL4spwGdA&uach=WyJXaW5kb3dzIiwiMTAuMCIsIng4NiIsIiIsIjg2LjAuNDI0MC4xOTgiLFtdXQ..&tt_state=W3siaXNzdWVyT3JpZ2luIjoiaHR0cHM6Ly9hZHNlcnZpY2UuZ29vZ2xlLmNvbSIsInN0YXRlIjowfSx7Imlzc3Vlck9yaWdpbiI6Imh0dHBzOi8vYXR0ZXN0YXRpb24uYW5kcm9pZC5jb20iLCJzdGF0ZSI6MH1d&dt=1606580726985&bpp=7&bdt=39479&idt=10&shv=r20201112&cbv=r20190131&ptt=9&saldr=aa&abxe=1&cookie=ID%3D2cf5435d293f309b%3AT%3D1606580692%3AS%3DALNI_Maxtr58OSZzOv_zNMUY1hostJqxAw&prev_fmts=0x0%2C1349x568&nras=2&correlator=8181373360719&frm=20&pv=2&ga_vid=1698274668.1606030711&ga_sid=1606580690&ga_hid=1341170929&ga_fc=0&iag=0&icsg=2894808088576&dssz=58&mdo=0&mso=0&u_tz=330&u_his=1&u_java=0&u_h=768&u_w=1366&u_ah=728&u_aw=1366&u_cd=24&u_nplug=3&u_nmime=4&adx=90&ady=1935&biw=1349&bih=568&scr_x=0&scr_y=1595&eid=42530672%2C21067981%2C21068083%2C21066706&oid=3&pvsid=2329803040575082&pem=736&ref=https%3A%2F%2Fcyware.com%2F&rx=0&eae=0&fc=896&brdim=0%2C0%2C0%2C0%2C1366%2C0%2C1366%2C728%2C1366%2C568&vis=1&rsz=%7C%7CpoeE%7C&abl=CS&pfx=0&fu=8192&bc=31&ifi=10&uci=a!a&fsb=1&xpc=BUhRsnM6gL&p=https%3A//www.bleepingcomputer.com&dtd=42
The web app belonged to CBS-owned Last.fm, a freemium online music streaming service.
When running in debug mode, apps expose data that should remain hidden from the public view, to make troubleshooting easier for developers.
Diachenko said, the misconfigured Symfony app found by Kaul had been exposing “PHPinfo page and profiler logs with credentials.”
If misused, these leaked credentials would have allowed attackers to query each and every Last.fm user for critical info.
Source: Twitter
On taking a closer look at the app, the researchers observed the Last.fm‘s Symfony Profiler logs were exposing multiple administrator usernames, passwords, and secret tokens, shown below in a screenshot shared with BleepingComputer.
Source: Bob Diachenko
“From what we understood it was part of the admin dashboard, allowing [users] to view and edit Last.fm users’ account info and details,” Diachenko told BleepingComputer.
At the time of our testing, BleepingComputer observed the vulnerable endpoints and the admin dashboard were no longer accessible.
Source: Twitter
Researchers spotted leak via IoT search engine
Kaul and Diachenko had spotted Last.fm’s misconfigured web app as a part of their routine research efforts.
“We are now researching misconfigured Sympfony applications and fingerprinting them via IoT search engine(s). The CBSi instances were found as part of this research,” Diachenko told BleepingComputer.https://googleads.g.doubleclick.net/pagead/ads?guci=2.2.0.0.2.2.0.0&client=ca-pub-3622156405313063&output=html&h=280&slotname=35479ba.97b26b4&adk=4279332147&adf=141948622&pi=t.ma~as.35479ba.97b26b4&w=336&lmt=1606488186&psa=1&format=336×280&url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fcbs-lastfm-fixes-admin-password-leakage-via-symfony-profiler%2F%3F%26web_view%3Dtrue&flash=0&wgl=1&adsid=ChAIgIeI_gUQqILZ0vOT1IcXEkwAp_bTzxsfd4LDfWbMeIsmIsw9qQwM5bgH0n70ms5apD2BjI0hMPFf9hWuCvSf6ouCJs9FDOiC94oNpMGC2-S-pwEVG5XaL4spwGdA&uach=WyJXaW5kb3dzIiwiMTAuMCIsIng4NiIsIiIsIjg2LjAuNDI0MC4xOTgiLFtdXQ..&tt_state=W3siaXNzdWVyT3JpZ2luIjoiaHR0cHM6Ly9hZHNlcnZpY2UuZ29vZ2xlLmNvbSIsInN0YXRlIjowfSx7Imlzc3Vlck9yaWdpbiI6Imh0dHBzOi8vYXR0ZXN0YXRpb24uYW5kcm9pZC5jb20iLCJzdGF0ZSI6MH1d&dt=1606580735048&bpp=4&bdt=47542&idt=4&shv=r20201112&cbv=r20190131&ptt=9&saldr=aa&abxe=1&cookie=ID%3D2cf5435d293f309b%3AT%3D1606580692%3AS%3DALNI_Maxtr58OSZzOv_zNMUY1hostJqxAw&prev_fmts=0x0%2C1349x568%2C336x280%2C834x500&nras=2&correlator=8181373360719&frm=20&pv=1&ga_vid=1698274668.1606030711&ga_sid=1606580690&ga_hid=1341170929&ga_fc=0&iag=0&icsg=2894808088576&dssz=59&mdo=0&mso=0&u_tz=330&u_his=1&u_java=0&u_h=768&u_w=1366&u_ah=728&u_aw=1366&u_cd=24&u_nplug=3&u_nmime=4&adx=90&ady=4699&biw=1349&bih=568&scr_x=0&scr_y=4613&eid=42530672%2C21067981%2C21068083%2C21066706&oid=3&psts=AGkb-H-GvyQsYoExIGxZKTLNHGo8T3c6UUmRB1Y8Nm0TK89Cb0w_TYqGBwEHlzpWPwg&pvsid=2329803040575082&pem=736&ref=https%3A%2F%2Fcyware.com%2F&rx=0&eae=0&fc=896&brdim=0%2C0%2C0%2C0%2C1366%2C0%2C1366%2C728%2C1366%2C568&vis=1&rsz=%7C%7CpoeE%7C&abl=CS&pfx=0&fu=8192&bc=31&ifi=12&uci=a!c&fsb=1&xpc=HkY9EH4WB0&p=https%3A//www.bleepingcomputer.com&dtd=21
Last week, Diachenko had asked for everyone’s help in identifying the key person at CBS Interactive for reporting this security issue.
BleepingComputer has reached out to both Last.fm and CBS Interactive for comment but we have not heard back yet.
Although the issue appears to have now been remediated, it does set a precedent for when apps are deployed in production environments.
If not hardened properly, an IoT search engine may eventually index the vulnerable endpoints for the world to view.
Earlier this year, hackers behind the ‘Meow’ attack had wiped almost 4,000 MongoDB databases exposed via IoT search engines.
Attackers have also made extortion threats when unsecured systems are discovered in this fashion.
Ideally, when deploying apps in production environments, debug mode should be turned off to prevent any potential leakage of sensitive data.
Additionally, searching IoT search engines for your company’s IPs may help identify leaks that require urgent attention.