VPNOverview’s security team discovered a personally identifiable information (PII) breach affecting users of the Clubster social media app, a Facebook-style app for country clubs and other groups.
Upon auditing the app, we also encountered a couple of potentially catastrophic vulnerabilities. These issues can affect thousands of Clubster users.
PII Breach, Code Insertion, IDOR
We have categorized the issues found in our research as follows:
Clubster App Exposes Members and Guests
Our security team confirmed that 14,271 members and guests at 176 country clubs were accidentally exposed by the Clubster app.
These people had their names and email addresses published on the web. The breach was caused by a leaky Amazon Web Services (AWS) S3 bucket.
Amazon’s Simple Storage Service (S3) buckets have been causing problems for years. Recently, we found Sephora exposed the personal data of 100,000 customers.
We also found that Grink Inc.’s Switch app leaked 4,765 users’ data and severe issues with gaming giant Sega’s cloud security. Misconfigured S3 bucket permissions were the problem in those cases as well.
Malicious Code Injection Vulnerability
We were able to inject malicious code into Clubster posts and modify the posts of other users. Therefore, it would have been possible for a cybercriminal to steal user accounts and embed malicious scripts in Clubster posts.
Combined with the IDOR vulnerabilities, any user could insert malicious code into any post or group post visible to them.
As proof-of-concept (PoC), we added a malicious script to a post on a target user’s home screen. When we logged in as the target user, the script ran and displayed our session cookie.
We determined we could steal the account of any Clubster user we were friends with, as long as that user had at least one (1) post on their home screen.
We also found vulnerabilities in Clubster’s API, the software interface through which the app’s clients talk to its servers. APIs are a well-known favorite of cybercriminals, and API-related attacks are on the rise.
We found two API endpoints that allowed insecure direct object references (IDOR). This IDOR vulnerability allows users to change other users’ posts. It also lets users change group posts.
To exploit this serious vulnerability, a malicious user needed to capture and change HTTP requests. So to simulate the IDOR attack, we edited one of our posts and captured the HTTP request.
We altered the request and changed the ID to another post. It succeeded, proving we were able to edit others’ posts.
We found two endpoints in Clubster’s API that were affected by an IDOR vulnerability. We were able to edit any user or group post controlled by these endpoints.
| Endpoint | Issue |
|---|---|
| /post/edit | A logged-in user can edit another user’s posts |
| /organization/[group]/post/edit | A logged-in user can edit a group’s posts |
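The missing check behind both endpoints, as an added illustration (not Clubster’s code): a minimal in-memory `/post/edit` handler that trusts the post ID from the request, beside a hardened version that enforces ownership server-side and escapes the body so injected markup renders as text. The data, the `Forbidden` exception and the assumption that group posts may be edited only by a group admin are all constructed for this example.

```python
import html

# Constructed sample data: post_id -> record, plus admins per group.
POSTS = {
    101: {"owner": "alice", "group": None, "body": "Hello club"},
    102: {"owner": "bob", "group": None, "body": "Golf on Sunday"},
    103: {"owner": "carol", "group": "riverside", "body": "Board meeting"},
}
GROUP_ADMINS = {"riverside": {"carol"}}  # assumption: admins may edit group posts


class Forbidden(Exception):
    """Raised when the caller is not allowed to edit the requested post."""


def edit_post_vulnerable(session_user, post_id, new_body):
    # Only checks that someone is logged in, then trusts post_id from the
    # request: any user can rewrite any post whose ID they know (IDOR).
    if session_user is None:
        raise Forbidden("login required")
    POSTS[post_id]["body"] = new_body  # no sanitization either
    return POSTS[post_id]


def _may_edit(user, post):
    # Owner of the post, or (assumed rule) an admin of the post's group.
    if post["owner"] == user:
        return True
    return post["group"] is not None and user in GROUP_ADMINS.get(post["group"], set())


def edit_post_hardened(session_user, post_id, new_body):
    # Authorization is decided on the server from the session, never from
    # the client-supplied ID alone; the body is HTML-escaped before storage.
    if session_user is None:
        raise Forbidden("login required")
    post = POSTS.get(post_id)
    if post is None or not _may_edit(session_user, post):
        # One response for "missing" and "not yours" avoids confirming IDs.
        raise Forbidden("post not found or not editable by caller")
    post["body"] = html.escape(new_body, quote=True)
    return post
```

Escaping at render time is the more common place for output encoding; it is done at write time here only to keep the example to one function.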
Clubster Breach Timeline
We have organized our breach research timeline as follows:

| Event | Date |
|---|---|
| VPNOverview’s security team notified Clubster of a PII breach | December 2021 |
| VPNOverview’s security team notified Clubster of vulnerabilities | January 2022 |
| Clubster closed the PII breach | January 2022 |
| Clubster repaired the vulnerabilities | February 2022 |
| Clubster updated their app | February 2022 |
The Clubster App is Now Secure
Per the above, we notified Clubster, and they closed the PII breach in January 2022. In the next two months, Clubster repaired the rest of the vulnerabilities. Their users are now safe from potential attacks.
Clubster is a social networking app designed for country clubs and other groups. The app has features that enable users to post news, events, and announcements, share material in groups, and create custom events.
Clubster’s team rebuilt their API to close the vulnerabilities in the old version of the app.
Lessons Learned From Clubster’s Vulnerability
Breaches and vulnerabilities can prove to be especially serious in a social media app. Accounts that users would otherwise trust can be used to commit fraud and theft.
And in this case, the victims themselves, as members of country clubs, may be especially attractive targets.
VPNOverview cybersecurity expert Aaron Phillips had this to say: “I think it’s interesting that Clubster recently changed hands. Surely the original developers knew that posts weren’t sanitized and there was no access control in the /edit endpoints. It’s unfortunate the software was sold in that state, and we’re glad this breach was closed instead of exploited.”