CBORD Recludo

Planted 02022-02-13

On finding a full account takeover vulnerability in CBORD.

Bug found: 2022-02-07

This vulnerability has been patched.

I won’t bury the lede; this vulnerability enabled access to any account, meaning:

Access to spend all MUlaa dollars
Access to spend all Meal plan dollars
Access to spend all staff paycheck dollars
Access to all MUlaa, meal plan, and paycheck transaction history
Access to all full names
Access to all phone numbers
Access to all student addresses
Access to all doors
And more…

Erik Johnson, a security researcher and fellow scholar at Miami University, had been poking around the CBORD API to create better shortcuts for unlocking his doors. After looking at the endpoints, I wrote a quick web application to provide easier access for him. However, looking at the request body, there seemed to be many unnecessary items. So I started to remove things to see what was required and discovered what seemed at the time a funny vulnerability: you could generate session ids with just two pieces of public information: a unique ID and institution ID.

I told Erik about this, and it hit Erik before it hit me; he soon called me, telling me to stop poking around. I politely refused and kept exploring.

The methods Erik had documented were getMobileLocations and activateMobileLocation. Part of me wanted to test the DeactivateAccount method, but sometimes methods you think they would have controlled…

It eventually dawned on me. By simply using the proper unique ID, you have access to every single electronically-controlled door on campus: every building door, closet, server room, and the most terrifying of all: every dorm room.

And by calling retrieveUserAddressList you could get any students dorm room.

By calling retrieve you could get first, middle, and last names alongside personal phone numbers.

Worse yet, the proper unique ID was elementary to find. Miami has a public web directory with all students and faculty members’ unique IDs. Unique IDs are also simply their email name. With extreme ease, you could suddenly become the university president or the Director of Building Maintenance.

Even easier, Miami provides physical facility staff pages that list staff responsible for physical facilities.

One could build a map with the information and dorm room of every student—with unlock access.

I decided to open the GET mobile app to see what it enables a student like myself to interact with:

Accounts
Transactions
Rewards
Mobile access to doors
Order food
Email and phone PII

CBORD Card Credentials with GET mobile provides:

Identification
Physical access to buildings and rooms
Payments on and off campus

It’s not just door access. Seemingly, all you needed to order food, view transaction history, get access to doors, and the email and phone number of someone else’s account were two pieces of public information.

It’s not just Miami University. CBORD markets itself to K-12, higher education, healthcare, senior living, and business institutions. This no longer seemed to be a funny vulnerability.

At this point, Erik had already tried to get in contact with CBORD; but, despite his efforts to say he was looking to get in touch with CBORD security, they repeatedly told him they don’t deal with students, and he will have to go through the university administration to contact CBORD.

This vulnerability enabled:

Access to all MUlaa dollars
Access to all Meal plan dollars
Access to all staff paycheck dollars
Access to all MUlaa, meal plan, and paycheck transaction history
Access to all full names
Access to all phone numbers
Access to all student addresses
Access to all doors
And more…

And I found this terrifying.

Erik got in touch with Zack Whittaker, security editor at TechCrunch, to get in touch with the Director of Information Security at CBORD who quickly addressed this vulnerability. Attempting to login with only unique ID now returns “9501|This service consumer is not authorized to perform external authentication”.

TechCrunch article: https://techcrunch.com/2022/03/03/cbord-university-digital-locks/