Good time of day, dear readers!
Today I learned about an interesting site, Raindrop.io. Some of you have probably already heard of it, so I will explain for those who have not. The service is a smart bookmark store, something of a Pocket analogue, but few people realize that using it is not as safe as we would like.
Description from the developer:
Raindrop stores not just bookmarks, but also related content depending on the type of page. If it is an article, it will be clipped and saved along with the bookmark. The same goes for a video, photo or presentation. Thus, you can organize thematic collections with different content.
Frankly, the service interested me. It is completely free, there is an Android application and browser extensions, and it is simple and convenient to use. True, not everything is as cool as it seems at first glance. Among all its many advantages there is one very, very vulnerable "BUT"!
After studying the service's capabilities, I came across one very interesting feature. Every user's bookmarks can be retrieved as an RSS feed, and for that you only need to know a unique URL of the form:
raindrop.io/feeds {key}
where {key} is a sequence of 6 letters of mixed case.
Without a second thought, I decided to try to get someone else's bookmarks by guessing the right key. After a couple of minutes of manual searching, it turned out that if the key is correct, we get the page with the user's feed; otherwise, the message "key invalid!" and a 404 error. So I decided to quickly jot down a small program to do the searching rather than suffer. The elementary task was solved in 5 minutes, and a simple C# console program was already searching for the cherished keys to other people's bookmark stores and carefully saving them to a file.
I want to note that even using the first 4 characters of my own key and leaving the rest to chance, more than 20 unique keys were found in less than 5 minutes. After waiting another 5 minutes, there were about 15 more keys.
It is also important that the server did not block the requests, even though they all came from the same IP and were sent to the site without any delay.
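As an added illustration from the defender's side (not code from this post or from Raindrop.io), the following Python script sizes the key space the post describes and flags clients that collect many "key invalid" 404 answers within a short window, which is exactly the traffic the author says went unblocked. It assumes a /feeds/{key} path and common-log-format lines; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real Raindrop.io traffic); a wrong key
# is assumed to answer 404, as the post describes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2018:12:00:01 +0000] "GET /feeds/AbCdEf HTTP/1.1" 404 12
203.0.113.7 - - [10/Oct/2018:12:00:01 +0000] "GET /feeds/AbCdEg HTTP/1.1" 404 12
203.0.113.7 - - [10/Oct/2018:12:00:02 +0000] "GET /feeds/AbCdEh HTTP/1.1" 404 12
203.0.113.7 - - [10/Oct/2018:12:00:03 +0000] "GET /feeds/AbCdEj HTTP/1.1" 404 12
203.0.113.7 - - [10/Oct/2018:12:00:03 +0000] "GET /feeds/AbCdEk HTTP/1.1" 404 12
203.0.113.7 - - [10/Oct/2018:12:00:04 +0000] "GET /feeds/AbCdEl HTTP/1.1" 404 12
198.51.100.4 - - [10/Oct/2018:12:05:05 +0000] "GET /feeds/QwErTz HTTP/1.1" 404 12
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /feeds/(?P<key>[A-Za-z]{6}) HTTP/1\.[01]" (?P<status>\d{3}) \d+$'
)

def keyspace_size(length=6, alphabet_size=52):
    """6 mixed-case letters give 52**6 keys; with 4 known, only 52**2 remain."""
    return alphabet_size ** length

def parse_feed_requests(log_text):
    """Yield (ip, timestamp, key, status) for each feed-key request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines for other endpoints are not enumeration evidence
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["key"], int(m["status"])

def find_enumerators(log_text, window_seconds=60, max_invalid=5):
    """Return {ip: peak} for clients exceeding max_invalid 404s in any window."""
    misses = defaultdict(list)
    for ip, ts, _key, status in parse_feed_requests(log_text):
        if status == 404:
            misses[ip].append(ts)
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # drop misses that fell out of the sliding window
            peak = max(peak, end - start + 1)
        if peak > max_invalid:
            flagged[ip] = peak
    return flagged
```

The same counter, kept per client on the server side, is what a rate limiter would consult before answering another feed request.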
Moral: not every feature a developer implements for the convenience of using a product is safe for user data.
Thank you all for your attention! Be careful when developing new projects.