Tapping into a telecommunications company’s office cameras
I have a fun little API flaw worth talking about today. An unauthenticated API endpoint in a major telecommunications company’s office camera system allowed me to tap into the image stream and view the live camera feeds. The company in question is a multi-billion dollar telecommunications company and they explicitly requested anonymity if I were to publish any details regarding the exploit.
The Camera Platform
The company maintains a custom-built platform/website that certain employees use to manage the camera system. It lets them manage the cameras, download noteworthy “incident” videos, and view the live feeds. It is a React-based platform that interacts with a server using APIs. The website is publicly accessible, but all functionality is locked behind a corporate login page.
Being a React website, it was easy to uncover all the APIs. To protect the identity of the company, details of the actual website code will not be shown, but the website uses source maps which made it very easy to reverse engineer the site and find all the API endpoints. For the most part, the website was properly secured. Almost all API endpoints required a valid authentication token, and I couldn’t find any way around that. I say almost because there was one endpoint that was not secure: the live feeds. It was an event stream that endlessly provided data in a JSON format. You can open it in your browser and be served an infinite loading page:
I decided to make a quick desktop application to tap into this image stream:
Here is the end result. I took screenshots of the day and night stream:
The cameras were labeled “office”, but it looked more like a warehouse. I was unable to pinpoint exactly where these cameras are located. I also checked in on various days and while I never saw any people, I did notice various items change location, meaning people were definitely working in the area at some point.
This was a read-only vulnerability because you could only access the image stream and all other functions required valid authentication. The impact is therefore not critical in severity, but it was definitely an invasion of privacy that needed to be addressed.
- August 7, 2023: Reported
- August 8, 2023: They request more information/proof of concept. I send it along with the desktop application I made.
- August 9, 2023: They open an incident.
- August 23, 2023: I noticed that authentication has been added to the exposed API. The issue is now fixed (authentication token check was added) and I ask for an update and if they have a bug bounty.
- September 1, 2023: Official confirmation received that the issue is fixed. Still awaiting answer to above question.
- September 18, 2023: I ask for an update.
- October 13, 2023: Official confirmation received that no bug bounty is in place, and the company name should not be attached to any disclosure/report.
Lessons / Takeaways
The primary lesson to learn from this is: keep track of all your API endpoints and don’t miss any when configuring authentication. While the web page on which the live feed could be reviewed was protected behind a login, the underlying API was unprotected. Always assume your API endpoints are discoverable and protect accordingly!