A Note on Squareup’s API.

On Aug 7, 2015 I reported an issue with Square’s API being insecure via the hackerone program.

This is an interesting question for a reader whether the onus of safeguarding and properly escaping the json outputs lie with the developers ?

Here is the complete report

_____________________________________________________________________

Hi there,

I have found that you are not escaping your json outputs properly which enables an attacker to inject malicious code in your inventory (for example) and use that to exploit other apps that rely on square api.

Although I have not tested this extensively on different partner apps, I have at least one proof that it creates xss on postman client working locally.

Sending a simple get request to the URL (whence logged in)

https://squareup.com/api/v1/inventory/list?user_token=F1E6H1YXQB81H

The postman client triggers and XSS because the variable “item variation name” has malicious code.

"item_variation_name": "\"><img src=x onerror=prompt(133)>",

See the screenshot below.

Screenshot_from_2015-08-07_10_49_25

I have debated this extensively whether to report this issue as the onus of safeguarding your API’s lies with the developers. You output “application/json” which makes you api’s safe and immune to xss. However a partner app may consume this api and then output the result as “text/html” causing xss on their end.

Either way, I am filing this bug ensuring that your team is aware of this.

_____________________________________________________________________

It was immediately triaged on Aug 12.

Having found this bug and the slow response from Squareup I decided to probe this further. I found that at least one app was vulnerable due to their improper API escaping and hence I reported the app that was vulnerable to squareup.

On Oct 2nd I got the following response

_____________________________________________________________________

After extensive discussion, we have decided not to implement a fix for this at this time. However, we appreciate interest in Square security and look forward to your next report.

_____________________________________________________________________

I requested a public disclosure on Oct 8th and haven’t heard from since then.

Further request for public disclosures.

  • Oct 8th 2015
  • Oct 29 2015
  • Feb 25 2016

Assuming that it is 6 months since the original report here is my public disclosure.