07-31-2020 14:07
Bug #1: Requested to do something which user has no permissions for
When creating a feature post, it asks if you want to upload an image with the post:
But if you attach the image, the request fails and the UI hangs indefinitely. Here's the XHR request:
Bug #2: Missing angular translation
After submitting a feature request, the following is displayed on the success page.
Potential Bug #3: Raw SQL in API requests
You can craft SQL statements in the community API in order to dump a list of users. I wouldn't be surprised if you could do a lot more than that, so it might need some security research.
If you look at the XHR requests in the screenshot from earlier, you'll see a lot of SELECT statements repeating. If you open that page in your browser and edit some parameters, it has no problem with the inputs.
Ex: random 100 user profiles: https://community.fitbit.com/xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+vie...
I tried up to a limit of 1000 and although it takes quite a while to respond, it will indeed return 1000 users. This could potentially be used to DoS the community forums.
07-31-2020 14:50
With a limit of 1000, it takes 52 seconds for the server to respond. This is time it's cranking away. 😐
$ curl -o /dev/null -w '%{time_starttransfer}\n' https://community.fitbit.com/xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+view_href+FROM+users+LIMIT+1000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  363k    0  363k    0     0   6752      0 --:--:--  0:00:55 --:--:-- 97512
52.607012
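The two posts above describe a search endpoint that accepts a SELECT-style query string with a caller-chosen LIMIT, and that a LIMIT of 1000 keeps the server busy for about 52 seconds. The server-side guard below is an added example, not code from the Fitbit forum or its platform; it assumes a query parameter named `q`, an allowlist of selectable fields taken from the query shown in the thread, and a maximum page size of 50, all of which are assumptions. It parses the query, rejects anything outside the expected SELECT/FROM/LIMIT shape, refuses fields or tables that are not allowlisted, and clamps oversized LIMIT values instead of letting the caller pick the cost of the request.

```python
"""Server-side guard for a search endpoint that takes a SELECT-style query
string. Constructed example: field names, table names and the cap are
assumptions, not the forum platform's real configuration."""
import re
from urllib.parse import parse_qs, urlparse

MAX_LIMIT = 50  # assumed cap; the thread shows LIMIT 1000 costing ~52 s
# Fields taken from the query in the thread; anything else is refused.
ALLOWED_FIELDS = {"id", "login", "avatar.profile", "rank", "view_href"}
ALLOWED_TABLES = {"users"}  # assumed; extend per endpoint

# Only this exact shape is accepted: SELECT <fields> FROM <table> [LIMIT n].
# Anything extra (a second statement, WHERE clauses, comments) fails to match.
_QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>[\w.\s,]+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+LIMIT\s+(?P<limit>\d+))?\s*$",
    re.IGNORECASE,
)


class QueryRejected(ValueError):
    """Raised for queries the endpoint should answer with 400, not run."""


def validate_search_query(q: str, max_limit: int = MAX_LIMIT) -> dict:
    """Return a normalised description of an acceptable query, or raise."""
    m = _QUERY_RE.match(q)
    if not m:
        raise QueryRejected("unsupported query shape")

    fields = [f.strip() for f in m.group("fields").split(",") if f.strip()]
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise QueryRejected(f"disallowed fields: {bad}")

    table = m.group("table").lower()
    if table not in ALLOWED_TABLES:
        raise QueryRejected(f"disallowed table: {table}")

    # Missing LIMIT defaults to the cap; an oversized LIMIT is clamped, and the
    # clamp is reported so the handler can log it (repeated clamps are a signal).
    requested = int(m.group("limit")) if m.group("limit") else max_limit
    return {
        "fields": fields,
        "table": table,
        "limit": min(requested, max_limit),
        "requested_limit": requested,
        "clamped": requested > max_limit,
    }


def check_search_url(url: str) -> dict:
    """Pull the q parameter out of a request URL and validate it.
    parse_qs decodes the '+' separators in the thread's URL back to spaces."""
    qs = parse_qs(urlparse(url).query)
    q = qs.get("q", [""])[0]
    return validate_search_query(q)


if __name__ == "__main__":
    # Constructed URL mirroring the query shape from the thread (host is a placeholder).
    sample = ("https://forum.example.invalid/api/2.0/search?"
              "q=SELECT+id,+login,+avatar.profile,+rank,+view_href+FROM+users+LIMIT+1000")
    print(check_search_url(sample))
```

A handler that runs this before touching the backing store turns a 52-second request into a 50-row page, and the `clamped` flag gives the operator a cheap metric: a client that repeatedly asks for far more than the cap is worth rate-limiting or investigating.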