
I'm using smartystreets to verify addresses, etc. The only setting I'm giving them is the referrer URL.

When I request with Postman, passing the correct referrer, it works fine.

What if someone supplies the same header from AWS CloudFront and steals my account subscription limits?

Trying to understand how my subscription is protected.

Thanks.

Here is how I could query without a subscription from smartystreets:

URL used, GET with the `Referrer: https://smartystreets.com/` header:

https://us-zipcode.api.smartystreets.com/lookup?auth-id=21102174564513388&agent=smartystreets%20(website%3Ademo%2Fsingle-address%40latest)&city=Tustin&state=CA&zipcode=92780&candidates=5&geocode=true&input_id=0

Exposed authentication token ID: 21102174564513388

Martijn Pieters
Kannaiyan
  • Are you using the website key or the secret key pair? – Jeffrey Oct 21 '17 at 19:33
  • Is the request over SSL? If so then the content of the request isn't visible. – David S. Oct 23 '17 at 19:24
  • Press F12 or Alt Opt I and check on Network in the browser (Chrome at least); you can check on the whole query string parameters and POST data that got posted to a given endpoint from the web page that made the call. – Kannaiyan Oct 23 '17 at 19:43
  • @DavidShaw Updated the question with the information obtained from the smartystreets website. With a bit of advanced crawler code, it is very simple to extract smartystreets authentication tokens across the web. Smartystreets not only loses business, but also loses reputation with customers with this vulnerability. – Kannaiyan Oct 23 '17 at 20:18
  • @Kannaiyan, founder of SmartyStreets here. We are very much aware of the concern you raise. While the keys you posted are designed to be public, we recognize that there may be better solutions available. We would be delighted to have you contact us and have a better discussion around potential solutions to solve this at a more fundamental level. In the meantime, your keys are scoped to your domain only and rate limited based upon the source IP address, among other things. – Jonathan Oliver Oct 24 '17 at 21:33
  • @JonathanOliver I'm impressed with your response in handling a customer. I do definitely find that the authorization technology imposes risk on the customer and gives no way to protect against it if it is misused by others, when the customer is not liable. Customers will also lose confidence in SmartyStreets if they find their tokens are used by someone else and not them. Again, with your business experience you can say how customers might have been affected like this. But if it all happens in one day, it will be chaos to fix. – Kannaiyan Oct 25 '17 at 01:24
  • First and foremost, one of the biggest attack vectors is that of someone stealing your keys and putting them on another website. We protect against this attack vector. Another vector is when they steal your public/shared website key and attempt to script against it outside of the browser. In that case, we also protect against usage by rate limiting based upon IP and a few other metrics that we gather. – Jonathan Oliver Oct 25 '17 at 15:57
  • @Kannaiyan it sounds like it would be helpful for you to have a direct conversation with SmartyStreets: https://smartystreets.com/contact – SunSparc Oct 26 '17 at 15:41

1 Answer

You are correct that if someone managed to steal your domain then they would be able to use your SmartyStreets subscription. The silver lining here is that all requests from browsers that use website keys (which are intended to be used in public, front-facing javascript code) are rate-limited, preventing the number of lookups that can happen. In the event of a stolen domain you could proactively delete the website keys on your account or you could have your SmartyStreets subscription shut down within a matter of minutes to prevent unauthorized access.


More info about website keys and the basics of their security model:

https://smartystreets.com/docs/cloud/authentication

BTW, I'm a back-end engineer at SmartyStreets.

Michael Whatcott
  • Read the question again. I did not mention stealing my domain. It is about stealing smartystreets tokens from the URL. Also I specifically mentioned CloudFront, with which you can do it very easily. I did make it bold so that it is clear. – Kannaiyan Oct 23 '17 at 18:31
  • This answer is a good one. SmartyStreets helps protect your account by employing `rate limiting`. Yes, it is easy to spoof your domain, which is why website keys are rate limited. A good additional precaution that you could take to protect your account is to rotate your website key periodically. – SunSparc Oct 23 '17 at 22:45
  • @SunSparc It did not address how I can protect my account even if I rotate the keys. The liability is on the consumer, not on SmartyStreets. Since you gave an easy option to integrate, it is not protecting the customer if the key is misused. `rate limiting` is good only if the traffic comes from a single IP address. If it is from a distributed, cloud-based network, which can easily be done with cloud tech, rate limiting will not work. – Kannaiyan Oct 25 '17 at 01:13
  • @Kannaiyan A very simple solution would be to extract the API requests from the client and instead run them from a backend server. That way you are not exposing your subscription keys. In that way, the front-end becomes merely an interface while the actual API calls are done server to server, on the backend. – Jeffrey Oct 30 '17 at 17:11
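The backend-proxy approach from the last comment, and the rate limiting the answer leans on, as an added example (not code from the question, the answer, or SmartyStreets). The browser calls this proxy with only the lookup fields; the secret key pair is read from the server's environment and appended upstream, so there is nothing for a crawler to scrape from the front-end or for a spoofed `Referer` to reuse. The allowed origin, the field whitelist, the placeholder credential values and the `auth-token` parameter name are assumptions; the `auth-id` name and the endpoint come from the URL in the question.

```python
"""Server-side proxy for address lookups: the browser never sees the SmartyStreets key."""
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Secret key pair lives only on the server. The fallback values are placeholders
# for this example, not real credentials.
AUTH_ID = os.environ.get("SMARTY_AUTH_ID", "server-side-auth-id")
AUTH_TOKEN = os.environ.get("SMARTY_AUTH_TOKEN", "server-side-auth-token")
UPSTREAM = "https://us-zipcode.api.smartystreets.com/lookup"  # endpoint from the question

# Origin allowed to call this proxy (constructed example value). Outside a browser
# the Origin/Referer headers are attacker-controlled, exactly as the question says,
# so this check is only a speed bump against casual reuse from other sites.
ALLOWED_ORIGINS = {"https://www.example.com"}
# Only these client-supplied fields are forwarded; anything else (including a
# client-supplied auth-id) is dropped on the floor.
FORWARDED_FIELDS = ("city", "state", "zipcode")


@dataclass
class TokenBucket:
    """Per-client-IP token bucket. In-memory, so one process only; behind a load
    balancer derive client_ip from a trusted X-Forwarded-For and share state."""
    capacity: int = 10
    refill_per_sec: float = 1.0
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    _state: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def allow(self, client_ip: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client_ip, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens < 1:
            self._state[client_ip] = (tokens, now)
            return False
        self._state[client_ip] = (tokens - 1, now)
        return True


def build_upstream_url(params: dict) -> str:
    """Build the upstream query from whitelisted fields only; the credentials are
    appended here, on the server, and never echoed back to the client."""
    clean = {k: params[k] for k in FORWARDED_FIELDS if params.get(k)}
    clean["auth-id"] = AUTH_ID
    clean["auth-token"] = AUTH_TOKEN
    return UPSTREAM + "?" + urllib.parse.urlencode(clean)


def fetch(url: str) -> str:
    """Real upstream call; swapped out in tests."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def handle_lookup(client_ip: str, origin: str, params: dict,
                  limiter: TokenBucket, upstream: Callable[[str], str] = fetch):
    """Return (http_status, body) for one browser request to the proxy."""
    if origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    if not limiter.allow(client_ip):
        return 429, "rate limited"
    if not any(params.get(k) for k in FORWARDED_FIELDS):
        return 400, "missing lookup fields"
    try:
        return 200, upstream(build_upstream_url(params))
    except Exception:
        # The upstream URL carries the key: never include it in an error body or log.
        return 502, "upstream lookup failed"


if __name__ == "__main__":
    bucket = TokenBucket(capacity=5)
    print(handle_lookup("203.0.113.7", "https://www.example.com",
                        {"city": "Tustin", "state": "CA", "zipcode": "92780"}, bucket))
```

The per-IP bucket has the same limitation Kannaiyan points out: a distributed client spreads load across many source addresses. The difference is that here the quota is enforced against the proxy on your own infrastructure, where you can add session or login-bound limits, and the upstream credential can be rotated without touching any deployed front-end code.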