Bitmoji source code is accessible
Medium
Snapchat
Team Summary
Official summary from Snapchat
The Bitmoji rendering service provided directory listings and access to .jar and .class files in some of those directories. Although the top-level site returned a `403 Forbidden`, the access control check was not present on subpaths, allowing directory listings, notably at `/WEB-INF/` and `/META-INF/`. While not arbitrary file system access on the rendering service, it did provide a directory listing and access to some sensitive files. We thank the reporter for pointing us to this issue.
Reported by
rms
Vulnerability Details
Technical details and impact analysis
Hi team,
I'm starting my research on Snapchat by scanning all sub-domains on all the domains in scope: snapchat.com, bitmoji.com, etc.
Let's look at one of the URLs, [https://rendering-service.prod.us-east.bitstrips.com/](https://rendering-service.prod.us-east.bitstrips.com/)
When I request `GET https://rendering-service.prod.us-east.bitstrips.com/`
The response is `403 Forbidden`
After searching, I've found the [/WEB-INF/](https://rendering-service.prod.us-east.bitstrips.com/WEB-INF/) & [/META-INF/](https://rendering-service.prod.us-east.bitstrips.com/META-INF/) directories, which are accessible and allow directory listing.
Inside `/WEB-INF/` we have all the .class files of Bitmoji; we can download all the files.
Then, by using a Java decompiler such as `procyon-decompiler`, we reverse the .class files to make them readable.
Best,
Hermès.
## Impact
Source code leaked
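The pattern the report describes (document root answers `403`, but `/WEB-INF/` and `/META-INF/` are listable and serve bytecode) is easy to check for systematically. The script below is an added example, not the reporter's tooling and not Snapchat's code: it probes the sensitive servlet-container paths through an injectable fetch function, detects autoindex pages, collects the `.class`/`.jar` entries it would pull, and verifies a download really is JVM bytecode (magic `0xCAFEBABE`) before handing it to a decompiler. The host name, the two extra paths beyond the ones named in the report, and all HTTP responses are constructed assumptions so it runs offline; swap `constructed_fetch` for a real HTTP client to use it against an authorized target.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple

# Paths a servlet container should never expose; a listing here leaks bytecode
# and deployment descriptors. /WEB-INF/ and /META-INF/ are the two named in the
# report; the classes/ and lib/ subpaths are assumed follow-ups worth checking.
SENSITIVE_PATHS = ["/WEB-INF/", "/META-INF/", "/WEB-INF/classes/", "/WEB-INF/lib/"]
ARTIFACT_EXT = (".class", ".jar")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status code, body)


class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags from a directory-listing page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listing_entries(body: str) -> List[str]:
    """Entries of an autoindex page, minus the parent link and column-sort links."""
    parser = _HrefCollector()
    parser.feed(body)
    return [h for h in parser.hrefs if not h.startswith(("?", "/")) and h != "../"]


def looks_like_listing(body: str) -> bool:
    # Tomcat titles its pages "Directory Listing For /x/", Apache/nginx "Index of /x".
    return re.search(r"Directory Listing For|Index of", body, re.I) is not None


def probe(base: str, fetch: Fetcher) -> Dict[str, object]:
    """Compare root vs. subpath access control and collect listable directories."""
    root_status, _ = fetch(base + "/")
    listable: Dict[str, List[str]] = {}
    for path in SENSITIVE_PATHS:
        status, body = fetch(base + path)
        if status == 200 and looks_like_listing(body):
            listable[path] = listing_entries(body)
    artifacts = sorted(
        path + entry
        for path, entries in listable.items()
        for entry in entries
        if entry.lower().endswith(ARTIFACT_EXT)
    )
    return {
        "root_status": root_status,
        # The report's finding: the deny rule exists only at the document root.
        "acl_gap": root_status == 403 and bool(listable),
        "listable": listable,
        "artifacts": artifacts,
    }


def class_file_major_version(data: bytes) -> Optional[int]:
    """Confirm a download is JVM bytecode before decompiling it.

    A class file starts with magic 0xCAFEBABE, then minor and major version
    (big-endian u2 each). Returns the major version (52 = Java 8) or None.
    """
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    return int.from_bytes(data[6:8], "big")


# Constructed responses imitating the reported behaviour (not real captures).
BASE = "https://rendering-service.example"  # hypothetical host, not the real one
_CONSTRUCTED = {
    "/": (403, "<h1>403 Forbidden</h1>"),
    "/WEB-INF/": (200, "<title>Directory Listing For /WEB-INF/</title>"
                       '<a href="../">Up</a><a href="?C=N;O=D">Name</a>'
                       '<a href="classes/">classes/</a><a href="lib/">lib/</a>'
                       '<a href="web.xml">web.xml</a>'),
    "/META-INF/": (200, "<title>Directory Listing For /META-INF/</title>"
                        '<a href="../">Up</a><a href="MANIFEST.MF">MANIFEST.MF</a>'),
    "/WEB-INF/classes/": (200, "<title>Directory Listing For /WEB-INF/classes/</title>"
                               '<a href="com/">com/</a><a href="Render.class">Render.class</a>'),
    "/WEB-INF/lib/": (200, "<title>Directory Listing For /WEB-INF/lib/</title>"
                           '<a href="rendering-1.0.jar">rendering-1.0.jar</a>'),
}


def constructed_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for an HTTP client; answers from the constructed table above."""
    return _CONSTRUCTED.get(url[len(BASE):], (404, "Not Found"))


if __name__ == "__main__":
    result = probe(BASE, constructed_fetch)
    print("root:", result["root_status"], "acl gap:", result["acl_gap"])
    for path, entries in result["listable"].items():
        print(path, entries)
    print("artifacts to pull:", result["artifacts"])
```

`acl_gap` is the signal that matters for triage: a `403` at `/` alone is not a finding, and a listable `/WEB-INF/` is a finding regardless of the root, but the combination is exactly the "check present at the top level only" defect described in the summary. Running `class_file_major_version` on each download avoids feeding an HTML error page to the decompiler and tells you which JDK the service was built for.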
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Information Exposure Through Directory Listing