Race Condition vulnerability in Azure Video Indexer allowed trial account users to use Advanced / Premium features
- Author: Vikas Anil Sharma (@vikzsharma)
IMPORTANT
Don't leave your organization's security to chance. Contact us for a free consultation on how we can fortify your systems.
VULNERABILITY OVERVIEW
Azure’s Video Indexer offers a feature called "Animated Characters," which helps customers identify and group animated characters in videos. However, trial accounts are limited to one model. Through our research, we uncovered a race condition that allowed trial users to add unlimited animated characters, essentially gaining premium access without paying.
RISK BREAKDOWN
- Risk: High / Important
- Difficulty to Exploit: Medium
AFFECTED URLS
https://api.videoindexer.ai/trial/accounts/$ACCOUNT_ID/Customization/AnimationModels?accesstoken=
STEPS TO REPRODUCE
Step 1. Log in to Videoindexer.ai using any trial account (e.g. vikzsharma@twitter.com).
Step 2. Navigate to the left tab Model customizations -> Animated Characters.
Step 3. Observe that the page explicitly states "You can add one model on a trial account".
Step 4. Add a model to the account and observe that the validation allowing only one model for trial account users is implemented on the client side as well as the server side.
Step 5. Start fresh: delete the existing model from the trial account. Navigate to the left tab again, Model customizations -> Animated Characters -> click on Add Model.
Step 6. Enable any proxy tool (e.g. Burp Suite, mitmproxy) in the browser, enter a model name and intercept the POST request (shown below). Send it to Burp Intruder and then drop the request.
```http
POST /trial/accounts/0c2d9f08-b2d9-4b71-9c4a-1e9d32a70a6a/Customization/AnimationModels HTTP/1.1
Host: api.videoindexer.ai
Content-Length: 27
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
X-Ms-Client-Session-Id: sc9sx7oP0cFv/1o9ffkcUk
Sec-Ch-Ua-Mobile: ?0
Content-Type: application/json
Accept: application/json, text/plain, */*
X-Ms-Client-Request-Id: 49314542-bec2-3930-3a83-5f5667789332
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://www.videoindexer.ai
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.videoindexer.ai/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"name":"Imfirstmodel"}
```
Step 7. Configure Burp Intruder with the maximum concurrent requests set to 300, 500 or 600, and add the payload position on the value of the "name" parameter ("Imfirstmodel" in our example). In the payload options you can set any payload type of your choice, numeric or alphanumeric.
For testing purposes, send 500-1000 numeric or alphanumeric names concurrently.
Step 8. Observe that threads use the same shared memory to update the values of variables on the server side. We are therefore able to bypass the security mechanism / authorization in place using the vulnerability known as a race condition, and add N models to a trial account.
Intruder shows many 201 responses, proving that N models were created in a trial account, bypassing the critical business logic that restricts trial users of Azure Video Indexer.
[Screenshot: trial account with many models]
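The check-then-act pattern behind this kind of quota bypass, next to a version where the check and the insert are one critical section, as a local simulation. This is an added example, not code from the original write-up or from Azure Video Indexer: `ModelStore`, `create_racy`, `create_atomic` and `fire_concurrently` are hypothetical names, and the 50 ms sleep is an assumed stand-in for storage latency.

```python
import threading
import time
from collections import Counter

TRIAL_MODEL_LIMIT = 1  # the page: a trial account may hold one model

class ModelStore:
    """Toy stand-in for a server-side model table (hypothetical, not Azure code)."""

    def __init__(self):
        self.models = {}               # account_id -> list of model names
        self._lock = threading.Lock()  # serialises check + insert in the fixed path

    def _check_then_insert(self, account_id, name):
        owned = self.models.setdefault(account_id, [])
        if len(owned) >= TRIAL_MODEL_LIMIT:  # 1. check the quota
            return 409
        time.sleep(0.05)                     # assumed storage latency: the race window
        owned.append(name)                   # 2. act on a possibly stale check
        return 201

    def create_racy(self, account_id, name):
        # Vulnerable pattern: check and insert are separate, unsynchronised steps.
        return self._check_then_insert(account_id, name)

    def create_atomic(self, account_id, name):
        # Fixed pattern: nobody else can insert between the check and the write.
        with self._lock:
            return self._check_then_insert(account_id, name)

def fire_concurrently(handler, account_id, n=20):
    """Release n create requests at the same instant and tally the status codes."""
    barrier = threading.Barrier(n)
    statuses = []

    def worker(i):
        barrier.wait()  # all workers enter the handler together
        statuses.append(handler(account_id, f"model-{i}"))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(statuses)

if __name__ == "__main__":
    print("racy  :", fire_concurrently(ModelStore().create_racy, "trial-account"))
    print("atomic:", fire_concurrently(ModelStore().create_atomic, "trial-account"))
```

An in-process lock only covers a single process. In a service running on several instances the same guarantee has to come from the data store, for example a transaction, a conditional write or a uniqueness constraint.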
IMPACT
This race condition vulnerability allowed an attacker to add N models to their "Free Trial Account", which is an advanced paid feature of Azure as mentioned in the documentation (https://docs.microsoft.com/en-us/azure/azure-video-indexer/animated-characters-recognition#limitations).
Financial as well as reputational loss.
TIMELINES
- Jun 18, 2022 - Case Opened
- Aug 22, 2022 - Issue confirmed -> Changed to Develop status
- September 2022 - Fix / HOF.
Why This Matters for Your Business
This vulnerability is a stark reminder of how attackers can exploit even the most trusted platforms, like Azure Video Indexer. This can lead to:
- Unintended Premium Feature Use: Attackers exploiting this could use advanced features without paying, causing revenue loss.
- Reputation Damage: Bypassing security mechanisms damages your credibility as a trusted provider.
Agilehunt can help prevent such threats. With over a decade of experience in penetration testing, cloud security, and application security, we offer a comprehensive suite of services to safeguard your infrastructure:
- Web & API Penetration Testing: Ensure your web apps are secure against the latest attack vectors.
- Cloud Security Audits: Lock down your sensitive cloud infrastructure.
- Network Security Testing: Identify and patch vulnerabilities in your network before malicious actors can exploit them.
At Agilehunt, we believe in proactive security—staying ahead of attackers by identifying and addressing vulnerabilities before they can be exploited.
Protect Your Business Today
Don’t wait for an attack to happen. Contact Agilehunt today to schedule a free consultation and see how we can help safeguard your business.