WWBN AVideo Unauthenticated Password Verification Vulnerability in API Endpoint Allowing Brute-Force Attacks

A vulnerability exists in WWBN AVideo versions through 26.0, specifically in the 'get_api_video_password_is_correct' API endpoint. This endpoint allows any unauthenticated user to check if a password is correct for password-protected videos. The response includes a boolean 'passwordIsCorrect' value, and the endpoint lacks rate limiting, CAPTCHA, or authentication requirements. This combination enables efficient offline brute-force attacks on video passwords. The vulnerability arises because video passwords are stored in plaintext, and the comparison in the API endpoint uses loose equality, making it susceptible to exploitation.

Impact

Exploitation of this vulnerability allows for the brute-forcing of passwords on any password-protected video, bypassing access controls and potentially exposing sensitive or restricted content. The absence of rate limiting enables attackers to test thousands of passwords per second.

Reproduction

To reproduce this vulnerability, first identify a password-protected video by checking its 'video_password' field. Once a video is confirmed to be password-protected, the 'get_api_video_password_is_correct' endpoint can be called with a guessed password. The response will indicate whether the password is correct. This process can be automated to test multiple passwords quickly, taking advantage of the lack of rate limiting.

Remediation

Users are advised to update to the latest version of WWBN AVideo, where this vulnerability has been patched. Instructions for updating can be found in the AVideo documentation.