OneUptime Unauthenticated Notification API Vulnerability Allows Twilio Phone Number Abuse

Vulnerability

A vulnerability exists in OneUptime, an open-source monitoring platform, prior to version 10.0.42. Multiple notification API endpoints are accessible without authentication, while similar endpoints in the codebase properly implement authorization. This vulnerability, combined with a leaked projectId from the public Status Page API, enables an unauthenticated attacker to purchase phone numbers on the victim's Twilio account and delete existing alerting numbers. The issue has been patched in version 10.0.42.

Impact

Exploitation of this vulnerability allows unauthorized purchases of phone numbers on a victim's Twilio account, with each number costing between $1 and $5, which could lead to financial abuse. Additionally, all owned phone numbers can be deleted, disrupting call-based incident alerting.

Reproduction

The vulnerability can be reproduced by sending a request to the OneUptime notification API endpoints related to phone numbers without authentication. The projectId required for these requests can be obtained from the public Status Page API, which exposes this information. Once the projectId is acquired, it can be used to purchase phone numbers through the vulnerable API endpoint and subsequently delete them, causing disruption to alerting services.

Remediation

Update to OneUptime version 10.0.42 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 8:25 PM
Updated: Apr 2, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 7.8
remediation:    0.0
relevance:      5.1
threat:         4.8
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.