code100x Mobile API Authentication Bypass Vulnerability Allowing User Impersonation

An authentication bypass vulnerability has been identified in the code100x Mobile API, affecting versions through 90b489e. This vulnerability allows unauthenticated attackers to impersonate any user by sending a manipulated JSON payload in the 'g' HTTP header. The issue arises because the middleware fails to validate the Auth-Key header, enabling the injection of a fake user identity that is trusted by the mobile courses endpoint. As a result, attackers can gain unauthorized access to course data of any enrolled user or administrator.

Impact

Exploitation of this vulnerability allows for unauthorized access to course data by impersonating other users or administrators.

Reproduction

To reproduce this vulnerability, send a request to the mobile courses endpoint with a crafted 'g' header that includes a JSON payload spoofing the identity of an enrolled user or administrator. The request must also include an Auth-Key header, which the middleware will accept without validation, bypassing the normal authentication checks.

Remediation

The vulnerability has been addressed in the code100x repository. Users should update to the latest version.