All product data public available via API

[PaulBoss]

Steps to reproduce

1. Install Magento from develop branch.
2. Enable an integration
3. Use the following URL in your browser: http:///rest/V1/products?searchCriteria[pageSize]=10

Expected result

1. Authentication failed

Actual result

1. A reply with 10 products listed.
   

[fvschie]

Confirmed. Also shows hidden products, including future promotion prices and periods.

[gwillem]

Here's the full list of API methods for a standard install. Most seem to be behind ACL, except for products, storeConfigs etc.

[PaulBoss]

Here's a command to find all the endpoints which can be accessed without authentifcation: find . -name webapi.xml | xargs -i grep -B4 anonymous {} | grep url

Which results in this for a standard install:

<route url="/V1/store/storeViews" method="GET">
    <route url="/V1/store/storeGroups" method="GET">
    <route url="/V1/store/websites" method="GET">
    <route url="/V1/store/storeConfigs" method="GET">
    <route url="/V1/guest-carts/:cartId/gift-message" method="GET">
    <route url="/V1/guest-carts/:cartId/gift-message/:itemId" method="GET">
    <route url="/V1/guest-carts/:cartId/gift-message" method="POST">
    <route url="/V1/guest-carts/:cartId/gift-message/:itemId" method="POST">
    <route url="/V1/guest-carts/:cartId" method="GET">
    <route url="/V1/guest-carts" method="POST">
    <route url="/V1/guest-carts/:cartId" method="PUT">
    <route url="/V1/guest-carts/:cartId/order" method="PUT">
    <route url="/V1/guest-carts/:cartId/shipping-methods" method="GET">
    <route url="/V1/guest-carts/:cartId/estimate-shipping-methods" method="POST">
    <route url="/V1/guest-carts/:cartId/items" method="GET">
    <route url="/V1/guest-carts/:cartId/items" method="POST">
    <route url="/V1/guest-carts/:cartId/items/:itemId" method="PUT">
    <route url="/V1/guest-carts/:cartId/items/:itemId" method="DELETE">
    <route url="/V1/guest-carts/:cartId/selected-payment-method" method="GET">
    <route url="/V1/guest-carts/:cartId/selected-payment-method" method="PUT">
    <route url="/V1/guest-carts/:cartId/payment-methods" method="GET">
    <route url="/V1/guest-carts/:cartId/billing-address" method="GET">
    <route url="/V1/guest-carts/:cartId/billing-address" method="POST">
    <route url="/V1/guest-carts/:cartId/coupons" method="GET">
    <route url="/V1/guest-carts/:cartId/coupons/:couponCode" method="PUT">
    <route url="/V1/guest-carts/:cartId/coupons" method="DELETE">
    <route url="/V1/guest-carts/:cartId/collect-totals" method="PUT">
    <route url="/V1/guest-carts/:cartId/totals" method="GET">
    <route url="/V1/search" method="GET">
    <route url="/V1/customers" method="POST">
    <route url="/V1/customers/:customerId/password/resetLinkToken/:resetPasswordLinkToken" method="GET">
    <route url="/V1/customers/password" method="PUT">
    <route url="/V1/customers/isEmailAvailable" method="POST">
    <route url="/V1/configurable-products/:sku/children" method="GET">
    <route url="/V1/configurable-products/:sku/options/:id" method="GET">
    <route url="/V1/configurable-products/:sku/options/all" method="GET">
    <route url="/V1/guest-carts/:cartId/shipping-information" method="POST">
    <route url="/V1/guest-carts/:cartId/totals-information" method="POST">
    <route url="/V1/guest-carts/:cartId/payment-information" method="POST">
    <route url="/V1/guest-carts/:cartId/payment-information" method="GET">
    <route url="/V1/guest-carts/:cartId/set-payment-information" method="POST">
    <route url="/V1/integration/admin/token" method="POST">
    <route url="/V1/integration/customer/token" method="POST">
    <route method="GET" url="/V1/testmodule1/resource1/:itemId">
    <route url="/V1/products" method="GET">
    <route url="/V1/products/:sku" method="GET">
    <route url="/V1/products/attributes/:attributeCode" method="GET">
    <route url="/V1/products/types" method="GET">
    <route url="/V1/products/attribute-sets/sets/list" method="GET">
    <route url="/V1/products/attribute-sets/:attributeSetId" method="GET">
    <route url="/V1/products/attribute-sets/:attributeSetId/attributes" method="GET">
    <route url="/V1/products/attribute-sets/groups/list" method="GET">
    <route url="/V1/products/attributes/:attributeCode/options" method="GET">
    <route url="/V1/products/media/types/:attributeSetName" method="GET">
    <route url="/V1/products/:sku/media/:entryId" method="GET">
    <route url="/V1/products/:sku/media" method="GET">
    <route url="/V1/products/:sku/group-prices/:customerGroupId/tiers" method="GET">
    <route url="/V1/categories/:categoryId" method="GET">
    <route url="/V1/categories" method="GET">
    <route url="/V1/products/:sku/options" method="GET">
    <route url="/V1/products/:sku/options/:optionId" method="GET">
    <route url="/V1/products/links/types" method="GET">
    <route url="/V1/products/links/:type/attributes" method="GET">
    <route url="/V1/products/:sku/links/:type" method="GET">
    <route url="/V1/categories/:categoryId/products" method="GET">
    <route url="/V1/directory/currency" method="GET">
    <route url="/V1/directory/countries" method="GET">
    <route url="/V1/directory/countries/:countryId" method="GET">
    <route url="/V1/stockStatuses/:productSku" method="GET">

So in short:

• All websites, storegroups, stores and store configuration
• All products (including offline/disabled products, pricing info, special pricing rules, stock information and configuration (!), special pricing info per customer group, etc, e.g. ALL product information, which is a lot more then what is normally visible on the site)
• Possible to bruteforce admin users & passwords via /V1/integration/admin/token (so the random generated admin URL is pretty mood for this case..) (this call is not rate limited)
• The brute forcing is also possible for registered customers via /V1/integration/customer/token

Or am I being too pessimistic here?

[fvschie]

Pretty major security problem, not assigned yet. Any update?

[sshrewz]

Thanks for reporting this issue. We have created MAGETWO-50611 and MAGETWO-50608 tickets internally.

[PaulBoss]

I see the issues are fixed in CE 2.0.3. Thank you for fixing this in a relative short time span.

[KrystynaKabannyk]

Hello @PaulBoss, yes, as you see the issue is fixed now. Thanks for finding and reporting the issue!