How Deep Recon help me to get critical Bug in Xiaomi


Hello all tech people, I am Muhammad Danial, a student of Cyber Security at the University of Derby and CEH v12 certified.

Introduction:

Xiaomi is a popular Chinese electronics company known for producing smartphones, laptops, and other consumer electronics. Recently, a bug was discovered on Xiaomi’s web servers where the Spring Actuator endpoints were publicly available.

Overview of the Bug:

The Spring Actuator is a set of APIs that provide information about an application’s health, performance, and other metrics. These APIs are typically used by developers and system administrators for monitoring and troubleshooting. However, in the case of Xiaomi’s web servers, these APIs were exposed to the public, allowing anyone with access to the server to view sensitive information about the application’s performance and configuration.

Shodan:

Shodan is a search engine designed to find devices that are connected to the Internet. Unlike traditional search engines like Google or Bing, which index web pages and websites, Shodan indexes information about Internet-connected devices, such as servers, routers, webcams, and IoT devices.

I used Shodan to find hidden Xiaomi assets to test.

I used these dorks: “http.html:mi.com” and “ssl:mi.com”

Then I found some web servers running “Spring Actuator”. I collected them and fuzzed their endpoints for sensitive directories. Then I found some cool endpoints which were disclosing sensitive information.

I reported this via HackerOne and they fixed this issue.

Potential Impacts:

The exposure of the Spring Actuator endpoints could potentially lead to various security risks, including:

Sensitive information disclosure: Attackers could gain access to sensitive information about the application’s configuration, such as database credentials, system properties, and environment variables.

Application vulnerability exploitation: Attackers could use the exposed APIs to gain insight into the application’s vulnerabilities and exploit them to gain unauthorized access to the server.

Denial of Service attacks: Attackers could use the exposed APIs to launch a Denial of Service attack on the application.

Recommendations:

To mitigate the risks associated with this bug, Xiaomi should take the following steps:

Secure the Spring Actuator endpoints: The exposed APIs should be secured by configuring the server to only allow authorized access to the APIs.

Apply regular software updates: Xiaomi should apply regular software updates to the server to ensure that any known vulnerabilities are patched.

Perform regular vulnerability assessments: Regular vulnerability assessments should be performed on the server to identify any potential vulnerabilities.
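One way to implement the first recommendation in a Spring Boot 3 / Spring Security 6 application, as an added example that is not Xiaomi's code or part of the report: expose only health and info over HTTP, and require an authenticated operator role for everything else under the actuator base path. The class name, the role name ACTUATOR_ADMIN and the property values shown in the comments are assumptions.

```java
// Added example (not from the report): restrict Spring Boot Actuator exposure.
// Requires spring-boot-starter-actuator and spring-boot-starter-security
// (Spring Boot 3.x / Spring Security 6.x APIs).
//
// Weak application.properties setting that publishes every endpoint
// (including /actuator/env and /actuator/heapdump) to anyone who can reach
// the server, with no authentication:
//   management.endpoints.web.exposure.include=*
//
// Hardened counterpart assumed alongside this class:
//   management.endpoints.web.exposure.include=health,info
//   management.endpoint.env.show-values=never   # if env must stay enabled
//   management.server.port=9090                 # keep actuator off the public port
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // This chain applies only to actuator endpoints, whatever base path or
    // management port they are served from, so it does not disturb the rest
    // of the application's security rules.
    @Bean
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Load balancers typically poll /actuator/health anonymously.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else (env, beans, mappings, ...) needs an
                // authenticated operator. ACTUATOR_ADMIN is an assumed role name.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this in place an unauthenticated request to /actuator/env returns 401 instead of the environment and properties dump described above, while /actuator/health stays reachable for monitoring.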

Conclusion:

In conclusion, the exposure of the Spring Actuator endpoints on Xiaomi’s web servers is a serious security risk that should be addressed as soon as possible. By following the recommended steps, Xiaomi can mitigate the risks associated with this bug and ensure the security of their web servers.
