Summary
A vulnerability was identified in DIFY where normal users are able to access and modify APP orchestration, even though the web UI for APP orchestration is not presented to normal users. This access control flaw allows non-admin users to access and change the APPs without authorization.
APP orchestration in DIFY AI covers defining and managing the workflows, prompts, and integrations that make up an AI application. This orchestration is achieved through a visual interface and the use of Domain-Specific Language (DSL) YAML files, allowing developers to:
- Create and manage prompts: Design and refine the prompts that guide AI responses.
- Integrate various tools and services: Connect with APIs, databases, and other external services.
- Define workflows: Set up the sequence of operations and decision points within an AI application.
Affected endpoint
- /app/{app.id}/workflow
- /app/{app.id}/workflow/*
PoC
This access control flaw is not intended by the DIFY design: only admin users are meant to have access to APP orchestration (it appears only in their web UI), but a normal user was found to be able to access the APP orchestration and modify it.
- In the normal user Web UI, there is no Orchestration on the APP.
- The vulnerability was exploited to access the Orchestration of the APP.
- The normal user could even modify and publish the app.
Recommendation
To mitigate this issue, update the access control mechanisms to enforce stricter user role permissions. Normal users should not be able to access or modify the Orchestration of the APPs. Implement and review role-based access controls (RBAC) to ensure that only users with admin privileges can access the Orchestration of the APPs.
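A sketch of the server-side check this recommendation calls for, written as an added example rather than DIFY's own code: it denies the affected endpoint patterns to non-admin roles on every request, whatever the UI shows. The role names, sample app id and sub-paths are assumptions made up for the illustration.

```python
import posixpath
import re
from dataclasses import dataclass

# Patterns from the advisory's "Affected endpoint" list:
#   /app/{app.id}/workflow  and  /app/{app.id}/workflow/*
ORCHESTRATION = re.compile(r"^/app/[^/]+/workflow(/.*)?$")
# Assumption: role names are illustrative, not Dify's real role model.
ALLOWED_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class User:
    name: str
    role: str


def canonical(path):
    """Collapse duplicate slashes and dot segments so the policy matches
    the same path the router will eventually dispatch."""
    return posixpath.normpath(re.sub(r"/+", "/", path))


def authorize(user, method, path):
    """Server-side decision made on every request (reads and writes alike),
    independent of whatever the web UI chose to render for this user."""
    if user is None:
        return 401
    if ORCHESTRATION.match(canonical(path)) and user.role not in ALLOWED_ROLES:
        return 403
    return 200


def reachable_orchestration(routes, user):
    """Regression check: orchestration routes this user is allowed to call."""
    return [(m, p) for m, p in routes
            if ORCHESTRATION.match(canonical(p)) and authorize(user, m, p) == 200]


# Constructed sample data; sub-paths and app id are made up.
ROUTES = [("GET", "/app/1234/workflow"),
          ("POST", "/app/1234/workflow/draft"),
          ("POST", "/app/1234/workflow/publish"),
          ("GET", "/app/1234/overview")]
ADMIN, NORMAL = User("alice", "admin"), User("bob", "normal")

if __name__ == "__main__":
    for method, path in ROUTES:
        print(f"{method:4} {path:28} admin={authorize(ADMIN, method, path)} "
              f"normal={authorize(NORMAL, method, path)}")
    print("normal user can reach:", reachable_orchestration(ROUTES, NORMAL))
```

Running `reachable_orchestration` for each non-admin role in a test suite turns the hidden-UI assumption into an enforced, regression-tested rule.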
Impact
API Key Theft and Abuse: Unauthorized users can steal embedded API keys, such as those for OpenAI, DALL-E, StableDiffusion, and Judge0 CE, leading to misuse and potential financial loss due to unauthorized usage of paid services. A normal user could extract the OpenAI API key and use it to make large numbers of requests, incurring costs for the legitimate owner.
Application Misuse and Data Theft: Users can alter the application's logic to access restricted data, perform unauthorized actions, or exfiltrate sensitive information, for example by changing the workflow to bypass security checks or retrieve sensitive information from databases.
Service Disruption and Manipulation: Unauthorized modifications can disrupt service functionality, degrade performance, or introduce vulnerabilities, for example by altering prompts or workflows to introduce infinite loops or trigger excessive resource consumption.
Intellectual Property Theft: Users can export the application's DSL files and replicate proprietary logic or algorithms in their own projects. A competitor could steal a custom AI model's orchestration logic and use it to develop a competing product.
Further Analysis - Threat Research Information – Live Vulnerable Instances on The Internet
We performed threat research analysis on the internet to discover vulnerable live instances, using the HTTP response of the DIFY-AI application as an indicator. Based on OSINT results from Censys and Shodan, a total of 3894 instances were found to be publicly accessible on the internet. They are potentially vulnerable to the vulnerabilities that we reported. Performing active reconnaissance on the internet might uncover more instances.


Finder Credits:
Aden Yap Chuen Zhen, BAE Systems Digital Intelligence (Malaysia) (Github ID: zn9988)
Ali Radzali, BAE Systems Digital Intelligence (Malaysia) (Github ID: H0j3n)