# AnySwap.net Report

Hi Anyswap team!

I found two security vulnerabilities in the API of anyswap.net (netapi.anyswap.net), and both have a High severity impact. The first one allows me to obtain access to users' private data, such as: E-mail, TGUser, Enode and the RPC URL. The second allows me to modify the node data of any user by knowing their wallet address (this can be found in the network tab on the anyswap website).

## 1. Disclosure of Users' Private Data

### Description

This vulnerability occurs because all the information about a user is sent to the main application when a POST request supplying the address of a registered user is sent to the endpoint `https://netapi.anyswap.net/nodes/dtils`.

The image below illustrates the request being sent with an invalid address:

![](https://i.imgur.com/elK99SD.png)

The next image shows the response returned by the API after sending the same request with a valid user:

![](https://i.imgur.com/dD6aIJZ.jpg)

As we can see above, the user's private information is also returned. It's important to mention that this behaviour also occurs when visiting the `/network` tab in anyswap; however, only the `Node Name, Owner, Node Type, Run Days, Version, Staking` and `Online` fields are used.

![](https://i.imgur.com/GBbd0Qd.png)

### Impact

Attackers can obtain access to this private information by sending requests to the `/nodes/dtils` API endpoint or simply by visiting the `/network` tab of the anyswap.net main application.

### Fix

It's recommended to return only the data that will be used by the application, such as the fields `Node Name, Owner, Node Type, Run Days, Version, Staking` and `Online`.

## 2. Modify users' node data due to lack of access control mechanism

### Description

This vulnerability has a bigger impact, as unauthenticated users can modify the entire data (`name, email, tguser` and `enode`) of a user.

This vulnerability exists because there is no access control mechanism of any kind to verify that the user performing the action is the same user whose data is being modified. To exploit this vulnerability, the attacker must have a valid MPCNode running in order to successfully change the data of a user (as the API asks for some valid response when fetching the RPC Node).

### Steps to Reproduce

For this scenario, the user `0xF97CCCe5a6686FE9AC10200140dE777b60Efc130` is the victim and will have their data changed by the anonymous attacker. I'm also using the same address of the MPC Node, however, with a new enode endpoint.

1. Create a new MPCNode.

2. Choose the victim. In this case, we can get their address in the `/network` tab at anyswap.net:

   ![](https://i.imgur.com/iDSfSyY.png)

3. When fetching the victim's current data we can see the following:

   ![](https://i.imgur.com/Q5NRe4T.png)

4. The attacker must now send the following request to modify the victim's data:

   ![](https://i.imgur.com/ShL7quk.png)

5. The image below illustrates the request with the modified data sent by the attacker. Here we can see the OK status, meaning the modification succeeded:

   ![](https://i.imgur.com/z2n0P1Y.png)

6. When requesting the victim's data again, we can confirm the modification:

   ![](https://i.imgur.com/DlYTd8T.png)

7. The same occurs on the `/network` tab in anyswap.net:

   ![](https://i.imgur.com/zGlTE4O.png)

### Impact

Attackers can use this vulnerability to modify the entire data of the nodes on anyswap, or use this information for phishing attacks, as they can control the TGUsername of the victim and use it to pass as the legitimate Node Owner.

### Fix

It's necessary to sign all the data via Metamask when updating/creating, to confirm that the modification was made by the user.
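
Both fixes above, sketched server-side as an added example (not Anyswap's code): the response is built from an allowlist, and an update is applied only when the recovered signer equals the node owner. The JSON field names, the signed-message format and the injected `recoverSigner` hook (in practice a wallet-signature recovery function such as ethers' `verifyMessage`) are assumptions.

```javascript
// Added example: field names, message format and recoverSigner are assumptions.
const PUBLIC_FIELDS = ["name", "owner", "nodeType", "runDays", "version", "staking", "online"];
const UPDATABLE_FIELDS = ["name", "email", "tguser", "enode"];

// Constructed sample record (not real data); keyed by lowercased owner address.
function sampleStore() {
  const owner = "0x" + "ab".repeat(20);
  return new Map([[owner, { owner, name: "node-1", nodeType: "MPC", runDays: 12,
    version: "1.0", staking: 0, online: true, email: "op@example.test",
    tguser: "@operator", enode: "enode://constructed", rpc: "http://10.0.0.5:8545" }]]);
}

// Fix 1: build the response from an allowlist, so private fields
// (email, tguser, enode, rpc) are never serialized.
function publicView(record) {
  const out = {};
  for (const f of PUBLIC_FIELDS) if (f in record) out[f] = record[f];
  return out;
}

// Canonical text the wallet signs: binds target, changes, nonce and expiry.
function updateMessage(address, changes, nonce, expires) {
  const body = JSON.stringify(Object.keys(changes).sort().map((k) => [k, String(changes[k])]));
  return `Update node ${address.toLowerCase()}\n${body}\nnonce=${nonce}\nexpires=${expires}`;
}

// Fix 2: apply an update only when the signature was made by the record's owner.
// recoverSigner(message, signature) -> address is an injected, hypothetical hook.
function applyUpdate(store, usedNonces, req, recoverSigner, now) {
  const record = store.get(String(req.address || "").toLowerCase());
  if (!record) return { ok: false, error: "unknown node" };
  const bad = Object.keys(req.changes).filter((k) => !UPDATABLE_FIELDS.includes(k));
  if (bad.length) return { ok: false, error: "field not updatable" };
  if (!(req.expires > now)) return { ok: false, error: "expired" };
  const nonceKey = `${record.owner}:${req.nonce}`;
  if (usedNonces.has(nonceKey)) return { ok: false, error: "replayed" };
  const msg = updateMessage(req.address, req.changes, req.nonce, req.expires);
  let signer;
  try { signer = recoverSigner(msg, req.signature); } catch { signer = null; }
  if (!signer || signer.toLowerCase() !== record.owner) {
    return { ok: false, error: "signer is not the node owner" };
  }
  usedNonces.add(nonceKey); // burn the nonce only after a valid signature
  Object.assign(record, req.changes);
  return { ok: true };
}
```

Knowing a victim's wallet address is no longer enough here: the request is rejected unless the signature over the exact change set recovers to that address, and a captured valid request cannot be replayed.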