Hey! Welcome to my first blog post. On this blog you can expect to see me ramble on about my research and findings, aswell as other peoples research and adding on where I can! I may ramble on a bit, but I hope you enjoy. If you have any questions or suggestions, please email me at d@daley.cc :)

How I owned the BBC with a simple misconfiguration due to human laziness

  • Target: BBC - Twitter Facebook Website
  • Vulnerability: Misconfiguration
  • Severity: 10
  • Status: Patched
  • Bounty (if applicable): $10 (Not joking - I wish I was)

Hey! Welcome to the first post on my blog, titled "How I owned the BBC with a simple misconfiguration due to human laziness". In this post I will run through, and explain how I managed to breach the BBC's developer portal and have full control of 2500 API's, ranging from mobile applications, to websites (including the news - bbc.co.uk & bbc.com) and all the way to the radio.

Enough rambling, let's jump into the post, shall we?!

It all started one day when I was bored, and as curious as always. I was taking part in some bug bounty programs the day before with my friend Derp, where we had managed to perform some subdomain takeovers. That being said, I decided to see if I could takeover any BBC subdomains.. I started by enumerating subdomains for bbc.co.uk by using a script coded by Ahmed Aboul-Ela (@aboul3la) called Sublist3r, which is publicly downloadable, here: https://github.com/aboul3la/Sublist3r.

With Sublist3r being an amazing script, it goes very in-depth regarding looking for subdomains - just to list a few things it does: it searches in public search engines such as Yahoo, Google, Bing etc.. and searches in DNSdumpster, Virustotal, ThreatCrowd & more. This being said, there was bound to be alot of results, so I just straight-up ran the list of 730~ bbc.co.uk subdomains through SubJack but I got no results. It was not possible to take over any of the domains - after realizing this, I decided I'd do some manual auditing, and try find vulnerabilities running on these sub-domains themselves.

What I did first was run the list of subdomains through a script made by my good friend Corben, called alive-host which is a simple bash script that uses nmap to verify whether a host is alive or not - doing this narrowed down what subdomains are alive, saving me from wasting a tonne of time trying to browse to dead subdomains.

After browsing quite a few of the sub-domains, I came across a few that were outputting errors in JSON. This got me intrigued. What were they doing? After some research of the error message below, I found out they were using a 3rd-party API management software & analytics predicter, named APIgee. I decided it was time to look deeper.

{"fault":{"faultstring":"Unable to identify proxy for host: default and url: \/v1\/","detail":{"errorcode":"messaging.adaptors.http.flow.ApplicationNotFound"}}}

I started fresh with all the sub-domains that were outputting these JSON errors. I searched and I searched, I scanned and I scanned, I waited and I waited.. nothing. I could find nothing vulnerable on these subdomains, they were running literally nothing. So, it was time to test the final sub-domain running this what seemed to be API management software - I ran tonnes of scripts, hoping to find something.. anything.. nothing. I stared at the error message again..

{"fault":{"faultstring":"Unable to identify proxy for host: default and url: \/v1\/","detail":{"errorcode":"messaging.adaptors.http.flow.ApplicationNotFound"}}}

What caught my eye was the following:

 default and url: \/v1\/

It would seem the server was configured to have a proxy run to the directory /v1/ - but this was not setup. This error intrigued me so I decided to browse to /v1/ to see what was displayed.. when I browsed to /v1/, the server replied with the following data:

[null,"Basic YXBpQGJiYy5jby51azpEVmM3VG5MSm9Z[REDACTED]="]

The data the server replied with is clearly a Base64 string which when decoded, is:


I said to myself: 'surely not'. I browsed to APIGee and tried logging in with the details.. what'd you know? The login was successful and I'm logged into the administrator account with control over all of the BBC's API's due to a simple misconfiguration, which I'm assuming came down to human laziness to setup a simple proxy. Due to this tiny misconfiguration caused by human laziness, thousands of employee developer's full names, personal email addresses, employee ID's, private products & applications and more were exposed.

Inside the dashboard:

I will not be talking about disclosure timeline

That's all for this post unfortunately! I know it was a bad post due to it not being very techincal nor showing off what I'm capable of but I thought it was worth blogging about regardless - a company this gigantic should not let this happen.

Until next time..