VDB
KO
MEDIUM

GHSA-f5pf-q7c7-m3vv

Pixeldrain API key shared with unverified thirdparty sites

Details

### Summary

When processing Pixeldrain URLs, `cyberdrop-dl-patched` could send an `Authorization` header that includes the user's API key to unverified hosts.

### Details

Pixeldrain offers several alternative domains in case the user's ISP blocks the primary domain. To support this, requests made by `cyberdrop-dl-patched` are not hardcoded and will use the same host as the input URL for API requests.

`cyberdrop-dl-patched` matches URLs to a crawler based on their host. If the host contains a crawler's supported host as a sub-string, it will match to that crawler.

An URL from a malicious domain (ex: `https://evil-pixeldrain.com`) would successfully match to the Pixeldrain crawler and `cyberdrop-dl-patched` will blindly use that host for any API request (`https://evil-pixeldrain.com/api`), leaking the user's API key to the malicious actor via the `Authorization` header.

### Impact Anyone who has setup a Pixeldrain API key with `cyberdrop-dl-patched` and uses `cyberdrop-dl-patched` on sites that could spawn downloads for other sites (ex: forums, Wordpress, Pixeldrain itself, etc...)

### Patches `cyberdrop-dl-patched` v9.14.0 fixes this issue by rejecting any Pixedrain URL if the host does not match an official domain __exactly__.

### Workarounds It's recommended to upgrade `cyberdrop-dl-patched` to version v9.14.0

Anyone who has used a Pixeldrain API key with `cyberdrop-dl-patched` should consider them compromised and delete them from their Pixeldrain account.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / cyberdrop-dl-patched
Introduced in: 8.5.0 Fixed in: 9.14.0
Fix pip install --upgrade 'cyberdrop-dl-patched>=9.14.0'

References