industry · 2026-05-24 · 13 min read

My own FCM token showed up in my browser history: the push-subscribe DELETE URL leak (PR #635 III F4)

Burak (@burakprivsec), a 33-year-old privacy engineer from Melikgazi, Kayseri, does GDPR Article 32 audit and enforcement on a fintech security team by day, and bug bounty plus responsible disclosure by night. One Friday evening he placed an order through the thMenu customer-facing PWA at his friend's place, Develi Kebap. He tapped the "order ready" push, then later opened Chrome history for something unrelated. With DevTools open, he scanned the history panel, and one entry caught his eye: **https://menu.thmenu.com/api/orders/abc123/push-subscribe?endpoint=https%3A%2F%2Ffcm.googleapis.com%2Ffcm%2Fsend%2FfHfA9N8...[180-char token]&session_id=ses_xyz**. "My Web Push endpoint is in my URL? A bearer-equivalent token..."

What a Web Push endpoint is: a unique URL served by FCM (Android/Chrome) or APNS (iOS Safari). Anyone who knows the URL can send a push to that specific browser with a VAPID-signed POST. FCM/APNS do not verify who is calling; knowing the URL is enough. Bearer-equivalent: the token is the authority.

Putting it in a URL query parameter opens three leak channels:

1. **Server-side access logs**: Cloudflare's 7-day default retention plus Logpush long-term storage.
2. **Referer header**: on cross-origin navigation the browser sends the source URL by default, and ad networks, analytics and third-party widgets can exfiltrate it.
3. **Browser history**: multi-user devices (shared family iPad, shared café computer, personal browsing on a work laptop), browser sync (Chrome/Firefox Sync) to the cloud, and the browser's history export feature.

Burak opened the code (thMenu is open source). In apps/web-menu/src/app/api/orders/[id]/push-subscribe/route.ts the DELETE handler read `const endpoint = req.nextUrl.searchParams.get("endpoint"); const sessionId = req.nextUrl.searchParams.get("session_id");`, i.e. query parameters. The sibling POST handler read `const body = await req.json(); const endpoint = body.endpoint;`, i.e. the JSON body. **Asymmetric design.** Burak wrote to security@thmenu.com with steps to reproduce, redacted screenshots and an exposure-window analysis. Engineering reproduced it in 30 minutes and rated the severity HIGH.
Git history: originally both POST and DELETE used the body; a mid-2025 maintenance commit had moved DELETE to the query string (rationale: "DELETE method body unconventional, older browsers"). RFC 9110 §9.3.5 says a "client SHOULD NOT generate content in a DELETE request", but the Fetch spec supports it, and CDN/proxy compatibility is there in 2026. A 90-day Cloudflare log query for the pattern endpoint=https%3A%2F%2Ffcm found **3,247 unique endpoint URLs exposed**, about 847 unique customer push subscriptions. Spear-phishing capability: an attacker holding a leaked endpoint + the thMenu VAPID public key + a custom payload gets a push with thMenu branding (e.g. "Your receipt has been issued, payment: bit.ly/phishing").

**PR #635 batch III F4** is a two-layer fix. **Layer 1**: the DELETE handler reads the body first as the canonical transport, with a query fallback for backward compatibility; endpoint.length is capped at 2000 chars, matching the POST sibling. **Layer 2**: retroactive Cloudflare log redaction (Logpush filter rule fcm.googleapis.com/fcm/send/[A-Za-z0-9_-]+ → REDACTED) plus a browser-history warning to customers (official Synaltix notice). The 90-day audit found 0 prior exploits; Burak was the first. HIGH severity + €500 via Wise + Hall of Fame + 1 year of the Pro tier.

Pattern: **bearer-equivalent tokens (Web Push endpoint, session ID, magic link, OAuth code, API key) NEVER go in a URL query parameter. Body or Authorization header. A URL has three leak channels: server-side logs + Referer + browser history.**

Implementation checklist:

1. POST and DELETE sibling transports SYMMETRIC.
2. Magic-link GET: single-use consume + invalidate + redirect.
3. Logpush filter rule for token redaction.
4. Referrer-Policy: strict-origin-when-cross-origin at minimum, no-referrer ideally.
5. history.replaceState() to strip the token from the address bar.
6. Quarterly URL grep audit for searchParams.get.
7. A leaked-log-file pentest scenario.

Sigrid's Stockholm Söder version, with Drottninggatan Pizza, follows the same flow.


thMenu Team

thmenu.com
