Accessing Data in an Unsecured Manner


#1

I have been messing around with trying to get data to make meaningful “product pages”. After stepping through the code in “bolt_graph.js” I’ve found a pretty easy way to get tabular data back via JSON. It looks like there is an internal undocumented API. I decided to query this for a bit just to mess with the data in a way that allowed me to deal directly with the JSON.

Anyhow, I got curious and decided to mess with some of the parameters in the call. I came to find out that I could use any device id to get data. Just changing the ids by hand I was able to get back various test data. I thought maybe that was because there was some authorization as to what I could query. I tried querying from an incognito environment where there was no active session. I was able to get data back for my project! I was also able to get metadata back about the project!

If my assumptions hold true I could write a simple script that would go through various bolt IDs and try to get meta-data. This could expose all developers’ project data externally.

While I feel that the API that was discovered would be great for use by developers, I feel that, regardless of its use, it needs to be secured. An API key needs to be passed or a session token needs to be sent (bearer or something).

I just wanted to bring this to everyone’s attention.

Thanks!

EDIT and UPDATE:

It looks like a lot of debug data is emitted via the console.

I really like the idea of the method I found. I could build my own graphs etc. I could use a charting framework that I like (amCharts). However, I can confirm I’ve been able to find data on other bolt devices using different device ids without being authenticated.


#2

@mikejr83
Apologies for the delay in responding. Firstly, thank you for pointing out the issue. Our team has fixed the issue. Now the API is secured. Appreciate the feedback and the suggestions. I agree with you that we can pass the API key or the session variable. For now the API requires the user to be logged in. Also, if the device parameters passed do not match with your account then it throws an access denied error. This is an internal API. We will be exposing a similar API via the Bolt remote APIs soon so that you could use your API key and access the device data in a similar fashion. You can try it out and let us know if you still find any issues.
Thank you so much again for sharing about the issue. We would also love to see some of your projects and the graphs that you have built in case you can share them with us. 🙂
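The endpoint behaviour the two posts describe, as an added example that is neither the forum poster's code nor Bolt's: a handler that returns graph data for whatever device id it is given (the state reported in post #1) beside a handler that first requires a session and then checks, server-side, that the device belongs to the session's user (the fix described in post #2). The device ids, session ids, user ids and readings are constructed placeholders; Bolt's real endpoint names and parameters are not used. A small log check at the end shows how a run of access-denied responses across many device ids from one session, the pattern post #1 worries about, can be flagged.

```javascript
// Added example, not from the forum thread or from Bolt. Pure functions, so
// it runs under plain Node without a web framework.

// Constructed sample data: which user owns which device, and some readings.
const DEVICE_OWNER = {
  BOLT1001: "user-a",
  BOLT1002: "user-a",
  BOLT2001: "user-b",
};

const DEVICE_DATA = {
  BOLT1001: [{ t: "2020-01-01T00:00:00Z", value: 21.5 }],
  BOLT1002: [{ t: "2020-01-01T00:00:00Z", value: 19.0 }],
  BOLT2001: [{ t: "2020-01-01T00:00:00Z", value: 23.1 }],
};

// Constructed session store: session id -> user id. No entry means no login.
const SESSIONS = {
  "sess-a": "user-a",
  "sess-b": "user-b",
};

// "Before": the behaviour post #1 reports. Only the device id is consulted,
// so any caller, with or without a session, receives any device's data.
function graphDataUnsecured(req) {
  const deviceId = req.query.deviceId;
  const rows = DEVICE_DATA[deviceId];
  if (!rows) return { status: 404, body: { error: "no such device" } };
  return { status: 200, body: { deviceId, rows } };
}

// "After": the behaviour post #2 describes. A valid session is required, and
// the device must belong to that session's user. The ownership check uses the
// user id looked up from the session, never a user id supplied by the client.
function graphDataSecured(req) {
  const userId = SESSIONS[req.sessionId];
  if (!userId) {
    return { status: 401, body: { error: "login required" } };
  }
  const deviceId = req.query.deviceId;
  const owner = DEVICE_OWNER[deviceId];
  // Unknown and foreign devices get the same answer, so the response does
  // not reveal which device ids exist.
  if (owner !== userId) {
    return { status: 403, body: { error: "access denied" } };
  }
  return { status: 200, body: { deviceId, rows: DEVICE_DATA[deviceId] } };
}

// Run requests through the secured handler and keep a minimal access log
// entry per request, as a server would.
function recordRequests(requests) {
  return requests.map((req) => ({
    sessionId: req.sessionId,
    deviceId: req.query.deviceId,
    status: graphDataSecured(req).status,
  }));
}

// Detection: sessions that were denied on at least `threshold` distinct
// device ids. Legitimate dashboard use touches a user's own few devices;
// many 403s over many ids from one session is worth an alert.
function flagEnumeration(log, threshold = 5) {
  const denied = new Map();
  for (const entry of log) {
    if (entry.status !== 403) continue;
    if (!denied.has(entry.sessionId)) denied.set(entry.sessionId, new Set());
    denied.get(entry.sessionId).add(entry.deviceId);
  }
  const flagged = [];
  for (const [sessionId, ids] of denied) {
    if (ids.size >= threshold) flagged.push(sessionId);
  }
  return flagged;
}

// Stand-alone demo.
const anonymous = { sessionId: undefined, query: { deviceId: "BOLT2001" } };
console.log("unsecured, no session:", graphDataUnsecured(anonymous).status); // 200
console.log("secured, no session:", graphDataSecured(anonymous).status); // 401
```

The key design point is that `graphDataSecured` derives the user from the server-side session and compares it with the server-side owner record; the client supplies only the device id, and neither an absent session nor a mismatched owner yields any data.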

