A Craigslist Early Notification Exploit
I wrote this post on November 23rd, 2020 when I reported the issue via Craigslist’s vulnerability disclosure process. I didn’t want to publish it until I confirmed the issue was fixed, but it appears to have been fixed on February 28th, 2021 so I am posting it now.
Someone reached out to me recently because of an issue they were having. They had evidence that people in their area were using automation to be able to access Craigslist postings before everyone else.
I knew that Craigslist index pages and search results only update every 15 minutes, so I interpreted this to mean that there was a way to get access to new postings in near real-time. This would mean you could potentially see postings almost instantaneously after they were posted and you wouldn’t need to wait for the index pages and search results to update; this would be a huge deal in competitive categories like used cars as it could give you up to a 15-minute advantage over other buyers.
How the Exploit Worked
I’ve always been someone who wonders how things work and so I was curious how this could be possible. I knew that Craigslist had launched a mobile app about a year ago, so I used a web debugging proxy to discover the new APIs associated with the mobile app.
I discovered 2 APIs that seemed interesting: sapi.craigslist.org and rapi.craigslist.org. The “sapi” API seemed to be used for getting search results while the “rapi” API or “Craigslist Customer API” was used to get posting details.
The interesting thing about the “rapi” API is it allowed you to get posting details and validate that a post exists simply by using the post ID. No other information about the post was needed. The other interesting thing is that posting IDs seem to be used globally across all Craigslist sites (at least across the US) and that the posting ID always increments as postings are made over time. This is an example of an Insecure Direct Object Reference or “IDOR” vulnerability.
Using this “rapi” API and the knowledge that posting IDs increment over time, it was possible to use automation to get near-real-time access to new postings. One way to do this would be an enumeration attack. An attacker can write a script to incrementally check post IDs using the “rapi” API. If the API returns a “200 OK”, they would know that the post exists; if it returns a 404, they would know it doesn’t. The script can then dial in the post ID accordingly to get a very accurate idea of what the most current up-to-the-minute post ID is. Then, simply by incrementing this by 1 and repeatedly checking for a “200 OK”, the attacker can get near-real-time access to postings as they come in.
From here, it’s quite easy to create alerts based on your specific area and search criteria that would allow you to be alerted before everyone else. I created a working test script to prove this out and my tests showed that it is indeed possible to get near-real-time alerts using this method. This means getting a nearly 15-minute advantage over even the best existing automated alerts that are based on search and index pages.
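The enumeration pattern described above leaves a distinctive trace on the server side: a single client requesting posting IDs in ascending order, with a large share of 404 responses, because most of the IDs it tries do not exist yet. The script below is an added example, not code from this post or from Craigslist: it runs a simple version of that check over a few constructed access-log lines. The log format, the `/posting/<id>` endpoint path, the client addresses and the thresholds are all assumptions made for illustration.

```python
"""Spotting sequential posting-ID probing in server access logs.

Added example, not Craigslist's code. The log format, endpoint path and
client addresses are constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format: <client> "GET /posting/<id>" <status>
LOG_RE = re.compile(r'^(?P<client>\S+) "GET /posting/(?P<pid>\d+)" (?P<status>\d{3})$')

# A scanner walks IDs upward in small steps; treat any step of 1..SEQ_STEP_WINDOW
# above the client's previous request as "sequential" (assumption).
SEQ_STEP_WINDOW = 10

# Constructed sample: 10.0.0.5 walks IDs one by one and mostly gets 404s,
# 192.0.2.10 opens scattered postings that all exist, 198.51.100.7 makes two requests.
SAMPLE_LOG = """\
10.0.0.5 "GET /posting/7240001001" 200
10.0.0.5 "GET /posting/7240001002" 404
10.0.0.5 "GET /posting/7240001003" 404
10.0.0.5 "GET /posting/7240001004" 200
10.0.0.5 "GET /posting/7240001005" 404
10.0.0.5 "GET /posting/7240001006" 404
10.0.0.5 "GET /posting/7240001007" 404
10.0.0.5 "GET /posting/7240001008" 200
192.0.2.10 "GET /posting/7239990112" 200
192.0.2.10 "GET /posting/7240000458" 200
192.0.2.10 "GET /posting/7239875003" 200
192.0.2.10 "GET /posting/7240000460" 200
192.0.2.10 "GET /posting/7239999999" 200
198.51.100.7 "GET /posting/7240000999" 200
198.51.100.7 "GET /posting/7240001000" 404
this line is deliberately malformed and must be skipped
"""


@dataclass
class ClientStats:
    total: int = 0
    not_found: int = 0
    sequential: int = 0              # requests whose ID is a small step above the previous one
    last_pid: Optional[int] = None

    @property
    def not_found_ratio(self) -> float:
        return self.not_found / self.total if self.total else 0.0

    @property
    def sequential_ratio(self) -> float:
        transitions = self.total - 1
        return self.sequential / transitions if transitions > 0 else 0.0


def parse_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (client, posting_id, status) or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("client"), int(m.group("pid")), int(m.group("status"))


def analyze(log_text: str) -> Dict[str, ClientStats]:
    """Accumulate per-client request counts, 404 counts and sequential-step counts."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, pid, status = parsed
        s = stats[client]
        s.total += 1
        if status == 404:
            s.not_found += 1
        if s.last_pid is not None and 0 < pid - s.last_pid <= SEQ_STEP_WINDOW:
            s.sequential += 1
        s.last_pid = pid
    return dict(stats)


def suspicious_clients(stats: Dict[str, ClientStats], min_requests: int = 5,
                       max_not_found_ratio: float = 0.5,
                       max_sequential_ratio: float = 0.6) -> List[str]:
    """Clients with enough requests whose 404 share or ascending-ID share is implausible for browsing."""
    flagged = []
    for client, s in stats.items():
        if s.total < min_requests:
            continue
        if s.not_found_ratio >= max_not_found_ratio or s.sequential_ratio >= max_sequential_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    per_client = analyze(SAMPLE_LOG)
    for client, s in per_client.items():
        print(f"{client}: {s.total} requests, {s.not_found} x 404, {s.sequential} sequential steps")
    print("suspicious:", suspicious_clients(per_client))
```

A real deployment would evaluate these ratios over a sliding time window and key on an account or API token rather than only an address, but the signal is the same: someone who browses the index only requests IDs that exist, and in no particular order.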
Early access to a post also allows someone to maliciously “flag” the post to make sure they are the only one who ever sees it. “Flagging” is a Craigslist community moderation feature where any user can identify postings they believe don’t comply with Craigslist’s posting rules. If a listing receives a sufficient number of flags, it will be automatically removed. This allows someone with early access to use automation (or a team of people) to automatically have postings removed so no one else can see them.
As an example, let’s say someone posts an ad for a “Toyota Tacoma”. A used car dealer running a script would be able to see the ad before everyone else, save off the post information, and then flag the post so that it’s removed before it even shows up in search results and index pages. Now, the dealer can take their time in setting up the purchase of the vehicle knowing that no one else will see the post. The dealer has effectively turned Craigslist into a buyer’s monopoly for good car deals in these areas. I’ve been told that this exact situation was happening in the “Cars & Trucks” category in LA, the Bay Area, and potentially many more areas and categories.
I submitted this to Craigslist last year and I was happy that they were very responsive to my disclosure. They fixed the vulnerability on February 28, 2021, and I was no longer able to use my script to get real-time access to new listings. I’ve not done enough research to know if other similar vulnerabilities still exist but I do know that the specific one I reported has been addressed.
In addition to this vulnerability, I also suggested that Craigslist look into other ways they can prevent future vulnerabilities like this, such as:
Implementing certificate pinning on their mobile apps. This effectively bakes the certificate into the app and makes it much harder to use a web debugging proxy to see API communication. It is still possible with jailbroken devices, but this would make it harder for many people to discover vulnerabilities like this.
Moving away from the existing incremental posting ID system entirely and using pseudo-random UUIDs instead. This would prevent the exploit I discussed from ever surfacing in another form again, as there would be no way to guess what the next posting ID will be based on currently known IDs.
Rethinking the fraudulent use cases of the flagging system. It might be smart to prevent a post from being flagged until it has legitimately shown up in the index pages or search results. Also, look into blocking specific IP addresses from flagging more postings than is reasonable (this may already be happening).
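Two of those suggestions, unpredictable posting IDs and refusing flags until a posting has actually been published, are straightforward to model. The Python below is an added example, not Craigslist's code: a toy PostingStore (every class, method and parameter name is an assumption) that can issue either sequential or UUID-based IDs, refuses flags on postings the periodic index refresh has not yet made visible, and caps how many flags one client may submit. next_id_guess_hit_rate shows why the last-ID-plus-one guess behind the exploit works against one ID scheme and not the other.

```python
"""Posting store with unpredictable IDs and gated flagging.

Added example, not Craigslist's code: a toy model of the server-side
mitigations suggested above. All names are assumptions.
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class FlagRejected(Exception):
    """Raised when a flag is refused by policy."""


@dataclass
class Posting:
    post_id: str
    title: str
    indexed: bool = False            # True once the periodic index/search refresh has published it
    removed: bool = False
    flaggers: Set[str] = field(default_factory=set)


class PostingStore:
    def __init__(self, id_scheme: str = "random",
                 max_flags_per_client: int = 3, flags_to_remove: int = 5):
        self.id_scheme = id_scheme
        self.max_flags_per_client = max_flags_per_client
        self.flags_to_remove = flags_to_remove
        self._postings: Dict[str, Posting] = {}
        self._next_seq = 7240001000  # constructed starting value for the sequential scheme
        self._flags_by_client: Dict[str, int] = {}

    def _new_id(self) -> str:
        if self.id_scheme == "sequential":
            self._next_seq += 1
            return str(self._next_seq)
        # uuid4 draws 122 random bits: knowing every existing ID says nothing about the next one.
        return str(uuid.uuid4())

    def create(self, title: str) -> Posting:
        p = Posting(post_id=self._new_id(), title=title)
        self._postings[p.post_id] = p
        return p

    def refresh_index(self) -> int:
        """Simulate the periodic index rebuild; returns how many postings became visible."""
        n = 0
        for p in self._postings.values():
            if not p.indexed and not p.removed:
                p.indexed = True
                n += 1
        return n

    def get(self, post_id: str) -> Optional[Posting]:
        p = self._postings.get(post_id)
        return None if p is None or p.removed else p

    def flag(self, post_id: str, client: str) -> Posting:
        p = self.get(post_id)
        if p is None:
            raise FlagRejected("no such posting")
        if not p.indexed:
            # The gate: nothing can be flagged before the public can see it.
            raise FlagRejected("posting not yet visible in index or search; flag refused")
        if client in p.flaggers:
            return p  # repeat flag from the same client is a no-op
        if self._flags_by_client.get(client, 0) >= self.max_flags_per_client:
            raise FlagRejected(f"client {client} exceeded flag limit")
        p.flaggers.add(client)
        self._flags_by_client[client] = self._flags_by_client.get(client, 0) + 1
        if len(p.flaggers) >= self.flags_to_remove:
            p.removed = True
        return p


def try_flag(store: PostingStore, post_id: str, client: str) -> Optional[str]:
    """Return None when the flag was accepted, otherwise the rejection reason."""
    try:
        store.flag(post_id, client)
        return None
    except FlagRejected as exc:
        return str(exc)


def next_id_guess_hit_rate(store: PostingStore, trials: int) -> float:
    """Create postings one at a time; before each, guess its ID as the previous ID plus one."""
    hits = 0
    last: Optional[str] = None
    for i in range(trials):
        p = store.create(f"posting {i}")
        if last is not None and last.isdigit() and str(int(last) + 1) == p.post_id:
            hits += 1
        last = p.post_id
    return hits / max(trials - 1, 1)


if __name__ == "__main__":
    print("sequential scheme, next-ID guess hit rate:",
          next_id_guess_hit_rate(PostingStore(id_scheme="sequential"), 20))
    print("random scheme, next-ID guess hit rate:",
          next_id_guess_hit_rate(PostingStore(), 20))
    store = PostingStore(flags_to_remove=2)
    tacoma = store.create("Toyota Tacoma")
    print("flag before index refresh:", try_flag(store, tacoma.post_id, "early-bird"))
    store.refresh_index()
    print("flag after index refresh:", try_flag(store, tacoma.post_id, "early-bird"))
```

The per-client cap here is a lifetime count, which is the simplest possible stand-in for the per-IP rate limiting suggested above; a production version would use a time window and an authenticated identity.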
Why The Exploit Worked
The technical piece of this exploit is just half the equation. The reason the vulnerability was valuable has to do with a concept in economics called information asymmetry. Used car dealers buy and sell cars every day and have a very good sense of the price that specific makes/models/years of cars will sell for in their area. The average person selling their car doesn’t have this information, which creates an imbalance of power in the market. The average person may not know that their vehicle’s specific make/model/year is selling for $4000 above the Kelley Blue Book price in their area (but the used car dealer certainly does).
The combination of early notification and flagging means that used car dealers can exploit this information imbalance in a big way. They can snatch up all the underpriced car listings on Craigslist for their area and prevent anyone else from ever seeing them. The average person selling their car would have no idea that they just sold it for $4000 less than it was worth to a used car dealer who happily showed up at their door.
One way to potentially improve this situation would be for Craigslist to offer location-specific pricing tools to help users price their cars more in line with market rates. This would help reduce the information imbalance that allows used car dealers to make money doing this in the first place. I’m sure Craigslist has a ton of car pricing data that they could potentially use to help users price their vehicles more accurately (they may already be working on this). For most of us, selling a vehicle is not something we do very often, so we could use some additional help. This might also help more people justify paying the $5 posting fee for selling a vehicle on Craigslist (or even be comfortable with paying more), as they would have more confidence they’d be getting a fair price.
I thought this was a good example of the repercussions of an “IDOR” vulnerability and how it can have real, negative effects on a market. Anything that allows a select few to have such a dramatic advantage over everyone else without their knowledge is a big deal and so I’m glad this issue was addressed.