heavenly's blog

software engineering, reverse engineering, and bug bounties

powered by hellish technology

cal.ai - 5m+ users?

published on september 8, 2025 • edited on september 19, 2025 • 187 views

in this post, i will explain how i found a data leak, rate-limit issues, and unprotected endpoints on cal.ai

tools used

postman, requestly

what happened?

a classic "forgot to ratelimit everything" and "left my user uid and profile photos bucket public" and "forgot to check bearer token"

bug tags

cwe-770 - no rate limiting on the scanimage endpoint, nor on any other endpoint (scanimage is probably the most resource heavy)
cwe-200 - ability to read other users' subscriptions through getsubscription (either that, or the email/userid keys are useless)
cwe-284 - in a lot of api calls, apikey does literally nothing; all the work is done on the bearer authorization

the action

my setup

usual setup, requestly, my phone, loaded up cal.ai

what i noticed

nothing too interesting. saw a bucket, skimmed it a bit, it wasn't public. looked through all the cool endpoints and found out i could submit invalid data to the scanimage endpoint to get an internal server error (boring). also found out i could spam the scanimage endpoint (interesting). this api generally took 1s+ to do its magic, so it's probably a resource-heavy api, and spamming it could cause issues for the rest of the users. in addition, removing apikey from requests changes nothing, so i'm not sure why they use it; the authentication is handled by bearer tokens.
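as an added example (my own code, not cal.ai's), this is what the missing server-side checks would look like: a gate in front of a scanimage-style handler that rejects a request missing either the apikey or the bearer token, and throttles each user with a per-user token bucket so one client can't monopolise the expensive endpoint. the header names, tokens, key and limits are constructed placeholders.

```python
from dataclasses import dataclass

# constructed stand-ins for the app's real credentials: bearer token -> user id,
# and the single api key the client is expected to send (placeholder value)
VALID_BEARERS = {"bearer-token-alice": "user-alice", "bearer-token-bob": "user-bob"}
EXPECTED_APIKEY = "example-apikey-placeholder"


@dataclass
class TokenBucket:
    """per-user bucket: `capacity` calls in a burst, refilled at `rate` tokens/second."""
    capacity: int
    rate: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        # refill proportionally to elapsed time, capped at capacity, then spend one token
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ScanImageGate:
    """authorization + throttling placed in front of the resource-heavy scanimage handler."""

    def __init__(self, capacity: int = 5, rate: float = 0.1):
        self.capacity, self.rate = capacity, rate
        self.buckets: dict[str, TokenBucket] = {}

    def handle(self, headers: dict, now: float) -> tuple[int, str]:
        # both credentials are enforced: a missing apikey is a 401, not a no-op
        if headers.get("apikey") != EXPECTED_APIKEY:
            return 401, "missing or invalid apikey"
        auth = headers.get("authorization", "")
        user = VALID_BEARERS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if user is None:
            return 401, "missing or invalid bearer token"
        # one bucket per authenticated user, created full on first use
        bucket = self.buckets.setdefault(user, TokenBucket(self.capacity, self.rate, self.capacity, now))
        if not bucket.allow(now):
            return 429, "rate limit exceeded for scanimage"
        return 200, f"scan accepted for {user}"  # the real (slow) scan would run here
```

the `now` parameter is injected so the throttling is deterministic to test; a real deployment would pass `time.monotonic()` and keep the buckets in shared storage rather than process memory.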

results

what i learned

my usual cwes are boring but somehow work often on a lot of bigger apps. i'm going to stop posting about ratelimit and other low-level posts because they aren't that interesting anymore.

bounty

$0.00 - emailed the owners, no response, doesn't seem to be a priority for them