The website remote.bergcloud.com is used to communicate with the Little Printer; set up print subscriptions, send messages to the printer, give friends permission to send messages, and so on. I discovered an authentication/authorization bypass issue on this site which allows an owner of a Little Printer, as well as any user who has been authorized to print messages to at least one Little Printer, to print messages to any of the Little Printers out there – without prior authorization from the owners.
The HTTP POST which is sent when you message the Little Printer contains the following payload:
The field message[bot_id] contains the ID of the Little Printer, which is a sequential numeric identifier. Changing the ID allows a user to send a message to another Little Printer without being authorized by the owner. The user is also able to print messages without authenticity_token present in the payload.
After printing a message, the site will normally display a box saying Message sent. When printing to another Little Printer, without really having permission to do so, the site displays an error and it seems like printing was not successful. However, that’s not the case.