Bypassing the IPinfo API

Around October 2020, I was pretty active in the bug hunting community. And of course, I was hunting too, as a form of training and learning process. Around that time, my friend @pry0cc made a utility named ipi

As explained in the README file, this utility was based on the ipinfo.io API. IPinfo is a company providing trusted ASN and IP address data. Its usage is pretty simple: you purchase a subscription and then you use the API, along with the token they provide you when you subscribe.

# With Basic Auth
$ curl -u $TOKEN: ipinfo.io

# With Bearer token
$ curl -H "Authorization: Bearer $TOKEN" ipinfo.io

# With token query parameter
$ curl ipinfo.io?token=$TOKEN

There's also a widget on their website for everyone to test out the API.

This is the part where I thought: if the widget is not secure enough, then that's free IPinfo API, right? Well, after tweaking it, there were two problems with that:

There had to be a way to make a request to access the widget from the terminal
The widget was heavily rate-limited

The first issue was quite easy. All I had to do is to see how the request was made to the widget, so I can move it to my terminal.

Apparently, there is a /widget/[IP] endpoint, where anyone can make a request and get the IP data. Moving this from the browser to the terminal wasn't successful at the beginning