How I Exposed Information of Any Asana User Just by Sending him/her an Invitation.

Greetings Everyone,

Just like on any other day, I was testing a site named Asana. (Asana is a web and mobile application designed to help teams track their work. It was founded in 2008 by Facebook co-founder Dustin Moskovitz and ex-engineer Justin Rosenstein, who both worked on improving the productivity of employees at Facebook.)

While I was gathering information about Asana I came across a URL with this endpoint:
https://app.asana.com/api/1.0/users
After finding this, I thought, why not give it a try and see whether it exposes some user information.

So I simply registered an account in Asana and tried exposing my own information.
After visiting that URL, I got this result:

“My User ID and the Name.”

I copied the user ID and appended it to the endpoint I had found earlier, like this:
https://app.asana.com/api/1.0/users/440847655542808

And the Result was:

Now I had the user ID and the workspace ID as well.

Now let's try exposing other users' information. For that, I simply changed the user ID, but got an error:

But I didn't give up there. Something that caught my attention was that the Asana app had an option to invite other users to your team,
which looked like this:

So I created another account in Asana and sent an invitation to that account.

After that I checked the following URL again:
https://app.asana.com/api/1.0/users
And the result was:

I was amazed by the response.
This time I got two user IDs and two names of different users.
So I went a step further to see whether the information of the invited user could now be disclosed.

I simply appended the user ID of the invited user to the end of this URL:
https://app.asana.com/api/1.0/users/446935867915018

And Boom:

It worked. The invited user's email, user ID, and workspace ID were disclosed. That was enough for me to report it to the company, so I did. But after a couple of days, I got an unexpected reply from the company saying:

“We have examined your report and in fact this is an expected behaviour and not a security vulnerability.”

I was sad, but not much. I said to myself, “Why not give it another try?”

So I repeated the whole process again, but this time I was thinking a bit differently.
I thought: what if I send an invitation to any Asana user and he/she does not accept it? Would it still be possible to get his/her information?

Why not give it a try ;)

So I created two different accounts and sent an invitation from account 1 to account 2. But I didn't accept the invitation from account 2; I simply deleted the invitation message.
I was shocked when I saw the results:

I was still able to see the details of the invited user, even though the invitation had never been accepted. I was really happy that it worked, so I reported it to the company again.
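To make the access-control question concrete, here is a small model of the decision a user-lookup endpoint has to make. This is an added example written for this post, not Asana's code, and the user IDs, workspace IDs and emails in it are constructed. It assumes a workspace distinguishes accepted members from pending invitees; the `strict=False` branch reproduces the behaviour observed above (a pending invitation is enough to read the invitee's full record), while `strict=True` is the hardened rule a defender would want, where only an accepted shared membership grants visibility.

```python
"""Added example (not Asana's code): authorization check for a user lookup.

Models GET /users and GET /users/{gid} with two policies:
  strict=False  a pending invitation is treated like membership (the
                behaviour described in the writeup), so the invitee's
                email is disclosed to the inviter before any acceptance;
  strict=True   only an accepted shared workspace grants visibility, so
                a declined or ignored invitation discloses nothing.
All identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    gid: str
    name: str
    email: str


@dataclass
class Workspace:
    gid: str
    members: Set[str] = field(default_factory=set)  # accepted memberships
    pending: Set[str] = field(default_factory=set)  # invited, not yet accepted


# Constructed sample data: the inviter is a member of workspace 9001,
# the invitee only has a pending invitation to it, the stranger has no link.
USERS: Dict[str, User] = {
    "1001": User("1001", "Inviter", "inviter@example.test"),
    "1002": User("1002", "Invitee", "invitee@example.test"),
    "1003": User("1003", "Stranger", "stranger@example.test"),
}
WORKSPACES: Dict[str, Workspace] = {
    "9001": Workspace("9001", members={"1001"}, pending={"1002"}),
}


def shared_workspaces(caller_gid: str, target_gid: str, count_pending: bool) -> Set[str]:
    """Workspace gids where the caller is an accepted member and the target is
    an accepted member too, or (if count_pending) merely invited."""
    shared: Set[str] = set()
    for ws in WORKSPACES.values():
        if caller_gid not in ws.members:
            continue  # caller cannot see anything through a workspace it is not in
        pool = (ws.members | ws.pending) if count_pending else ws.members
        if target_gid in pool:
            shared.add(ws.gid)
    return shared


def get_user(caller_gid: str, target_gid: str, strict: bool = True) -> Optional[dict]:
    """Model of GET /users/{target_gid} issued by caller_gid.

    Returns the target's record with only the shared workspaces listed,
    or None when the caller is not allowed to see the target at all.
    """
    target = USERS.get(target_gid)
    if target is None:
        return None
    if caller_gid == target_gid:
        # A user always sees their own record and their own accepted workspaces.
        visible = {ws.gid for ws in WORKSPACES.values() if target_gid in ws.members}
    else:
        visible = shared_workspaces(caller_gid, target_gid, count_pending=not strict)
        if not visible:
            return None
    return {
        "gid": target.gid,
        "name": target.name,
        "email": target.email,
        "workspaces": sorted(visible),
    }


def list_users(caller_gid: str, strict: bool = True) -> List[str]:
    """Model of GET /users: gids of every user the caller may see."""
    result: List[str] = []
    for gid in sorted(USERS):
        if get_user(caller_gid, gid, strict) is not None:
            result.append(gid)
    return result


if __name__ == "__main__":
    # Inviter looking up the invitee before the invitation is accepted.
    print("naive :", get_user("1001", "1002", strict=False))
    print("strict:", get_user("1001", "1002", strict=True))
```

Under the naive policy the inviter's `/users` listing grows to two entries as soon as the invitation is sent, exactly as the screenshots above show, and the invitee's record is readable in full. Under the strict policy nothing about the invitee is exposed until the membership is actually accepted, and the invitee cannot see the inviter either.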

The reply I got from the company:

I was shocked that they didn't consider it a vulnerability, but I was happy that I had learnt something new.

Here's the video PoC:

https://www.youtube.com/watch?v=vTInz5MGU90

The purpose of this writeup is just to share knowledge. There are a lot of sites that accept such reports, but that depends on luck.

Special thanks to all the leets who share,
because “sharing is caring”.

So thank you, guys, for reading this writeup. If you enjoyed it, share it with your friends.

Best Regards,
Anees Khan