Edmodo Account Deactivation Vulnerability

Hi, I am Shankar R from Tirunelveli (India). I hope you are all doing well. I have been a security researcher for the last one year. Yes, I do bug bounty part-time, because I work as a Penetration Tester at Penetolabs Pvt Ltd (Chennai).

Thank you guys for appreciating my previous blog posts.

Here are my write-ups about Bug bounty, Bug Hunting Methodology (part-1), Bug Hunting Methodology (Part-2) & Bug Hunting Methodology (part-3). Kindly read the previous blogs if you missed them.

Bug

I have found a critical vulnerability on the edmodo domain, i.e. https://new.edmodo.com/settings, that lets a malicious attacker deactivate the victim's account without any user interaction, which leads to account deletion for genuine edmodo users.

Description:

Issue Identified:

  1. Improper validation of the JWT on the account deactivation endpoint at https://new.edmodo.com/settings
  2. CORS on https://api.edmodo.com/unregister?access_token=ACCESS_TOKEN, which bypasses the same-origin policy.

These two issues together allow the attacker to delete the account.

See the steps to reproduce below for more information.

Setup:

Create 2 user accounts (here I tested with the teacher account type)

User1 is the victim, who has Uid 11111111

User2 is the attacker, who has Uid 22222222

Steps to Reproduce:

1. Go to the following URL to delete the User2 (attacker) account: https://new.edmodo.com/settings

2. Then click the Deactivate your Account option as User2 (attacker).

3. It will ask you to enter the password of your (attacker) account.

4. Before entering the password and confirming the Deactivate option, make sure the traffic is intercepted by Burp Proxy.

5. Once step 4 is done, click the Deactivate button; this generates a POST request which looks like the one below.

6. Here I replaced the User ID value with User1's (i.e. the victim's). Then forward the request, which looks like below.

7. Then edmodo makes a request to api.edmodo.com with the JWT access token; the request looks like below.

8. The JWT can be decoded and modified with the help of this site: https://jwt.io/#debugger-io

Here we decode the attacker's (User2) token to modify the user ID into the victim's user ID, whose account we are going to deactivate.

9. We simply modify the User_Id parameter value in the JWT to the victim's User_ID (11111111).

10. Once the User_Id value is changed, we get a valid JWT access token with the victim's user ID. We now have a new access token, referred to as NEW_ACCESS_TOKEN_WITH_VICTIM_ID.

11. Then simply make the request to api.edmodo.com with the following HTTP method and endpoint: OPTIONS /unregister?access_token=NEW_ACCESS_TOKEN_WITH_VICTIM_ID

Here we can see a 200 OK response, but they have some extra protection on the deactivate endpoint for the user's account.

That is, when the same request as in step 11 is sent to the server as a POST request, with the POST parameter password set to the attacker's password,

it throws 500 Internal Server Error 😢😢😢

Then did you notice!! 😉😉😉

12. I modified the above request into the request below.

Finally I bypassed their protection using CORS headers.

Now both the attacker's and the victim's accounts are deactivated.

Here the attacker can deactivate multiple victims' accounts using Burp Repeater by sending the same request again and again with the other users' JWTs.
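The two root causes above (a JWT whose alg header and user ID claim are taken at face value, and a deactivation endpoint that acts on whatever user ID the token carries) point at what the server-side check should look like. The following is an added example, not Edmodo's code; the secret, the claim name user_id, the HS256 choice and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-hs256-secret"  # constructed; a real service keeps this in a secret store

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Mint an HS256 token; only the server holds `secret`, so only it can sign."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the claims only for an HS256 token with a valid MAC, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The algorithm is pinned server-side: a header claiming "none" (or anything
    # other than HS256) is rejected instead of being allowed to pick the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims

def authorize_unregister(token: str, session_user_id: int, secret: bytes = SERVER_SECRET) -> bool:
    """Deactivation is allowed only when the token verifies AND its user_id is the session owner's."""
    claims = verify_token(token, secret)
    return claims is not None and claims.get("user_id") == session_user_id
```

With the algorithm pinned and the user_id claim bound to the logged-in session, a token edited to carry another user's ID fails the MAC check, and a token without a signature never reaches the user-ID comparison at all.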

Impact:

The attacker can deactivate the victim's account without any user interaction.

Here the attacker does not need to find the victim's ID to exploit this bug in a real-world scenario. He can just brute-force the UserId, and the above steps will deactivate the victim's account.

Bounty or Swag??

After reporting this bug, they replied that it was not reproducible.

I have had experiences like this with other websites, but I can't believe they replied to me like that (I hope edmodo will not do that).

Anyway, I don't mind. Sharing is caring!!

Always chain low-hanging fruits with other bugs; it will improve the impact and severity.

Conclusion:

Don't forget to set the JWT's algorithm type to None, which can lead to finding severe bugs like this one.

Chain CORS with other bugs to improve the impact and severity.

Happy Hunting !! 😘😘😘

Special Thanks to Rahul Raj, Velayutham SelvaRaj, Sreeram KL, Ashish Kunwar, John Simon, Sai Naik

Thanks & Regards,

Shankar R