DUPLICATE BUT STILL COOL

Plenum
Nov 5, 2018 · 2 min read

TL;DR: from low impact, to account takeover, to duplicate, here is the story of a cool bug I found on a private program at HackerOne.

The company redacted.com provided CRM services to its users. A user can sign up as an organization and then invite team members with either an admin role or a basic user role. The invitation process seemed OK at first: everything was being checked properly, the invitation link had a 32-byte alphanumeric token (NO WAY OF BRUTE-FORCING THAT), and the CSRF token was checked properly. It was all good until I found the first bug.

IDOR on resend invitation

An admin has the ability to view pending invitations and could also resend them. It seemed fine; the POST request was as follows:

POST /invitations/363484/resend HTTP/1.1
Host: bugbounty.redacted.com
Authorization: Bearer base64 token

The JSON response contained the email: {"status":"success","email":"email@example.com"}

The problem was that if you changed the invitation ID you could actually see invitations sent by other companies registered on redacted.com. After creating multiple invites I noticed that the invitation ID increments, which confirmed there was no need to brute force: simply use Intruder and increment/decrement the ID to disclose the invited emails of other companies.
This by itself is not that important, because we can't see any important information in the response except the email.

Chaining the first bug with a design flaw

Now the real fun started. I grabbed the email reflected in the response, then went on to register an account on redacted.com with it.
After signing up I got redirected to an HTML page which said:

Company X has invited you to join them, please use the link in the e-mail.
Click on resend invitation to receive the email again

I copied the resend invitation link on that page; it looked something like:

https://www.redacted.com/resend_invitation/TOKEN

I went over to check my email. It had the same link, except that instead of resend_invitation they used join, so the link was like:

https://www.redacted.com/join/TOKEN

So I went back to the tab, replaced resend_invitation with join and boom! I got in. An attacker could take over arbitrary accounts with this vulnerability simply by leveraging the first IDOR and signing up with every email that gets reflected back in the JSON response.
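As an added example (not the post's or the company's code), here is a minimal Python model of the two endpoints that shows the checks which would have closed both bugs: the resend handler scoped to the caller's organization and no longer echoing the email, and a separate token for the post-signup resend link so it cannot be swapped into /join. The IDs, emails, roles and in-memory store are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Invitation:
    id: int
    org_id: int
    email: str
    join_token: str    # secret: only ever delivered to the invitee's inbox
    resend_token: str  # shown on the post-signup page, so it must not grant access


@dataclass
class User:
    id: int
    org_id: int
    role: str          # "admin" or "user"


def _new_invite(inv_id, org_id, email):
    # Two independent random tokens: knowing one tells you nothing about the other
    return Invitation(inv_id, org_id, email,
                      secrets.token_urlsafe(32), secrets.token_urlsafe(32))


# Constructed sample data: two organizations, one pending invite each
INVITES = {363484: _new_invite(363484, 1, "alice@org1.example"),
           363485: _new_invite(363485, 2, "bob@org2.example")}


def resend_vulnerable(actor, invitation_id):
    """POST /invitations/<id>/resend as described: the owning org is never checked."""
    inv = INVITES.get(invitation_id)
    return {"status": "success", "email": inv.email} if inv else {"status": "error"}


def resend_fixed(actor, invitation_id):
    """Only an admin of the owning org may resend; unknown and foreign IDs look identical."""
    inv = INVITES.get(invitation_id)
    if inv is None or actor.role != "admin" or inv.org_id != actor.org_id:
        return {"status": "error"}
    return {"status": "success"}  # the caller already knows the email; don't echo it


def _lookup(token, attr):
    # Constant-time comparison against each stored token of the requested kind
    return next((i for i in INVITES.values()
                 if hmac.compare_digest(getattr(i, attr), token)), None)


def join(token):
    """GET /join/<token>: accepts join tokens only, so a pasted resend token is rejected."""
    inv = _lookup(token, "join_token")
    return inv.email if inv else None


def resend_from_signup_page(token):
    """GET /resend_invitation/<token>: re-mails the join link; returns the targeted email."""
    inv = _lookup(token, "resend_token")
    return inv.email if inv else None
```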

This was a duplicate report, but it was a cool one.
To the original reporter: if you are reading this, then well done ;)

Till next time,
Happy hunting everyone,

Plenum

InfoSec Write-ups