IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo

Aagam shah
Aug 12, 2017 · 3 min read

Hello all,

Hope you are doing well. In this post I want to share my finding on Edmodo: how I was able to get the access tokens of users who had linked their account with Google Drive to add files from it. Let's get into it.

Basically, Edmodo is a platform for teachers and students, who can create groups there and perform various activities like assignments, quizzes, etc. So, recently I started looking for bugs in Edmodo, and after 2 days of searching I got my first one, which was a Stored XSS, but sadly it was a duplicate. But I was like...

Always remember this while finding bugs.

I took a fresh start and mapped the application again. I saw there was a new functionality added: students can add files directly from their Google Drive to their Backpack in Edmodo. I quickly followed the process of adding a file and captured all the requests in Burp. Now comes the issue.

I got to an API endpoint that checks whether the user has linked his/her account to Google Drive or not:

https://api.edmodo.com/omniauth_callbacks/sso_user_exists?provider=google&user_id=123456789&_=1501610351655&access_token=<Our access token here of edmodo>

So, by changing the value of the user_id parameter we can find out whether any given user has linked his/her account to Google Drive or not, which I did in bulk using Intruder.

User exists and Unix timestamp when they linked

As you can see, I got a lot of Edmodo user IDs of users who have linked their accounts to Google Drive.

Then I found another endpoint, which assigns an access token to a user:

https://api.edmodo.com/omniauth_callbacks/access_token?access_token=<our edmodo access token here>

This request sends two parameters, provider and user_id, in the POST body. I changed the user_id to one of the other users found using the previous endpoint, and it gave me back a valid access token for adding files as that other user.

So, it did not validate the user and simply returned the access token. I quickly reported this to Edmodo and after a day they rewarded me with a cool goodie pack. Edmodo also fixed the issue, and the endpoint now returns a Forbidden message.
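To make the bug and the fix concrete, here is an added illustration (not Edmodo's code; every handler name, token, user id and timestamp is assumed) modelling the two endpoints as Python functions: the vulnerable access_token handler authenticates the caller but trusts the user_id parameter, while the fixed handlers bind user_id to the identity behind the session token and answer 403 Forbidden otherwise, as the patched endpoint does.

```python
# Added example (not Edmodo's code): a minimal model of the two endpoints from
# the write-up, the IDOR in the access_token one, and the check that fixes it.
# Every token, user id and timestamp below is constructed for illustration.

# Constructed: edmodo access token -> edmodo user id of the logged-in caller
SESSIONS = {"edmodo-token-alice": 111, "edmodo-token-bob": 222}

# Constructed: edmodo user id -> (linked Google Drive token, unix time linked)
DRIVE_LINKS = {
    111: ("drive-token-alice", 1501610000),
    222: ("drive-token-bob", 1501610100),
}

def caller_from_token(access_token):
    """Map a session token to the authenticated edmodo user id (None if invalid)."""
    return SESSIONS.get(access_token)

def access_token_vulnerable(access_token, user_id):
    """Vulnerable: authenticates the caller but trusts user_id, so any logged-in
    user receives any other user's Drive token (the IDOR in the write-up)."""
    if caller_from_token(access_token) is None:
        return 401, "Unauthorized"
    link = DRIVE_LINKS.get(user_id)
    return (200, link[0]) if link else (404, "Not linked")

def authorize(access_token, user_id):
    """Object-level authorization: the requested user_id must be the caller.
    Returns (caller_id, None) on success or (None, (status, message)) on failure."""
    caller = caller_from_token(access_token)
    if caller is None:
        return None, (401, "Unauthorized")
    if user_id != caller:
        return None, (403, "Forbidden")  # the response Edmodo returns after the fix
    return caller, None

def access_token_fixed(access_token, user_id):
    """Fixed: only the caller's own Drive token can ever be returned."""
    caller, err = authorize(access_token, user_id)
    if err:
        return err
    link = DRIVE_LINKS.get(caller)
    return (200, link[0]) if link else (404, "Not linked")

def sso_user_exists_fixed(access_token, user_id):
    """Fixed: the linked-status check gets the same rule, closing the enumeration."""
    caller, err = authorize(access_token, user_id)
    if err:
        return err
    link = DRIVE_LINKS.get(caller)
    return 200, {"exists": link is not None, "linked_at": link[1] if link else None}
```

The same authorize helper guards both endpoints, so the user_id parameter becomes redundant with the session and can no longer select another user's record.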

Edmodo Goodies

Takeaways: As many other researchers advise, new features keep getting added, and they come with bugs too. That worked for me here. Do remember to check new features.

Hope you had a great time reading this. This was my first interesting find worth sharing. Your comments are always welcome, or you can DM me on Twitter. Have a good one. ☺️☺️

Written by Aagam shah, sorting out...🐞🐞🐞

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew