IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo

Hello all,

Hope you are doing well, in this post I want to share with you about my finding on Edmodo that How I was able to get access tokens of users who have linked their account with Google drive to add files from it, Lets get into it.

Basically, edmodo is a platform for Teachers and Students who can create a group there and perform various activities like assignments, quizzes etc. So, recently I started looking for bugs into edmodo after 2 days of searching I got my first one which was a Stored XSS, but sadly it got duplicate. But I was like.

Always remember this while finding bugs.

I took a fresh start and again done mapping the application. I saw there was a new functionality added which was that student can add files directly from their Google drive to their Backpack in edmodo. I quickly followed the process of adding a file and take all requests in Burp. Now comes the issue

I got to an API endpoint where it checks that if the user has linked his/her account to Google drive or not.

https://api.edmodo.com/omniauth_callbacks/sso_user_exists?provider=google&user_id=123456789&_=1501610351655&access_token=<Our access token here of edmodo>

So, by changing the value of user_id parameter we can get if the user has linked his/her account to Google drive or not, which I bulked using Intruder.

User exists and Unix timestamp when they linked

As you can see I got a lots of edmodo users id who have linked their accounts to google drive.

Now I got another endpoint which assigns access token to user which was.

https://api.edmodo.com/omniauth_callbacks/access_token?access_token=<our edmodo access token here>

So, this requests send two parameters provider and user_id as POST request, in which I changed the user_id to ones of other users found using previous endpoint. It gave me back a valid access token for file adding of another user.

So, it did not validated the user and returned the access token. I quickly reported this to Edmodo and after a day they rewarded me with a cool goodie pack. Also Edmodo fixed the issue and now it gives a Forbidden message.

Edmodo Goodies

Takeaways: According to many other researchers advice new feature always continues to get added and they have bugs also. This worked for me here. Do remember to check new features.

Hope, you have a great time reading this. This was my first Interesting find worth sharing. Your comments are always welcome or you can DM me on twitter. Have a good one. ☺️☺️