Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

IDOR in API applications (able to see any API token, leads to account takeover)

Critical
A
Automattic
Submitted None
Actions:
View on HackerOne
Reported by bugra

Vulnerability Details

Technical details and impact analysis

Insecure Direct Object Reference (IDOR)
## Summary: Hi, @ehtis, thank you for the test account. Here is a critical report. :) On Pressable, we can create API applications at https://my.pressable.com/api/applications, and we can access many things using the API token via following the [API docs](https://my.pressable.com/documentation/api/v1) I created an API application and tried to update it, I saw this request : ████████ As you can see there is an `application[id]` parameter that contains the application ID. I changed it to my second account's application ID and that API app moved to my account. So, there is an IDOR but it doesn't have a great impact because it just removes the API application from the victim's account. So I tried to escalate its impact and I noticed if we remove all parameters except `application[id]` and `authenticity_token`, then send the request, the endpoint gives an error with `Name must be provided` and prints the given application ID's page. And, that page contains `Client ID` and `Client Secret`! With this information, the attacker can make many actions on the victim's account. (https://my.pressable.com/documentation/api/v1) ## Steps To Reproduce: 1. Go to https://my.pressable.com/api/applications and create an API app 1. Click on the application and turn on your proxy program 1. Click `Update` and you will send a POST request to `/api/applications` 1. In this request, change the `application%5Bid%5D` parameter's value to the target app ID, **then remove all parameters except `application%5Bid%5D` and `authenticity_token`** 1. The page will give an error and you will see the victim app's page which contains `Client ID` and `Client Secret` 1. Now, you can use these API credentials on the Pressable API. Notes: - API application IDs are sequential, so the attacker doesn't have to guess the IDs, s/he can access all applications - The impact is critical because we can access many things via the API, that includes the "collaborator" endpoint https://my.pressable.com/documentation/api/v1#collaborator-bulk-create ## Impact The attacker can access all API credentials using this vulnerability, and that leads to account takeover (via adding collaborator etc.) Regards, Bugra

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Insecure Direct Object Reference (IDOR)