inDriver Job - Admin Approval Bypass
Medium
inDrive
Submitted None
Team Summary
Official summary from inDrive
An authorization-malfunction vulnerability was found that allows an attacker to completely bypass the moderator's approval step within the vacancy or CV publishing process, giving the attacker the ability to publish any content, even content that contradicts the Terms of Use or general morals.
Reported by
mikejohnson_1
Vulnerability Details
Technical details and impact analysis
## Summary:
A vulnerability has been found in "inDriver Job", an application located at https://injob.indriver.com/, a platform that allows employers to **publish job offers** and candidates to sign up for them. It seems like the application has **heavy use**, with a plethora of job offers in many categories.
In the app, anyone can request to **create job offers**, but, to prevent spam, scamming and phishing, every job offer creation and edit **has to be approved by a site admin** before being published. This is essential, since it prevents the app from getting **flooded with scammers**.
The vulnerability discovered allows an attacker to **completely bypass** this approval step, allowing the publishing of arbitrary content.
## Technical Details:
On the last step of the job offer creation, the application makes a final `POST` request to `/api/graphql`, calling for `UpdateVacancyStatus`.
```
{"operationName":"UpdateVacancyStatus","variables":{"vacancyId":"█████","status":"MODERATION"}
...
```
Re-sending this request, but modifying the **"status" variable to "ACTIVE"**, bypasses the need for a moderator approval, **publishing the ad**.
## Video POC
██████████
## Steps To Reproduce:
*Note for Triager: A phone number is required for signup. To skip this step, I've attached my session cookies. Using these, you could reproduce the steps noted below.*
(Please see video for in-depth demo)
1. In employer mode, create a new job offer
2. Fill in the required fields
3. After the creation, the offer will appear as "Pending Approval"
4. In Burp Proxy, send the last "UpdateVacancyStatus" request to Repeater, modifying "status":"ACTIVE"
5. The arbitrary ad will now show up as "Active": it has been verified and published, and all users will be able to see it.
## Impact
An attacker can use this vulnerability to upload arbitrary content, for **scamming**, **malware** or even **advertising** purposes.
It is also possible to **flood the platform** with infinite offers, making it unusable for legitimate users.
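A server-side version of the check the report shows to be missing, added here as an illustration; it is not inDrive's code and not part of the report. The `UpdateVacancyStatus` name and the `MODERATION`/`ACTIVE` statuses come from the report; the role names, the other statuses, the store layout and the function names are assumptions. The point is that the status the client sends is only a request: the resolver derives the permitted transitions from the caller's role and the vacancy's current state, so a replayed request with `"status":"ACTIVE"` from an employer account is rejected rather than honoured.

```javascript
// Added example (hypothetical, not inDrive's code): enforce vacancy status
// transitions on the server instead of trusting the client-supplied status.

// Transitions each role may request, keyed by the vacancy's current status.
// An employer can only submit for moderation; only a moderator can publish.
const ALLOWED_TRANSITIONS = {
  employer: {
    DRAFT: new Set(['MODERATION']),
    REJECTED: new Set(['MODERATION']),
    ACTIVE: new Set(['MODERATION']), // editing a live ad sends it back to review
  },
  moderator: {
    MODERATION: new Set(['ACTIVE', 'REJECTED']),
    ACTIVE: new Set(['REJECTED']),
  },
};

class AuthorizationError extends Error {}

// In-memory stand-in for the vacancy table (constructed sample data).
function makeStore() {
  return new Map([
    ['v1', { id: 'v1', ownerId: 'emp-1', status: 'DRAFT' }],
    ['v2', { id: 'v2', ownerId: 'emp-1', status: 'MODERATION' }],
  ]);
}

// Resolver for the UpdateVacancyStatus mutation. `ctx` is the authenticated
// caller (taken from the session, never from request variables); `status`
// is the target state the client asked for.
function updateVacancyStatus(store, ctx, { vacancyId, status }) {
  const vacancy = store.get(vacancyId);
  if (!vacancy) throw new Error(`unknown vacancy ${vacancyId}`);

  // Ownership check: an employer may only touch their own vacancies.
  if (ctx.role === 'employer' && vacancy.ownerId !== ctx.userId) {
    throw new AuthorizationError('not the owner of this vacancy');
  }

  // Role- and state-based check: is this transition allowed for this caller?
  const allowed = ALLOWED_TRANSITIONS[ctx.role]?.[vacancy.status];
  if (!allowed || !allowed.has(status)) {
    // Rejected transitions are worth logging: an employer account repeatedly
    // asking for ACTIVE directly is a clear signal of tampering.
    console.warn(
      `rejected ${vacancy.status}->${status} by ${ctx.role} ${ctx.userId} on ${vacancyId}`
    );
    throw new AuthorizationError(
      `${ctx.role} may not change ${vacancy.status} to ${status}`
    );
  }

  vacancy.status = status;
  return { ...vacancy };
}
```

With this check in place the flow in the report stops at step 4: the resubmitted request with `"status":"ACTIVE"` returns an authorization error and the vacancy stays in `MODERATION` until a moderator acts on it.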
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Incorrect Authorization