A Story of a $750 Broken Access Control
Check out this Broken Access Control writeup; it was accepted as P3 severity.
Hello folks, in this article I will explain one of my Broken Access Control reports.
What is Broken Access Control?
Access control enforces a policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.
Let's get started!! 😉
I found this bug on one of the Bugcrowd private programs, a product of HP.
I started by enumerating subdomains and picked a target at random; here I will call it “https://community.vulnwebapp.com/”.
I quickly created an account with their signup option, and after a few minutes of surfing and understanding the functionality, I identified that the application has an email-sending option, as it is a community-related discussion application.
I observed that the application uses some token in the URL to view the emails, like this.
To test the email functionality we need more than two email IDs, so I quickly created two more users. This time I logged in to the newly created account in a separate browser; let’s call this user User B. The first user will be User A.
In total we have created three users, don’t get confused now….
Hahaha….. Don’t worry…… You will easily understand in a while…
Imagine I logged in with User A in Chrome and User B in Firefox, and in both browsers I opened the email functionality.
I sent a small test email from User B → User A.
User B received the email that was sent by User A. Immediately I opened the email, copied the whole link of the email and pasted it into a separate notepad; it looks like this,
After that, I logged out from User B in Firefox and logged in as User C.
Again I went to the email box of User C and pasted the User B email link.
Boom !!!
I was able to see the User B emails.
That’s really cool..!!
But this was going to be P4, because the attacker needs to perform social engineering to get another user’s email link, so the attack complexity is high.
I didn’t stop here!
I started digging deep this time.
I observed that the email functionality requires a message token to open a message; if anyone gets that token, they can open the message from another user’s session.
So once a user sends an email to another user, the recipient is notified via Gmail with the email details and the link to the email.
I have a lot of experience with password token leakage attacks, so I applied the same scenario here: I found that the message token was leaking to a third-party domain.
Woooow. Now this will become P3.
Impact: Any user of the application can access another user’s email box on https://community.vulnwebapp.com. The only thing he/she needs is a Message token with the key assigned to it, and this token also leaks to a third-party domain.
This means that anyone with access to the third-party domain can easily read the email conversation, which affects the user’s privacy and leads to data breaches.
For better understanding, I’m writing more scenarios below:
Scenario 1:
Create two accounts, User A and User B. User A sends an email through the https://community.vulnwebapp.com application containing some sensitive company information to User B. Once User A sends the email, User B is notified via their actual email (Gmail), and the notification contains the Message link. The message link has its own token, which is leaked to third-party websites. Once a privileged user of the third-party website obtains the message token, he/she can access the emails exchanged between User A and User B. Here the attacker only needs one normal account; with it, he/she can read the entire email conversation of the victims.
Scenario 2:
The attacker needs to perform some social engineering or a MITM attack to obtain the Message token sent from User A to User B. Then the attacker can easily read the sensitive emails of User A and User B.
Note: In both scenarios, the application doesn’t validate the user (or attacker) who reads the emails. It only requires the Message token: whoever passes the Message token sent to User A or User B in the GET URL parameter can easily read the emails exchanged by the victims.
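To make the root cause concrete, here is an added example (my own illustration, not code from the affected application or from HP) of the two authorization models described above. `view_message_vulnerable` mirrors the reported behaviour: possession of the message token is the only check, so any logged-in user who obtains the token (via a leaked link or a third-party Referer) can read the message. `view_message_fixed` keeps the token as a locator but additionally requires the session user to be the sender or recipient, and `notification_page_headers` shows the response headers a defender would add so the token-bearing page does not leak its URL to third-party domains. The user names, message bodies and the in-memory store are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory message store: token -> Message. A real app would use a DB.
MESSAGES: dict = {}


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    # Unguessable token, as in the reported app; it is a locator, not proof of identity.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def send_message(sender: str, recipient: str, body: str) -> str:
    """Store a message and return the token that the notification email would link to."""
    msg = Message(sender, recipient, body)
    MESSAGES[msg.token] = msg
    return msg.token


def view_message_vulnerable(session_user, token: str):
    """Reported behaviour: authorizes by token only.

    session_user is ignored, so User C holding User B's link reads User B's mail.
    """
    msg = MESSAGES.get(token)
    return None if msg is None else msg.body


def view_message_fixed(session_user, token: str):
    """Hardened version: the token locates the message, the session decides access.

    Returns None (treat as 404 in a real handler, to avoid confirming tokens exist)
    unless the caller is a participant of the conversation.
    """
    if session_user is None:
        return None  # unauthenticated requests never see message content
    msg = MESSAGES.get(token)
    if msg is None or session_user not in (msg.sender, msg.recipient):
        return None
    return msg.body


def notification_page_headers() -> dict:
    """Headers for the page reached from the emailed link.

    no-referrer stops the browser from sending the token-bearing URL to third-party
    domains loaded from that page; no-store keeps it out of shared caches.
    """
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def reproduce_writeup():
    """Replays the three-user test from the writeup against both handlers."""
    token = send_message("userA", "userB", "quarterly numbers (constructed)")
    leaked_read = view_message_vulnerable("userC", token)  # User C with User B's link
    blocked_read = view_message_fixed("userC", token)
    legit_read = view_message_fixed("userB", token)
    return leaked_read, blocked_read, legit_read


if __name__ == "__main__":
    leaked, blocked, legit = reproduce_writeup()
    print("vulnerable handler, User C:", leaked)   # message body is exposed
    print("fixed handler, User C:", blocked)       # None
    print("fixed handler, User B:", legit)         # message body
```

The important design point is that a random token in a link is a *capability*: anyone who holds it can use it, and links are routinely leaked through Referer headers, mail forwarding and browser history. Tying the read to the authenticated session (or replacing the token with a plain message id plus the same participant check) removes the value of a leaked link, and the Referrer-Policy header closes the specific leakage channel the second finding relied on.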
That’s it for this write-up.
Happy Hacking 🥂🥂
Thanks for reading.
Please follow me for more writeups.