$500 Access Control Bug: Performing Restricted Actions in Developer Settings as a Low-Level User


Abhi Sharma

Recently, I found an interesting bug during my testing that enables a supporter to carry out restricted actions within the developer settings, specifically tweaking notifications without proper authorization, in a private program. This issue sheds light on a loophole where a low-level actor or a restricted supporter can attempt to manipulate the application’s logic.

Understanding Target

ExamNote (a placeholder name for the bug bounty program) is a comprehensive platform designed to prioritize customer needs by offering an all-in-one solution for modern card issuer processing and program management. It empowers businesses to efficiently build and launch new revenue streams, providing a seamless experience for both businesses and their customers. In this context, the identified bug allowing unauthorized actions in the developer settings poses a potential risk.

The Bug

The bug I discovered in ExamNote is a flaw that enables a supporter or low-level actor to perform restricted actions in the developer settings. Specifically, it allows the user to change notifications without the necessary permissions.

This issue becomes significant because a user with lower privileges, like a supporter, can attempt to manipulate the application’s logic by creating notifications in the admin developer settings, even though they don’t have the required permissions.

Steps To Reproduce:-

1. Use the admin account to create a notification.

2. Capture the request made during the notification creation process and drop the request.

3. Switch to the supporter or user account and capture any request made.

The captured admin request looks like this:

POST /graphql HTTP/2
Host: api.us.test.examnote.com
Authorization: Bearer ------------

{"query":"mutation AddWebhookNotificationTarget($input: AddWebhookNotificationTargetInput!) {\n addWebhookNotificationTarget(input: $input) {\n __typename\n ... on WebhookNotificationTarget {\n id\n signingKeys {\n createdAt\n id\n secret\n }\n }\n ... on UserError {\n errors {\n path\n code\n description\n }\n }\n }\n}","variables":{"input":{"name":"hello","uri":"https://test.com","subscriptions":["ACH_EXTERNALLY_INITIATED_DEPOSIT_RECEIVED","ACH_EXTERNALLY_INITIATED_DEPOSIT_PROCESSED"]}}}

4. Replace the Authorization: Bearer token in the captured admin notification-setting request with the user/supporter’s Authorization: Bearer token.

5. Send the modified request.
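The root cause behind these steps is that the server authenticates the bearer token but never checks whether the caller's role is allowed to run the addWebhookNotificationTarget mutation. The following is an added example, not ExamNote's code, of a minimal mutation resolver in that vulnerable shape beside a hardened one that enforces the role check server-side and answers with the UserError shape (path, code, description) from the mutation above. The token values, roles, session table and permission table are constructed for the demo.

```python
# Added example (not ExamNote's code): the missing server-side role check behind
# a "replay the admin mutation with a lower-privileged token" access-control bug.
from dataclasses import dataclass, field

# Constructed session table: bearer token -> session. A real API would validate a
# JWT or look the token up in a session store; the point is what happens after that.
SESSIONS = {
    "admin-token-EXAMPLE": {"user": "alice", "role": "admin"},
    "supporter-token-EXAMPLE": {"user": "bob", "role": "supporter"},
}

# Assumption for the demo: only admins may manage webhook notification targets.
MUTATION_PERMISSIONS = {
    "addWebhookNotificationTarget": {"admin"},
}

# Variables copied from the mutation shown on the page.
VARIABLES = {"input": {"name": "hello", "uri": "https://test.com",
                       "subscriptions": ["ACH_EXTERNALLY_INITIATED_DEPOSIT_RECEIVED",
                                         "ACH_EXTERNALLY_INITIATED_DEPOSIT_PROCESSED"]}}


@dataclass
class Store:
    """In-memory stand-in for the notification-target table plus an audit log."""
    targets: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def user_error(path, code, description):
    # Mirrors the UserError selection in the page's mutation: errors { path code description }.
    return {"__typename": "UserError",
            "errors": [{"path": path, "code": code, "description": description}]}


def resolve_session(headers):
    """Return the session for a 'Bearer <token>' header, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def _create_target(session, variables, store):
    target = {"id": "wnt_%d" % (len(store.targets) + 1),
              "name": variables["input"]["name"],
              "uri": variables["input"]["uri"],
              "subscriptions": list(variables["input"]["subscriptions"]),
              "created_by": session["user"]}
    store.targets.append(target)
    return {"__typename": "WebhookNotificationTarget", "id": target["id"]}


def add_webhook_target_vulnerable(headers, variables, store):
    """Authenticates the caller but never checks the role: any valid token succeeds."""
    session = resolve_session(headers)
    if session is None:
        return user_error(["input"], "UNAUTHENTICATED", "missing or invalid token")
    return _create_target(session, variables, store)          # no authorization step


def add_webhook_target_hardened(headers, variables, store):
    """Same resolver with the role check enforced before any state change."""
    session = resolve_session(headers)
    if session is None:
        return user_error(["input"], "UNAUTHENTICATED", "missing or invalid token")
    allowed = MUTATION_PERMISSIONS["addWebhookNotificationTarget"]
    if session["role"] not in allowed:
        # Deny and record it: a supporter calling an admin-only mutation is the
        # exact signal a detection rule on the API gateway should alert on.
        store.audit.append({"user": session["user"], "role": session["role"],
                            "mutation": "addWebhookNotificationTarget", "outcome": "FORBIDDEN"})
        return user_error(["input"], "FORBIDDEN",
                          "role %r may not manage webhook notification targets" % session["role"])
    return _create_target(session, variables, store)


def demo():
    """Run both resolvers with the admin and the supporter token; return the outcomes."""
    supporter = {"Authorization": "Bearer supporter-token-EXAMPLE"}
    admin = {"Authorization": "Bearer admin-token-EXAMPLE"}
    vuln_store, hard_store = Store(), Store()
    return {
        "vulnerable_supporter": add_webhook_target_vulnerable(supporter, VARIABLES, vuln_store)["__typename"],
        "hardened_supporter": add_webhook_target_hardened(supporter, VARIABLES, hard_store)["__typename"],
        "hardened_admin": add_webhook_target_hardened(admin, VARIABLES, hard_store)["__typename"],
        "hardened_targets": len(hard_store.targets),
        "hardened_audit": len(hard_store.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the check lives in the resolver (or a shared authorization layer in front of it), keyed on the session's role rather than on anything the client sends, and it runs before the row is written; the UI hiding the developer-settings page from supporters is not a control. Logging the FORBIDDEN outcome gives the SOC a concrete event to alert on.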

The Bounty

The security vulnerability I identified in ExamNote was deemed significant, and as a recognition of its severity, the company awarded a bounty of $500 for the report. This underlines the importance placed on maintaining the integrity and security of their platform.

Takeaway

This discovery highlights the critical need for robust security measures in applications like ExamNote. The lesson here is clear: even seemingly minor issues can pose a substantial threat to a platform’s functionality and security. It emphasizes the importance of continuous vigilance from both security researchers and developers to ensure a resilient and secure user experience.

Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.

Find me on Twitter: @a13h1_

Keep Supporting, Keep Clapping, Keep Commenting.
