The target is a web application that uses GraphQL as its API. Recently, the application added a new feature: service accounts. A service account is mainly used to create an API key that lets this app integrate with other applications.
While testing the service account's API key against the GraphQL endpoint, I found some interesting information when running the "me" query. The "me" query basically shows information about the current user.
The service account has an email address, and it uses a specific format: redacted-service-account-<org_id>@email.com
What would happen if I invited another user's service account email address to my organization?
A little note, based on my previous analysis: if we invite a non-registered user, the server creates that user in the database. This app also doesn't have a login feature with an email address; it must use OAuth from the "main" app.
Then I created this step-by-step attack scenario.
Step by Step
1. I create 2 accounts: account A as attacker and account B as victim.
2. I invite the victim's service account email address to the attacker's organization.
3. Using the victim account, I try to generate a service account, but it returns a database error: duplicate key violates unique constraint.

This confirms that I'm able to invite the victim's service account to the attacker's organization and prevent the victim from creating a service account API key, because the service account user already exists (shown by the duplicate error).
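The steps above, replayed as an added example that is not the target's code: an in-memory users table with a UNIQUE(email) constraint, the invite behaviour observed in the post (unknown address gets created), and a hypothetical hardened invite handler that refuses the reserved service-account address format and refuses to re-parent an address bound to another organization. The address pattern, org ids and function names are assumptions.

```python
import re
# Constructed stand-in for the format in the post: redacted-service-account-<org_id>@email.com
SERVICE_ACCOUNT_RE = re.compile(r"^redacted-service-account-[A-Za-z0-9]{32}@email\.com$")

class DuplicateKeyError(Exception): pass  # stands in for "duplicate key violates unique constraint"

class UserTable:
    """In-memory model of a users table with UNIQUE(email)."""
    def __init__(self):
        self.rows = {}  # email -> {"org_id": ..., "kind": ...}

    def insert(self, email, org_id, kind):
        if email in self.rows:
            raise DuplicateKeyError(f"duplicate key violates unique constraint: {email}")
        self.rows[email] = {"org_id": org_id, "kind": kind}

def invite_vulnerable(table, inviter_org, email):
    """Invite flow as observed in the post: an unregistered address is simply created."""
    if email not in table.rows:
        table.insert(email, inviter_org, "member")
    return "invited"

def invite_hardened(table, inviter_org, email):
    """Hypothetical fix: never accept reserved service-account addresses or re-parent others' users."""
    if SERVICE_ACCOUNT_RE.match(email):
        return "rejected: reserved service-account address"
    if email in table.rows and table.rows[email]["org_id"] != inviter_org:
        return "rejected: address belongs to another organization"
    if email not in table.rows:
        table.insert(email, inviter_org, "member")
    return "invited"

def create_service_account(table, org_id):
    """Service-account creation derives its address from the org id, as in the post."""
    email = f"redacted-service-account-{org_id}@email.com"
    table.insert(email, org_id, "service_account")
    return email

def scenario(invite):
    """Replay the post's steps with the given invite handler and return both outcomes."""
    attacker_org, victim_org = "a" * 32, "b" * 32  # constructed org ids
    table = UserTable()
    invite_result = invite(table, attacker_org, f"redacted-service-account-{victim_org}@email.com")
    try:
        create_service_account(table, victim_org)
        victim_result = "service account created"
    except DuplicateKeyError as exc:
        victim_result = str(exc)
    return {"invite": invite_result, "victim": victim_result}
```

`scenario(invite_vulnerable)` reproduces the duplicate-key failure for the victim, while `scenario(invite_hardened)` rejects the invite and lets the victim create its service account.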
Is that all? Not yet.
To make the attack actually work, we need to know another organization's id. The id is unguessable because it's 32 alphanumeric characters.
Fortunately, using an undisclosed technique and my little Python coding skill, I was able to write a Python script to automate and deliver the full proof of concept for obtaining another user's organization id.
Some script debug results (screenshot).

The CVSS scoring used HackerOne's CVSS 3.0 calculator with environmental metrics:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/CR:H/IR:H/AR:H

Final severity: Critical (9.7)