Hello everyone,
I’m Hossam Hamada, and today I would like to share with you one of my discoveries in a HackerOne program.
Let’s say: https://example.com
To start, I’d like to clarify a few things. The target platform provides a specific service for companies. For instance, if we consider a company “X” that uses the target’s service, a dedicated subdomain is created for the company under its name.
Now, let’s assume I am company “X” and I am subscribed to the service provided by the target. This means that I have my own subdomain, as shown: https://x.example.com
Typically, each company has multiple users within its team, and the team is divided into admin accounts and standard accounts.
I logged in using a standard account and navigated through the platform. I found a feature that allows creating folders, and inside these folders, files can be added. These files are often used for writing notes.
I attempted to create a folder and intercepted the request. After sending the request through Repeater, I examined the response. The response contained two interesting parameters: `_id` and `_parent_folder_id`. Both had different values.
This raised my curiosity, and I wondered why there were two different values. I suspected that the `_parent_folder_id` might refer to a main folder that holds all the folders created by the team members, given its name.
To verify my assumption, I created another folder and compared the response with the previous one. As expected, the value of `_id` in the second response was different from the first, while the value of `_parent_folder_id` remained the same in both responses.
This confirmed that `_parent_folder_id` refers to the main folder that contains all the folders created by the team members, while `_id` is unique to each folder.
Exploiting the Vulnerability
I then wondered what would happen if I attempted to delete the main folder. I decided to test this by intercepting the delete request of a folder I had created and replacing the `_id` of that folder with the value of `_parent_folder_id`, thus targeting the deletion of the main folder.
I sent the modified request, and it successfully deleted the main folder. As a result, all the folders created by the team were also deleted.
I won’t be including a screenshot of the response, as I am just explaining what I did. If I were to execute the action now, my test accounts would be disabled, and they wouldn’t be reactivated for several days.
I then attempted to create a new folder, but I was unable to do so, and an error message appeared.
At this point, I questioned whether this issue was isolated to my account or affected all accounts within the company. To test this, I logged out and attempted to log in with a different account. Surprisingly, I couldn’t log in, and an error message indicated that the email or password was incorrect.
I tried logging in with an admin account and faced the same issue. After logging out of the original account and attempting to log back in, I encountered the same problem.
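The root cause described above is a delete endpoint that trusts whatever folder id the client sends, so a standard user can point it at the company’s parent folder. The following is an added example, not the target’s code and not part of the original post: a toy model of the folder API with a hardened delete handler next to the vulnerable one. The folder ids, the tenant root id, the member names and the rule that a missing root folder breaks login are all constructed assumptions chosen to mirror the behaviour reported in the write-up.

```python
"""Toy model of a tenant-scoped folder API (constructed; not the target's code).
Folder ids, the root folder id and the member accounts are invented."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class PermissionDenied(Exception):
    """Raised by the hardened handler when the caller may not delete a folder."""


@dataclass
class Folder:
    id: str
    tenant: str
    owner: Optional[str]      # None for the tenant root folder
    parent_id: Optional[str]  # None for the tenant root folder


@dataclass
class Tenant:
    name: str
    root_id: str
    members: Dict[str, str]   # user -> role ("admin" | "standard")
    folders: Dict[str, Folder] = field(default_factory=dict)


def build_tenant() -> Tenant:
    # Constructed sample: company "x" with a root folder and one folder per member.
    t = Tenant("x", root_id="root-x", members={"alice": "standard", "bob": "admin"})
    t.folders["root-x"] = Folder("root-x", "x", None, None)
    t.folders["f1"] = Folder("f1", "x", "alice", "root-x")
    t.folders["f2"] = Folder("f2", "x", "bob", "root-x")
    return t


def _cascade_delete(t: Tenant, folder_id: str) -> None:
    # Deleting a folder removes everything beneath it, as the write-up observed.
    for child in [f for f in t.folders.values() if f.parent_id == folder_id]:
        _cascade_delete(t, child.id)
    del t.folders[folder_id]


def can_login(t: Tenant, user: str) -> bool:
    # Assumption modelling the reported symptom: once the root folder is gone,
    # every account in the company fails to log in.
    return user in t.members and t.root_id in t.folders


def delete_folder_vulnerable(t: Tenant, user: str, folder_id: str) -> None:
    # Only checks that the caller is a member, then trusts the client-supplied id.
    if user not in t.members or folder_id not in t.folders:
        raise KeyError(folder_id)
    _cascade_delete(t, folder_id)


def delete_folder_hardened(t: Tenant, user: str, folder_id: str) -> None:
    role = t.members.get(user)
    if role is None:
        raise PermissionDenied("not a member of this company")
    folder = t.folders.get(folder_id)
    if folder is None or folder.tenant != t.name:
        # Cross-tenant or unknown ids get the same "not found" as a missing folder.
        raise KeyError(folder_id)
    if folder.id == t.root_id:
        # The container that anchors the whole company is never deletable here.
        raise PermissionDenied("the company root folder cannot be deleted via this endpoint")
    if folder.owner != user and role != "admin":
        raise PermissionDenied("only the owner or an admin may delete this folder")
    _cascade_delete(t, folder_id)


def run_vulnerable_scenario() -> bool:
    """Standard user swaps _id for _parent_folder_id; returns whether the admin can still log in."""
    t = build_tenant()
    delete_folder_vulnerable(t, "alice", t.root_id)
    return can_login(t, "bob")


def run_hardened_scenario() -> Tuple[bool, bool, int]:
    """Same attempts against the hardened handler: (root blocked, other's folder blocked, folders left)."""
    t = build_tenant()
    try:
        delete_folder_hardened(t, "alice", t.root_id)
        root_blocked = False
    except PermissionDenied:
        root_blocked = True
    try:
        delete_folder_hardened(t, "alice", "f2")
        other_blocked = False
    except PermissionDenied:
        other_blocked = True
    delete_folder_hardened(t, "alice", "f1")  # deleting her own folder still works
    return root_blocked, other_blocked, len(t.folders)


if __name__ == "__main__":
    print("admin can log in after vulnerable delete:", run_vulnerable_scenario())
    print("hardened results:", run_hardened_scenario())
```

The hardened handler checks three things the vulnerable one skips: that the folder belongs to the caller’s company, that it is not the company root, and that the caller owns it or holds the admin role. Returning the same “not found” error for unknown and cross-tenant ids also keeps the endpoint from confirming which ids exist.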
Conclusion
This led to the conclusion that deleting the main folder deactivated every account within the company, admin accounts included.
The issue was reported and accepted as a medium severity vulnerability for the following reasons:
1. Requires an internal account: The attack can only be executed using an internal company account.
2. Limited to the specific company: The vulnerability affects only the specific company using the service, not all companies on the platform.
3. Quick fix: The issue can be easily resolved by restoring the main folder, which would reactivate the accounts. However, this does not imply that the vulnerability has been fixed, as the attacker can repeat the attack.
Thank you for Reading!
Happy Ethical Hacking ~