Indeed : Add Introduction video of any Job of any Employer on Indeed [ IDOR ] worth 2500$

 Company Information : 



Indeed, Inc. is an American worldwide employment website for job listings, launched in November 2004. It is a subsidiary of Japan's Recruit Holdings and is co-headquartered in Austin, Texas, and Stamford, Connecticut, with additional offices around the world.



Bug Category : 
Insecure direct object reference (IDOR) :
Insecure direct object reference is a type of access control vulnerability. It occurs when a web application or API takes an identifier supplied by the client and uses it to access an object in an internal database directly, without checking that the caller is authenticated and authorised to act on that particular object.



Target Information :

https://evaluate.indeed.com



Technical Details of the Bug : 

Overview of the Vulnerability

Depending on where the IDOR sits within an application, an attacker could perform the following actions:

  • Perform unauthorized operations, such as escalating their privileges within the application, or forcing a password change on another user's account in order to take over that account.
  • Gain direct access to objects or files and manipulate them, such as uploading, downloading, adding, or deleting data, including other users' data.

Description :

On Indeed any employer can post a job. On the domain https://evaluate.indeed.com there is an option to add an introduction video, in which the employer can talk about the company, the job, and so on.
The flow for adding this video to a job is vulnerable to an IDOR attack: it is possible to add or update the introduction video of any job on Indeed.

Technical Flow :

First Request :

https://evaluate.indeed.com/create-evi-and-redirect/[Public_Job_ID]

In the above request the Public_Job_ID path parameter is the vulnerable object reference. The endpoint creates the video-introduction entry for whatever job ID is supplied; it never checks that the employer account making the request actually owns that job.
After this request the server redirects you to https://avi.indeed.com/go/[UUID], where you can upload a video.

How to get a Job ID :

The job ID is public and is shared through the invitation link.
Go to https://evaluate.indeed.com --> Settings --> Invitation settings and copy the shareable invitation link.
The Public Job ID is part of that invitation link. The same ID is also present in the source code of the job application page.

The impact here is serious. First, the attack can be carried out against any job on Indeed without the owner's knowledge.
Second, because the job ID is public, the IDOR can be exploited remotely without any user interaction.
Any attacker can therefore upload a malicious video containing inappropriate or harmful content about the company and the job.

Steps to Reproduce:

1. Log in to the victim account on https://employers.indeed.com/.
2. This account needs to be fully verified, so that your job is public and is not paused or flagged by Indeed.
3. Post a new job with all details.
4. Now go to https://evaluate.indeed.com/; your job will appear here.
5. Here you will see the option to add an intro video.
6. When you click the add video option, the request below is sent.

https://evaluate.indeed.com/create-evi-and-redirect/[Public_Job_ID]

7. Drop the request and do not upload anything.
8. Now log in to the attacker account.
9. Copy the link from step 6 (with the victim's Public_Job_ID) and open it from the attacker account.
10. You will notice that the attacker is given access to the upload URL.
11. Now upload the video from the attacker account.
Note: it takes 10-15 minutes for the video to show once you upload it.
12. Now verify it from the victim account.
13. When you apply for this job from a job seeker account, this video is shown at the end, after you submit your resume.
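To make the missing check concrete, here is an added Python model of the create-evi-and-redirect flow and of the two-account reproduction above. It is example code written for this page, not code from the report or from Indeed; the in-memory EviService class, the job and session field names, the constructed account names and job ID format, and the exact shape of the avi.indeed.com redirect are all assumptions used to illustrate the vulnerable handler beside a fixed one that resolves the job through the caller's ownership.

```python
"""Model of an IDOR in a create-and-redirect endpoint (vulnerable vs. fixed).

Added example, not Indeed's code. Class, field and account names and the
ID/URL formats are assumptions chosen to illustrate the missing ownership check.
"""
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the job."""


@dataclass
class Job:
    public_job_id: str                 # public: in invitation links and page source
    owner_account: str                 # employer account that posted the job
    intro_video: Optional[str] = None  # assumed field holding the uploaded video


class EviService:
    """In-memory stand-in for the job / video-introduction store (assumed)."""

    def __init__(self) -> None:
        self.jobs: Dict[str, Job] = {}
        # upload UUID -> (public_job_id, account that opened the session)
        self.evi_sessions: Dict[str, Tuple[str, str]] = {}

    def post_job(self, owner_account: str) -> str:
        public_job_id = "job-" + uuid.uuid4().hex[:12]   # constructed ID format
        self.jobs[public_job_id] = Job(public_job_id, owner_account)
        return public_job_id

    def _open_session(self, public_job_id: str, account: str) -> str:
        upload_id = str(uuid.uuid4())
        self.evi_sessions[upload_id] = (public_job_id, account)
        return "https://avi.indeed.com/go/" + upload_id

    # --- vulnerable: caller is logged in, but ownership is never checked ----
    def create_evi_and_redirect_vulnerable(self, account: str, public_job_id: str) -> str:
        if public_job_id not in self.jobs:
            raise KeyError("no such job")
        # The only question asked is "does the job exist?"; any logged-in
        # employer who knows the public ID gets an upload session for it.
        return self._open_session(public_job_id, account)

    # --- fixed: resolve the job *through* the caller's ownership --------------
    def create_evi_and_redirect_fixed(self, account: str, public_job_id: str) -> str:
        job = self.jobs.get(public_job_id)
        # Same response for "not yours" and "does not exist", so the endpoint
        # cannot be used to confirm which public IDs are live.
        if job is None or job.owner_account != account:
            raise Forbidden("job not found for this account")
        return self._open_session(public_job_id, account)

    def upload_video(self, account: str, redirect_url: str, video_ref: str) -> Job:
        upload_id = redirect_url.rsplit("/", 1)[1]
        public_job_id, session_owner = self.evi_sessions[upload_id]
        # Bind the upload session to the account that opened it, so a copied
        # avi.indeed.com link cannot be completed from a different login.
        if session_owner != account:
            raise Forbidden("upload session belongs to another account")
        job = self.jobs[public_job_id]
        job.intro_video = video_ref
        return job


Handler = Callable[[EviService, str, str], str]


def two_account_idor_check(handler: Handler) -> bool:
    """Replay the report's reproduction steps against one handler.

    The victim posts a job; the attacker, logged into a separate account, calls
    the create-evi endpoint with the victim's public job ID and then uploads.
    Returns True if the attacker's video ends up attached to the victim's job.
    """
    svc = EviService()
    victim, attacker = "victim@example.com", "attacker@example.com"  # constructed
    victim_job = svc.post_job(victim)
    try:
        url = handler(svc, attacker, victim_job)
        svc.upload_video(attacker, url, "attacker-intro.mp4")
    except Forbidden:
        return False
    return svc.jobs[victim_job].intro_video == "attacker-intro.mp4"


def owner_can_still_upload(handler: Handler) -> bool:
    """Regression check: the fix must not block the legitimate owner."""
    svc = EviService()
    owner = "employer@example.com"  # constructed
    job = svc.post_job(owner)
    svc.upload_video(owner, handler(svc, owner, job), "company-intro.mp4")
    return svc.jobs[job].intro_video == "company-intro.mp4"


if __name__ == "__main__":
    for name, h in [("vulnerable", EviService.create_evi_and_redirect_vulnerable),
                    ("fixed", EviService.create_evi_and_redirect_fixed)]:
        print(name, "| attacker succeeds:", two_account_idor_check(h),
              "| owner still works:", owner_can_still_upload(h))
```

The two-account check is the same test you would run against a real deployment: one account creates the object, a second account replays the request with the first account's identifier, and the assertion is on the object's final state, not on the HTTP status alone. Note that the fix scopes the lookup to the caller and answers "not found" for both foreign and non-existent IDs; because the job ID is public by design, keeping it secret is not a defence and the authorisation check is the only thing that matters.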





Business Impact:





Timeline : 


April 04th 2023: Report sent to the Indeed product security team on Bugcrowd.

April 08th 2023: Report accepted and triaged.

May 19th 2023: Issue fully resolved and confirmed.

May 19th 2023: $2500 bounty awarded.
