Slack - Update/Edit Billing information (Credit card, Plans) by low privileged user on https://admin.quip.com (Access control issue)

Company Information:


Slack is a cloud-based freemium cross-platform instant messaging service created by Slack Technologies and currently owned by Salesforce. While initially developed for professional and organizational communications, it has also been adopted as a community platform.


Bug Category:

Privilege Escalation:

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.


Target Information:

https://admin.quip.com


Technical Details of the Bug:

You will need a paid subscription (Quip Starter) to reproduce the issue. Once you purchase a subscription, you can access the domain https://admin.quip.com. On this domain there is a Users section where you can add users with given roles. There is a low privileged role called "Site Admin". This role is not able to access some sections of the domain, such as the Billing section and the Roles section. However, the billing update request is vulnerable to an access control issue, and this low privileged user is able to update the billing settings. In the billing settings you can update the credit card and the current plan of the company.


Vulnerable HTTP Request:

POST /-/setup-billing HTTP/2
Host: admin.quip.com
Cookie: cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.quip.com/console/cCGAcAVnm2Q/billing
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 1271
Origin: https://admin.quip.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

_csrf=&_js_client_hash=&_js_request_id=r16zyuvia9&_js_request_time=1683414925164&_js_request_time_ms=1683414925164&_resource_bundle=admin_console&_user_id=NJKAEAnKkEU&_version=10&_window_session_id=8eba0aa9f607&company_id=cCGAcAVnm2Q&plan=5p_monthly_2_free_mo&quantity=5&token=%7B%22id%22%3A%22tok_1N4uJx20Ocpi9J4OZX6EPU3B%22%2C%22object%22%3A%22token%22%2C%22card%22%3A%7B%22id%22%3A%22card_1N4uJw20Ocpi9J4ONRzsiF9I%22%2C%22object%22%3A%22card%22%2C%22address_city%22%3Anull%2C%22address_country%22%3Anull%2C%22address_line1%22%3Anull%2C%22address_line1_check%22%3Anull%2C%22address_line2%22%3Anull%2C%22address_state%22%3Anull%2C%22address_zip%22%3A%22560103%22%2C%22address_zip_check%22%3A%22unchecked%22%2C%22brand%22%3A%22Visa%22%2C%22country%22%3A%22IN%22%2C%22cvc_check%22%3A%22unchecked%22%2C%22dynamic_last4%22%3Anull%2C%22exp_month%22%3A7%2C%22exp_year%22%3A2027%2C%22funding%22%3A%22credit%22%2C%22last4%22%3A%228169%22%2C%22name%22%3A%221110bugcrowdtester%40gmail.com%22%2C%22tokenization_method%22%3Anull%2C%22wallet%22%3Anull%7D%2C%22client_ip%22%3A%2249.37.161.143%22%2C%22created%22%3A1683414921%2C%22email%22%3A%221110bugcrowdtester%40gmail.com%22%2C%22livemode%22%3Atrue%2C%22type%22%3A%22card%22%2C%22used%22%3Afalse%7D


Vulnerable Parameters:

_user_id, company_id. These IDs are public to a low privileged user account.

Steps to reproduce:

You will need two Quip Starter paid accounts for this.

1. Log in from the victim account and go to https://admin.quip.com.
2. Go to the user management section and add the attacker user (the user is automatically given the Site Admin role).
3. Log in from the attacker user account; you will see that this user also has access to the victim account, but with low privileges.
4. Select the victim org and go to it on https://admin.quip.com.
5. Notice that this user does not have access to the Billing section.
6. Select the attacker org account and go to https://admin.quip.com.
7. Go to the Billing section and update the credit card/plan.
8. Complete the Stripe payment; the final request will look like the request shown above.
9. Change the _user_id and company_id values to the victim account's values and send the request to the server.
10. The victim account's credit card and plan will be changed.

Note: _user_id and company_id are public values to a low privileged user account.
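The root cause described above is that the server acts on the company_id (and _user_id) supplied in the request body without checking that the authenticated user holds a billing-capable role in that company. The following is an added example, not Quip or Slack code: a minimal model of the /-/setup-billing handler in its vulnerable form beside a hardened form. The role names ("owner" as the billing-capable role), the user/company IDs and the in-memory stores are constructed for illustration; only the endpoint path, the _user_id and company_id parameter names and the plan value come from the report.

```python
"""
Authorization check for a billing-update endpoint (added example, not Quip/Slack code).

Only the /-/setup-billing path and the _user_id / company_id / plan form fields come
from the report. Roles, IDs and data stores below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed role assignments: (company_id, user_id) -> role.
# "site_admin" is the low-privileged role named in the report; "owner" is an
# assumed name for the role that is allowed to manage billing.
ROLES = {
    ("company_victim", "user_victim_owner"): "owner",
    ("company_victim", "user_attacker"): "site_admin",  # added via user management
    ("company_attacker", "user_attacker"): "owner",
}
BILLING_ROLES = {"owner"}

# Constructed billing store: company_id -> current plan.
PLANS = {"company_victim": "old_plan", "company_attacker": "old_plan"}


@dataclass
class Response:
    status: int
    body: str


def parse_body(raw: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single string values."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def vulnerable_setup_billing(raw_body: str, plans: dict) -> Response:
    """Vulnerable pattern: trusts client-supplied _user_id and company_id and only
    checks that the pair is a member of the company. A site_admin in the victim
    company therefore passes and can change the victim's plan."""
    form = parse_body(raw_body)
    actor, company = form.get("_user_id"), form.get("company_id")
    if (company, actor) not in ROLES:
        return Response(403, "not a member of this company")
    plans[company] = form.get("plan", plans.get(company))
    return Response(200, "billing updated")


def hardened_setup_billing(session_user_id: str, raw_body: str, plans: dict) -> Response:
    """Hardened pattern: the actor comes from the authenticated session, never from the
    body, and must hold a billing-capable role on the *target* company before any write."""
    form = parse_body(raw_body)
    company = form.get("company_id")
    if form.get("_user_id") not in (None, session_user_id):
        # The body names a different user than the session: reject and log for detection.
        return Response(403, "body _user_id does not match session user")
    role = ROLES.get((company, session_user_id))
    if role not in BILLING_ROLES:
        return Response(403, f"role {role!r} may not manage billing for {company!r}")
    plans[company] = form.get("plan", plans.get(company))
    return Response(200, "billing updated")


def demo() -> dict:
    """Replay the tampered request from the report (step 9) against both handlers."""
    tampered = "_user_id=user_attacker&company_id=company_victim&plan=5p_monthly_2_free_mo&quantity=5"
    own_org = "_user_id=user_attacker&company_id=company_attacker&plan=5p_monthly_2_free_mo"
    vuln_plans, hard_plans = dict(PLANS), dict(PLANS)
    return {
        "vulnerable_tampered": vulnerable_setup_billing(tampered, vuln_plans).status,
        "hardened_tampered": hardened_setup_billing("user_attacker", tampered, hard_plans).status,
        "hardened_own_org": hardened_setup_billing("user_attacker", own_org, hard_plans).status,
        "victim_plan_after_vulnerable": vuln_plans["company_victim"],
        "victim_plan_after_hardened": hard_plans["company_victim"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key design point is that the authorization decision is made on the session identity against the company named in the request, so changing company_id to another tenant only changes which role lookup is performed; a mismatch between the body's _user_id and the session user is rejected outright and is a useful signal to alert on.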

Impact:

Update/Edit Billing information (Credit card, Plans) by low privileged user on https://admin.quip.com (Access control issue)


Timeline:

May 12th 2023: Report sent to the Slack Product Security Team through HackerOne.

June 3rd 2023: Report accepted and triaged.

June 7th 2023: Issue completely resolved and confirmed.

June 7th 2023: $1500 bounty rewarded.



