How we could hack all organizations within a web app
Assalaamu’alaikum wa rahmatullah wabarakatuhu
Here’s another collaboration between mux0x and Omar Ahmed “spaceboy20”. Today’s bug was an interesting one, and actually an unexpected one.
Summary of the bug
We got invited to a private program that connects contractors (“professionals”) with agents (“job posters”). The agent sets a location for the required job, and when he posts it, it shows up as a LEAD on the contractor side: every contractor whose work area covers the area the agent posted the job in receives the LEAD. That LEAD discloses the UUID of the agent’s organization. It is a UUID v4, which isn’t guessable (it can’t be brute-forced the way a v1 UUID can).
The action part
While Omar was playing with the user-invite function, he found that a parameter named “organizations_ids”, which takes a JSON array of UUIDs, was vulnerable to an IDOR. If we added our organization id to that JSON array, the response was “you don’t have permission to add users to this organization”, but when we replaced the attacker’s organization id with the victim’s, the invite went through and the attacker could take over the victim’s organization. You guessed it right :D
Simple bug, right? If we had stopped there, it would only have been rated “HIGH”, not “CRITICAL”, because the attack complexity goes up when the target ID is not guessable. That is a big loss in reputation and money, TBH.
So, to obtain the UUIDs of other organizations, we needed a contractor (“professional”) account, which you can create from the agent account. All we had to do was change the contractor account’s work area to cover the whole world and wait for organizations to post work orders; every LEAD that arrived handed us another organization’s UUID.
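Both halves of this chain come down to one defensive point: an unguessable UUID is not an authorization check, and a batch parameter must be authorized entry by entry. The write-up does not show the program’s server code, so the example below is an added illustration, not the target’s code. The vulnerable handler uses a hypothetical reconstruction of a common broken pattern (the caller is checked for an admin role somewhere, and the ids in the body are trusted), the fixed handler checks every organization id in the list against the caller’s memberships, and the LEAD builder shows how a harvested organization UUID still gets rejected by the fixed handler. All names, the membership table and the UUID values are constructed for the example.

```python
import json
import uuid

# Constructed sample data (not from the write-up): an attacker who administers
# ORG_A only, and a victim organization ORG_B.
ORG_A = uuid.UUID("11111111-1111-4111-8111-111111111111")
ORG_B = uuid.UUID("22222222-2222-4222-8222-222222222222")

# caller -> {organization id -> role}; hypothetical stand-in for the membership table
MEMBERSHIPS = {
    "attacker": {ORG_A: "admin"},
    "victim_admin": {ORG_B: "admin"},
}


class PermissionDenied(Exception):
    pass


def parse_organization_ids(raw_body):
    """Parse the 'organizations_ids' JSON array into UUID objects.

    Anything that is not a list of well-formed UUID strings is rejected up
    front, so the authorization code below only ever sees typed values."""
    body = json.loads(raw_body)
    ids = body.get("organizations_ids")
    if not isinstance(ids, list) or not ids:
        raise ValueError("organizations_ids must be a non-empty list")
    return [uuid.UUID(str(item)) for item in ids]


def invite_users_vulnerable(caller, organization_ids, invitee_email):
    """Hypothetical reconstruction of the broken check: the caller only has
    to be an admin of *some* organization, and every id in the request body
    is acted on because a UUIDv4 'cannot be guessed'."""
    roles = MEMBERSHIPS.get(caller, {}).values()
    if "admin" not in roles:
        raise PermissionDenied("you don't have permission to add users")
    return [(org, invitee_email) for org in organization_ids]


def invite_users_fixed(caller, organization_ids, invitee_email):
    """Authorize each organization id against the caller's own memberships
    before doing anything, and reject the whole batch on the first miss."""
    memberships = MEMBERSHIPS.get(caller, {})
    for org in organization_ids:
        if memberships.get(org) != "admin":
            raise PermissionDenied(
                "you don't have permission to add users to this organization")
    return [(org, invitee_email) for org in organization_ids]


def build_lead(job):
    """LEAD payload as described in the write-up: it carries the posting
    organization's UUID, which is what lets a world-wide work area harvest ids."""
    return {"job_id": job["job_id"], "organization_id": str(job["organization_id"])}


def takeover_succeeds(handler, caller, harvested_ids):
    """Return True if the caller can invite a user into every harvested org."""
    try:
        handler(caller, harvested_ids, "newadmin@example.test")
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    # Constructed job posted by the victim organization, seen as a LEAD by a
    # contractor whose work area covers the whole world.
    job = {"job_id": 42, "organization_id": ORG_B}
    harvested = [uuid.UUID(build_lead(job)["organization_id"])]
    print("vulnerable handler taken over:", takeover_succeeds(invite_users_vulnerable, "attacker", harvested))
    print("fixed handler taken over:     ", takeover_succeeds(invite_users_fixed, "attacker", harvested))
```

The fix is the per-id membership lookup, not anything about the ids themselves: the harvested UUID stays exactly as disclosed by the LEAD, and the request still fails. A second, independent mitigation is to keep the organization UUID out of the LEAD payload when the contractor does not need it.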
Alhamdulillah, we were dealing with a cooperative team, so it turned out pretty well for us. Just try to get the highest impact out of every bug you find: don’t stop at the first obstacle, escalate, and no rush!
See ya soon in another write-up ;)
Twitter “X” account: https://twitter.com/mux0x, I am active there.