How could we hack all organizations within a web app

Muhammed K. Sayed
Aug 14, 2023

Assalaamu’alaikum wa rahmatullah wabarakatuhu

Here’s another collaboration between mux0x and Omar Ahmed “spaceboy20”. Today’s bug was an interesting one, actually an unexpected one.

Summary of the bug

We got invited to a private program that connects contractors (“professionals”) and agents (“job posters”). The agent is able to set a location for the required jobs; then, when he posts a job, it is a LEAD on the contractor side. So if the contractor’s work area is within the area the agent posted the job in, he will receive the LEAD, which discloses the UUID of the agent’s organization. It is a UUID v4, which isn’t guessable (“can’t be brute-forced like the v1”).

The action part

So while Omar was playing with the function for inviting users, he found out that a parameter, “organizations_ids”, which takes a list of UUIDs, was vulnerable to an IDOR. If we added our organization ID to that JSON array, it says “you don’t have permission to add users to this organization”, but when he replaces the ID of the attacker organization with the victim’s one, he can take it over. You guessed it right :D

Simple bug, right? If we stopped there, we would only get this bug as “HIGH”, not “CRITICAL”, because the complexity of the attack increases as the ID is not guessable. This is a big loss in reputation and money, TBH.

So in order to obtain these UUIDs of other organizations, we have to get a contractor (“professional”) account, which you can create from the agent account. All we needed to do was change the work area of the contractor account to be the whole world and wait for organizations to post work orders.

[Figure: graph demonstrating how to obtain orgs’ UUIDs]
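The server-side check that the “organizations_ids” parameter was missing, as an added example that is not the program’s code: every ID in the array is authorized against the caller’s own memberships, and the whole request is rejected if any single ID fails. The membership table, the function names and the UUIDs are constructed assumptions.

```python
import uuid

# Constructed sample data (assumption): organizations each user administers.
ORG_A = "3f1c2b9e-6a4d-4e8b-9c57-0d2a1b7e4f10"  # caller's own org
ORG_B = "9b7e4d21-58c3-4fa6-b1d0-7c6e5a3f2b88"  # a different tenant
ADMIN_OF = {"alice": {ORG_A}, "bob": {ORG_B}}


class Forbidden(Exception):
    """Caller lacks admin rights on at least one requested organization."""


def normalize_org_ids(raw):
    """Turn the client-supplied JSON array into unique canonical UUID strings."""
    if not isinstance(raw, list) or not raw:
        raise ValueError("organizations_ids must be a non-empty list")
    ids = []
    for item in raw:
        if not isinstance(item, str):
            raise ValueError("organization id must be a string")
        canon = str(uuid.UUID(item))  # ValueError if malformed; lowercases
        if canon not in ids:
            ids.append(canon)
    return ids


def invite_user(caller, email, organizations_ids):
    """Hypothetical invite handler: authorize EVERY id before any write."""
    org_ids = normalize_org_ids(organizations_ids)
    allowed = ADMIN_OF.get(caller, set())
    # The decision depends on the caller's session, never on whether
    # the id is secret. All-or-nothing: one foreign id rejects the request.
    if any(org not in allowed for org in org_ids):
        raise Forbidden("not permitted for one or more organizations")
    return [{"org": org, "email": email, "invited_by": caller} for org in org_ids]


if __name__ == "__main__":
    print(invite_user("alice", "new@example.test", [ORG_A]))
    for attempt in ([ORG_B], [ORG_A, ORG_B], [ORG_B.upper()]):
        try:
            invite_user("alice", "new@example.test", attempt)
        except Forbidden as exc:
            print("rejected:", exc)
```

Canonicalizing the IDs before the membership lookup keeps case or formatting variants of a foreign UUID from slipping past the comparison.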

Alhamdulillah, we were dealing with a cooperative team, so it was kind of a good one for us. Just try getting the highest impact out of every bug you find; don’t stop at the first obstacle, and escalate. No rush!

See ya soon in another write-up ;)

Twitter (“X”) account: https://twitter.com/mux0x, I am active there.
