Story of an IDOR via Email
A year ago, I discovered an Insecure Direct Object Reference (IDOR) vulnerability which allowed anyone to reply to messages on behalf of other users on a website. I have been very much interested in this class vulnerability considering how easy one could find one by paying attention to details.
The target allows project creation where users can send messages to one another and get notified by email. They can also send replies directly from email and it would reflect on the website.
An Informative Report
Initially, I had discovered a vulnerability which I reported with the subject “Persistent Association of an Email to Projects”. This allowed me to create an activity in a project from an email that has been removed from an account. While it seems like a vulnerability to me, it wasn’t to the target. The team decided the scenario described was unlikely to occur and fixing it would be decremental to user experience.
The flow was:
Create an Account → Create a Project → Send Message → Receive Mail Notification → Change Email Address → Confirm the Change → Respond to the Mail Notification → Activity Created on Project!
PS: Send Message means to send a message in the project and Receive Mail Notification means someone else replied and you got notified in email. Also, confirming the change entailed requesting a password reset with the old email address which returned an error confirming the email was no longer linked to an account.
Aaand, the IDOR!
I couldn’t get my mind off the other report, so I kept looking. And after a week, I got an IDOR via the same channel.
The reply-to email address caught my attention and on a closer look, it contains my user ID and the project ID. It had the following structure:
[Constant Token]+[Project Unique Token]-[User ID]-[Project ID]@inbound.postmarkapp.com
Example:
7458hb73fa4d5hs97wf8fs0bkb4a8392+1bafh7sjh245h525bj6n74knk134134jn563n357-123456-2345678@inbound.postmarkapp.com
PS: The target is NOT PostmarkApp and the tokens and IDs are just an example :D
Since it was quite easy to get other user’s ID by viewing their profile, I just replaced my user ID with the other user’s ID and sent an email to the crafted email address. And the activity got created in the project.
Until next time!
Timeline
May 22, 2018 - First Report Sent
May 22, 2018 - Marked Informative
May 29, 2018 - Second Report Sent
May 30, 2018 - Report Triaged
June 5, 2018 - Fix Requested and Confirmed
June 6, 2018 - Bounty Awarded
Share on