This article is about a bug which I found in November of last year, which allowed a low-level, unauthorized user to add a new user to a shared app connection, giving unwanted users access to confidential data and affecting the integrity of the platform.
Understanding Target
Exapier, a platform that facilitates easy automation, connects various apps to automate workflows. Shared app connections, such as those with Google Drive, are pivotal for collaborative and efficient operations.
Bug Discovery
A flaw in Exapier’s access control allows low-level users to manipulate shared connections. Unauthorized additions to connections like Google Drive pose a significant security risk, breaching expected permissions.
Before we move on, if you like my write-ups, please support me by clapping and sharing; you can clap up to 50 times here on Medium, and it’s free. Thank you.
Steps to Reproduce:
- A low-level user accesses their Zapier account.
- In connection settings, the attacker edits a shared connection’s name.
- Intercepting the request, the attacker modifies parameters, adding the user to the shared connection.
- The attacker sends the modified request, resulting in a successful addition of the user to the connection.
- Admin verifies the addition of the user in the shared connection.
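A minimal model of the flaw behind the steps above, written for this write-up as an added example (not Zapier’s code): a “rename connection” handler that writes back every field it receives also lets a low-level member rewrite the membership list, while the hardened version whitelists the field and routes membership changes through an owner-only check. The class, field and role names are assumptions, and all data is constructed.

```python
# Added, constructed model of the access-control flaw (not Zapier's code).
# Field names such as "name" and "members" are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class SharedConnection:
    owner: str
    name: str
    members: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def _require_member(conn, actor):
    if actor != conn.owner and actor not in conn.members:
        raise Forbidden("not a member of this connection")


def rename_vulnerable(conn, actor, payload):
    """Any member may rename, but every submitted field is written back,
    so a tampered rename request can also overwrite 'members'."""
    _require_member(conn, actor)
    for key, value in payload.items():   # mass assignment: no field whitelist
        setattr(conn, key, value)
    return conn


def rename_hardened(conn, actor, payload):
    """Rename accepts only 'name'; any other field is rejected outright."""
    _require_member(conn, actor)
    unexpected = set(payload) - {"name"}
    if unexpected:
        raise Forbidden(f"fields not allowed on rename: {sorted(unexpected)}")
    conn.name = payload["name"]
    return conn


def add_member(conn, actor, new_member):
    """Membership changes are a separate, owner-only operation."""
    if actor != conn.owner:
        raise Forbidden("only the owner may add members")
    conn.members.add(new_member)
    return conn


if __name__ == "__main__":
    conn = SharedConnection(owner="admin", name="Team Drive", members={"alice"})
    tampered = {"name": "Team Drive", "members": {"alice", "mallory"}}
    rename_vulnerable(conn, "alice", tampered)
    print("vulnerable handler, members now:", sorted(conn.members))
```

Running the hardened handler on the same tampered request raises `Forbidden` and leaves the membership untouched, which is the server-side check the write-up says was missing.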
Potential Impact
Unauthorized user additions to shared connections compromise the integrity of collaborative platforms and give unauthorized users access to confidential data. This security loophole may lead to misuse, unauthorized data access, and potential breaches of privacy.
The Bounty
Exapier acknowledged the severity of this bug and rewarded a bounty of $921 for its discovery and responsible disclosure.
Takeaway
This security loophole sheds light on the critical need for robust access controls. It underscores the importance of meticulous permission management, ensuring that only authorized personnel can manipulate shared connections. The key lesson here is clear: always test permission boundaries when hunting for bugs.
Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.