📚 HackerOne: Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users
💡 News category: Vulnerabilities
🔗 Source: vulners.com
HackerOne has a number of ways for hackers to submit security vulnerabilities to a program, two of which are through an embedded submission form and through security@ email forwarding. These two features can be exploited to update a report draft created through security@ email forwarding that does not belong to the attacker. In addition, the attacker can exploit these features to obtain copies of orphaned platform attachments that were uploaded through an embedded submission form and don't belong to the attacker.

Steps to reproduce

The exploit consists of chaining two vulnerabilities. The first one is an oversight in the access control of report drafts created and updated through an embedded submission form. To reproduce this first vulnerability, a victim will have to send an email to an address that forwards all emails to a HackerOne inbox. An example of such an email address is [email protected], which forwards emails to our own program. When someone sends an email to this address, they'd receive an email similar to this one:

{F1077716}

In the backend, this essentially does two things: it creates a ReportDraft object and a corresponding Invitation object. The email above contains the secret invitation token for the user to get access to the report draft. As long as the invitation is not accepted, the ReportDraft has its reporter_id and tracer attributes set to NULL. When a user would accept the invite, the reporter_id attribute would be overwritten with the user's ID who... ...