Incorrect use of privileged APIs to steal victim's account in polonel/trudesk
Valid
Reported on Jun 6th 2022
Description
When a user can edit their profile --> incorrect use of privileged APIs to steal a victim's account
Proof of Concept
1. Log in with the hacker's account and capture the request sent when editing the profile.
2. Replace the endpoint and email with the victim's.
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing
Impact
- The hacker can access any account whose email he knows (leaked on the message page)
- Dangerous for all users
- The hacker can steal an admin's account --> gain the highest permissions
We are processing your report and will contact the polonel/trudesk team within 24 hours.
a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back.
a year ago
This has been fixed in v1.2.4. I will update this report once released.
Please note that if the user has the accounts update permission they can update any user account as per design. This is usually reserved for Admin or Support roles that may need the user's password reset.
Although your report was indeed valid, it only worked if the "hacker" user had permission to update accounts anyway. It did, however, lead to an issue where those permissions were needed to update your own profile, which in itself was a vulnerability. This is what has been fixed.
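The maintainer's comment describes the root cause: one privilege ("update any account") was doing double duty as the permission needed to edit your own profile, so every self-service user effectively held a privileged grant, and the account being written came from request data the caller controlled. The following is an added illustration, not trudesk's own code, of how a defender separates the two cases in a Node.js handler. The grant name `accounts:update`, the requester/target/body shapes and the sample users are all assumptions constructed for this example.

```javascript
// Added example (not code from the trudesk project): an authorization
// check that separates "edit my own profile" from "edit any account".
// Assumptions (constructed): requester = { username, roleGrants: [...] },
// targetUsername comes from the URL path of the update endpoint, and
// body is the parsed JSON the client sent.

const ACCOUNTS_UPDATE = 'accounts:update'; // hypothetical grant name

function hasGrant(requester, grant) {
  return Array.isArray(requester.roleGrants) && requester.roleGrants.includes(grant);
}

// Fields a self-service user must never be able to change on their own record;
// anything that would re-point the write at another account or raise privilege.
const SELF_SERVICE_PROTECTED = ['username', '_id', 'role'];

// Decide whether `requester` may apply `body` to the account named by `targetUsername`.
// The account being written is always the one in the URL, never one named in the body.
// Returns { allowed: boolean, reason: string }.
function authorizeProfileUpdate(requester, targetUsername, body) {
  const isSelf = requester.username === targetUsername;
  const privileged = hasGrant(requester, ACCOUNTS_UPDATE);

  // Editing someone else's record is the privileged path and needs the grant.
  if (!isSelf && !privileged) {
    return { allowed: false, reason: 'editing another account requires ' + ACCOUNTS_UPDATE };
  }

  // Editing your own record needs no grant, but the body is restricted so the
  // self-service path cannot be used to retarget the write or change role.
  if (isSelf && !privileged) {
    const blocked = SELF_SERVICE_PROTECTED.filter((field) => Object.prototype.hasOwnProperty.call(body, field));
    if (blocked.length > 0) {
      return { allowed: false, reason: 'self-update may not change ' + blocked.join(', ') };
    }
    return { allowed: true, reason: 'self-service update' };
  }

  return { allowed: true, reason: 'privileged update' };
}

// Constructed sample requests showing each branch of the decision.
function runSamples() {
  const regularUser = { username: 'alice', roleGrants: [] };
  const supportUser = { username: 'support', roleGrants: [ACCOUNTS_UPDATE] };
  const emailChange = { email: 'alice-new@example.invalid' };

  return {
    // a regular user editing another account is refused
    regularEditsOther: authorizeProfileUpdate(regularUser, 'bob', emailChange).allowed,
    // a regular user editing their own email is allowed without any grant
    regularEditsSelf: authorizeProfileUpdate(regularUser, 'alice', emailChange).allowed,
    // a regular user cannot smuggle a different username into a self-update
    regularRetargetsSelf: authorizeProfileUpdate(regularUser, 'alice', { username: 'bob' }).allowed,
    // support/admin roles holding the grant may edit any account (by design)
    supportEditsOther: authorizeProfileUpdate(supportUser, 'bob', emailChange).allowed,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}

module.exports = { authorizeProfileUpdate, runSamples, ACCOUNTS_UPDATE };
```

The design point is that the target of the write is bound to the authenticated identity (or to an explicit privileged grant), and never taken from a client-supplied field; the self-service path exists so ordinary users never need to hold `accounts:update` in the first place.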
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days.
a year ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days.
a year ago
users.js#L598-L631 has been validated
users.js#L416-L571 has been validated