Incorrect use of privileged APIs to steal victim's account in polonel/trudesk
Reported on
Jun 6th 2022
Description
When user can edit their profile --> Incorrect use of privileged APIs to steal victim's account
Proof of Concept
1. Login with hacker's account, get the request when edit profile
2. Replace the endpoint and email with victim's one
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing
Impact
- Hacker can access all accounts that he know the mail (leak in message page)
- Dangerous for all users
- Hacker can steal an admin's account --> get the highest permission
This has been fixed in v1.2.4. I will update this report once released.
Please note that if the user has the accounts update
permission they can update any user account as per design. This is usually reserved for Admin or Support roles that may need the user's password reset.
Although your report was indeed valid, it only worked if the "hacker" user had permission to update accounts anyway. It did however lead to an issue where the permissions were needed to update your own profile which in itself was a vulnerability. This is what has been fixed.