
$921 Privilege Escalation: Unauthorized User Addition to Shared App Connections

Abhi Sharma
Published in InfoSec Write-ups
4 min read, Jan 20, 2024

This article is about a bug I found in November of last year which allows a low-level, unauthorized user to add a new user to a shared app connection, giving an unwanted user access to confidential data and affecting the integrity of the platform.

Understanding Target

Exapier, a platform that facilitates easy automation, connects various apps to automate workflows. Shared app connections, such as those with Google Drive, are pivotal for collaborative and efficient operations.

Bug Discovery

A flaw in Exapier’s access control allows low-level users to manipulate shared connections: the server does not verify that the user submitting the request holds a role that permits managing the connection’s members. Unauthorized additions to connections like Google Drive pose a significant security risk, breaching the permissions the sharing model is expected to enforce.
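The following is an added illustration of the bug class, not the author’s or Exapier’s code: it models a shared connection with a flawed “any member may add members” check beside the hardened “only an admin may add members” check, and adds a small audit routine that flags member additions made by non-admins in a constructed log. The role names, user ids, data model and log format are all assumptions chosen for the example.

```python
"""
Role check for adding members to a shared app connection.

Added illustration, not Exapier's code: the role names (ADMIN / MEMBER),
the data model and the log format are assumptions chosen to model the
access-control flaw described above, where a low-level user can add
another user to a shared connection.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    MEMBER = "member"


class AuthorizationError(PermissionError):
    """Raised when the acting user may not perform the requested change."""


@dataclass
class SharedConnection:
    """A shared app connection (e.g. a Google Drive connection) and its members."""
    name: str
    members: dict[str, Role] = field(default_factory=dict)  # user id -> role

    def add_member_vulnerable(self, actor: str, new_user: str) -> None:
        """Flawed variant: only checks that the actor is *some* member.

        Mirrors the bug class in the write-up: a low-level user can add
        anyone, because membership is confused with permission to manage.
        """
        if actor not in self.members:
            raise AuthorizationError(f"{actor} is not a member of {self.name}")
        self.members[new_user] = Role.MEMBER

    def add_member(self, actor: str, new_user: str) -> None:
        """Hardened variant: the server re-derives the actor's role from its
        own records and requires ADMIN; nothing in the request is trusted."""
        role = self.members.get(actor)
        if role is not Role.ADMIN:
            shown = role.value if role else "none"
            raise AuthorizationError(
                f"{actor} (role={shown}) may not add members to {self.name}"
            )
        self.members[new_user] = Role.MEMBER


def audit_membership_log(conn: SharedConnection, log: list[dict]) -> list[dict]:
    """Return 'member_added' events on this connection whose actor does not
    hold ADMIN. A simple detection for this bug class when the server's
    own authorization check cannot be trusted."""
    suspicious = []
    for event in log:
        if event.get("action") != "member_added" or event.get("connection") != conn.name:
            continue
        if conn.members.get(event["actor"]) is not Role.ADMIN:
            suspicious.append(event)
    return suspicious


def demo() -> tuple[bool, bool, int]:
    """Run both variants on a constructed scenario. Returns
    (vulnerable_variant_allowed_low_user, hardened_variant_blocked, suspicious_count)."""
    conn = SharedConnection("google-drive")
    conn.members["admin@example.com"] = Role.ADMIN
    # The admin legitimately adds the low-level user.
    conn.add_member("admin@example.com", "lowuser@example.com")

    # Vulnerable path: the low-level user is able to add an outsider.
    vulnerable_allowed = False
    try:
        conn.add_member_vulnerable("lowuser@example.com", "outsider@example.com")
        vulnerable_allowed = True
    except AuthorizationError:
        pass
    conn.members.pop("outsider@example.com", None)  # reset for the hardened run

    # Hardened path: the same request is refused.
    hardened_blocked = False
    try:
        conn.add_member("lowuser@example.com", "outsider@example.com")
    except AuthorizationError:
        hardened_blocked = True

    # Constructed audit log: one legitimate add, one by the low-level user.
    log = [
        {"action": "member_added", "connection": "google-drive",
         "actor": "admin@example.com", "target": "lowuser@example.com"},
        {"action": "member_added", "connection": "google-drive",
         "actor": "lowuser@example.com", "target": "outsider@example.com"},
    ]
    return vulnerable_allowed, hardened_blocked, len(audit_membership_log(conn, log))


if __name__ == "__main__":
    print(demo())  # (True, True, 1)
```

The design point is that the hardened check derives the actor’s role from server-side state rather than from anything the client sends; the audit routine is the detection counterpart, useful for reviewing existing membership logs after such a flaw is fixed.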


Steps to Reproduce:

  1. First, the admin added the low-level user to the shared app (Google Drive) connection. Capture this request of adding the user for later use.



Written by Abhi Sharma

Cybersecurity Consultant | Pentester | Bug Bounty Hunter | Content Writer. Connect with me on https://twitter.com/a13h1_ and https://www.linkedin.com/in/a13h1/
