Beyond Error Messages: Super Admin Deletion due to Broken Access Control (€€€)
Hi, Fellow Hunters, Ram Ram Bhyi Sarya Ne
Hope you are doing well and taking care of your health. This is V3D, and I am writing a quick write-up of one of my findings.
Issue: Broken Access Control
Weakness: Improper Access Control — Generic
Note: It’s a private bug bounty program, so I can’t disclose the program name; let’s refer to it as REDACTED.COM.
Without any further ado... Let’s Start…
I started hunting on this program and checking its functionality, as I mentioned in my recent write-up (Here); if you have not read it yet, please do. While hunting on this program I saw that there is team functionality, and it’s one of my favourite parts to check.
So for this, I quickly created Two Accounts.
Account A
Account B
In this application, there are two different roles, called Privilege Profiles, which are:
- Administrator
- Staff Member
Administrator: It has all the admin privileges, like inviting staff members, inviting administrators, and removing/deleting administrators/staff members, but it doesn’t have the privilege to delete or remove the Super Admin.
Staff Member: Staff-related work like creating tasks, modifying tasks, etc., but it doesn’t have the privilege to invite or remove anyone.
Hope you understand the roles’ privileges.
It’s time to check the functionality.
Account A (Super Admin) invited Account B as an Administrator.
Account B accepted the invitation, but he/she doesn’t have the privilege to delete “Account A/Super Admin”.
Let’s exploit
Now Account A removes Account B.
Account B was removed successfully.
But when I checked Account B, it still had all the access. Now I tried to create a task, but it threw me an error: “System Alert: Problem when retrieving the data”.
But in Settings there is an option for Team, and under the Team option there is an option for “Privilege profile”. When I clicked on this option it showed two profiles, one for Account A (Super Admin) and the other for Account B (Invited Account).
Both accounts have an action tab; when I clicked on it, it showed 3 options:
1) Edit
2) Duplicate
3) Delete
So here I tried to delete Account A (Super Admin). It threw me an error, “You do not have the privileges to access this resource”. However, when I went to Account A (Super Admin), its super admin privilege was deleted, and Account A was also no longer able to invite any other user with the “Administrator” role.
Account A (Super Admin) is now a regular member (Staff Member).
In this way, checking what functionalities a user cannot perform and trying to break them often leads to a bug.
Hope you found this write-up helpful.
Tip: Never forget to check functionality; there is a huge scope for finding bugs in functionalities.
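To make the two defects concrete, here is an added example (not code from the write-up or from the program) modelling the behaviour above: a removed member keeps their privilege profile, and the delete action runs before the privilege check, so the user sees an error while the super admin profile is already gone. The hardened functions revoke privileges together with the membership and authorize before mutating state. All names and the internal structure are hypothetical.

```python
# Added example, not from the write-up or the program: a minimal model of the
# behaviour described above (removed admin keeps access; the "delete" action
# runs before the privilege check) beside a hardened version. Names are hypothetical.
SUPER_ADMIN, ADMIN = "super_admin", "administrator"
DENIED = "You do not have the privileges to access this resource"

def new_team():
    # members: user -> role (None once removed); profiles: user -> privilege profile
    return {"members": {"A": SUPER_ADMIN, "B": ADMIN},
            "profiles": {"A": SUPER_ADMIN, "B": ADMIN}}

def remove_member_vulnerable(team, user):
    # Flags the membership as removed but never revokes the privilege profile.
    team["members"][user] = None

def delete_profile_vulnerable(team, actor, target):
    # Mutates first, authorizes afterwards: the caller sees the error,
    # but the target's profile is already gone.
    team["profiles"].pop(target, None)
    return "deleted" if team["members"].get(actor) == SUPER_ADMIN else DENIED

def can_delete_profile(team, actor, target):
    role = team["members"].get(actor)
    if role is None or target not in team["profiles"]:
        return False                  # removed users and unknown targets are denied
    if team["profiles"][target] == SUPER_ADMIN:
        return False                  # no role may delete the super admin profile
    return role in (SUPER_ADMIN, ADMIN)

def remove_member_fixed(team, user):
    # Revoke the privilege profile together with the membership.
    team["members"].pop(user, None)
    team["profiles"].pop(user, None)

def delete_profile_fixed(team, actor, target):
    # Authorize before touching state, and log denials for detection.
    if not can_delete_profile(team, actor, target):
        print(f"audit: {actor!r} denied deleting the profile of {target!r}")
        return DENIED
    team["profiles"].pop(target)
    return "deleted"

def replay(vulnerable):
    # Replays the write-up's steps: A removes B, then B tries to delete A's profile.
    # Returns the message B sees and whether A's super admin profile survived.
    team = new_team()
    (remove_member_vulnerable if vulnerable else remove_member_fixed)(team, "B")
    delete = delete_profile_vulnerable if vulnerable else delete_profile_fixed
    return delete(team, "B", "A"), team["profiles"].get("A") == SUPER_ADMIN
```

`replay(True)` returns the denial message with the super admin profile gone; `replay(False)` returns the same message with the profile intact, which is the difference the error message alone hides.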
Timeline:
Report Sent: 10–05–2022
Bounty Rewarded (€€€): 10–05–2022
Hope you learned something new. If you liked the write-up, give it a clap and follow me on Twitter: V3D