Wednesday, October 9, 2013

Hijack User accounts via cached Invite links! #Asana #bugbounty

A few weeks back a friend of mine mentioned Asana's bug bounty program. Although I did not see any mention of reward money on their security page, I still thought I would give it a try. After reading a little about the company I found that www.asana.com is a portal where a team can share resources and organize its work, i.e. a kind of project management software.
I created an account, started poking around, and checked for obvious vulnerabilities such as XSS and CSRF. The application appeared to be decent, but there is always some scope for logic flaws.
The application allowed creating new projects and then adding users to them by sending invite links.
These invite links looked like this: https://app.asana.com/app/asana/-/register?invite=XXXXXX. The invitation is identified entirely by the token in the query string, so I thought I would try my luck with these links.


Using a few Google dorks I was able to get a list of invite links that had been indexed and cached by Google, and to my surprise they were still active. A token only ends up in a search engine's cache after the link has been exposed somewhere crawlable, so by then it should have been consumed or expired; these were not.


So I collected a list of cached invite links and tried creating an account with one, and voila, it worked as smoothly as I expected: I was able to log in to a valid user account simply by setting a new password.
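To make the failure mode concrete, here is an added example of the server side of an invite flow. It is not Asana's code and not part of the original post; only the URL shape is taken from the link quoted above, while the class and function names, the in-memory store, and the policy values (seven-day lifetime, single use) are assumptions. The weak policy never consumes or expires a token, so a link replayed from a search cache registers again; the hardened policy rejects a redeemed link as already used and an unaccepted one as expired. The example also shows the residual window the hardened policy cannot close: a fresh, not yet accepted link is still valid to whoever holds it, which is why the link must not leak in the first place.

```python
"""Invite-link lifecycle: a weak policy beside a hardened one (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# URL shape taken from the post; the token value is generated below.
REGISTER_URL = "https://app.asana.com/app/asana/-/register"


@dataclass
class Invite:
    email: str          # address the invite was mailed to
    issued_at: float
    redeemed: bool = False


class InviteService:
    """Hypothetical in-memory stand-in for the invite backend."""

    def __init__(self, ttl_seconds=None, single_use=False, clock=time.time):
        self.ttl = ttl_seconds        # None: links never expire (weak)
        self.single_use = single_use  # False: a link registers again and again (weak)
        self.clock = clock
        self._store = {}              # sha256(token) -> Invite

    @staticmethod
    def _key(token):
        # Keep only a hash server-side so a leaked table yields no live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits, not guessable
        self._store[self._key(token)] = Invite(email, self.clock())
        return f"{REGISTER_URL}?invite={token}"

    def redeem(self, link, claimed_email):
        """Complete registration from a link. Returns (accepted, reason)."""
        token = parse_qs(urlparse(link).query).get("invite", [""])[0]
        inv = self._store.get(self._key(token))
        if inv is None:
            return False, "unknown invite"
        if self.single_use and inv.redeemed:
            return False, "already redeemed"
        if self.ttl is not None and self.clock() - inv.issued_at > self.ttl:
            return False, "expired"
        if claimed_email.lower() != inv.email.lower():
            # The account created must be the one that was invited.
            return False, "email does not match invite"
        inv.redeemed = True
        return True, "registered"


def replay_scenario(single_use, ttl_seconds, invitee_accepts, days_until_replay):
    """Alice (constructed invitee) is invited; later someone replays the indexed link."""
    now = [1_380_000_000.0]  # fixed clock so the run is deterministic
    svc = InviteService(ttl_seconds, single_use, clock=lambda: now[0])
    link = svc.issue("alice@example.com")
    if invitee_accepts:
        assert svc.redeem(link, "alice@example.com") == (True, "registered")
    now[0] += days_until_replay * 86400
    # The replaying party supplies the invitee's address, as the invite page reveals it.
    return svc.redeem(link, "alice@example.com")


if __name__ == "__main__":
    week = 7 * 86400
    print("weak, accepted, replay after 30d:      ", replay_scenario(False, None, True, 30))
    print("weak, unaccepted, replay after 30d:    ", replay_scenario(False, None, False, 30))
    print("hardened, accepted, replay after 30d:  ", replay_scenario(True, week, True, 30))
    print("hardened, unaccepted, replay after 30d:", replay_scenario(True, week, False, 30))
    print("hardened, unaccepted, replay after 1d: ", replay_scenario(True, week, False, 1))
```

Marking the invite as redeemed and enforcing a lifetime are server-side changes that cost nothing for the legitimate invitee, who clicks once and soon after the mail arrives; they only remove value from a token that has escaped into a cache or a log.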

I reported this issue to the Asana security team, and they were very quick to respond to my emails. The issue was fixed in no time, and they rewarded me for it.
