A few weeks back a friend of mine mentioned to me about Asana's
bug bounty program. Although I did not see any mention of reward money in their
security page I still thought of giving it a try. After reading a little about the company I found that www.asana.com is a portal where a team can
share the resources and organize its work i.e. kind of a project
management software.
By using a few Google dorks I was able to get a list of invite links which were cached by Google and to my surprise they were still active.
So I collected a list of cached invite links and tried creating an account and voila!! it worked smoothly as I expected. I was able to login into a valid user account by creating a new password.
I created an account and started poking around and checked for obvious
vulnerabilities such as XSS and CSRF. The application appeared to be decent but there
was always some scope for a few logical vulnerabilities.
The application allowed creation of new projects followed by addition of new users by sending them invite links.
These invite links looked like these (https://app.asana.com/app/asana/-/register?invite=XXXXXX),
so I thought of trying my luck with these links.
By using a few Google dorks I was able to get a list of invite links which were cached by Google and to my surprise they were still active.
So I collected a list of cached invite links and tried creating an account and voila!! it worked smoothly as I expected. I was able to login into a valid user account by creating a new password.
I reported this issue to asana security team and they were very quick in responding to my emails. The issue got fixed within no time
and they rewarded me for the same.
No comments :
Post a Comment