IDOR to Partial Access and ACCOUNT TAKEOVER in a Top 5 Cloud Storage Platform

Q50
4 min read · Jan 18, 2025


In the name of God, the Most Gracious, the Most Merciful.

This is my first write-up, so let’s make it count. During routine testing, I discovered an IDOR vulnerability in a top-tier cloud storage platform. By exploiting a vulnerable parameter in the desktop application’s download process, I was able to gain partial access to any user’s account and disclose their email. But the real kicker? This vulnerability could be escalated to a full account takeover by exploiting the password reset mechanism.

The Discovery: A Parameter in Plain Sight

It all started with a simple observation. While testing the platform’s desktop application download process, I noticed something unusual in the download link:

https://www.redacted.com/win32/install.exe?userid=************

The userid parameter immediately caught my attention. Not only was the server including the user's ID in the download link, but the format of the ID raised even more concerns. Instead of using a UUID or a more secure token, the userid was a weak combination of lowercase letters and numbers, making it possible to guess or enumerate. This led me to wonder: what would happen if I changed it to another user's ID?

Testing the Hypothesis

I created two test accounts:

  • Attacker Account: User ID: attacker
  • Victim Account: User ID: victim

I downloaded and installed the application, swapping the two IDs. To my surprise, the application logged me into the victim’s account without asking for an email or password, which it normally does when the app is installed without the userid parameter.
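The root cause described above is that the installer's userid parameter alone decides which account gets logged in. The following is an added example (not the platform's code, and the platform's real installer protocol is not reproduced here) that models that flaw next to a hardened alternative: the server issues a short-lived, single-use, HMAC-signed install token only inside an already authenticated web session, and the installer redeems that token instead of naming a user ID. The user table, server secret and token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a per-deployment signing secret (hypothetical).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed user table using the same kind of short, guessable ids the post describes.
USERS = {"attacker": "attacker@example.com", "victim": "victim@example.com"}


def vulnerable_auto_login(userid: str) -> Optional[str]:
    """The flaw from the write-up, modelled: whatever userid the installer
    presents decides which account gets logged in. No proof of ownership."""
    return USERS.get(userid)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_install_token(session_userid: str, ttl_seconds: int = 600,
                        now: Optional[float] = None) -> str:
    """Called only from an authenticated web session. The token carries the
    session's own user id, an expiry and a random nonce, all under an HMAC,
    so it cannot be edited to point at another account."""
    issued = int(now if now is not None else time.time())
    payload = {"uid": session_userid, "exp": issued + ttl_seconds,
               "nonce": secrets.token_hex(16)}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


# Nonces already redeemed: a token logs in exactly once (in-memory store,
# constructed for the example; a real service would use a shared cache).
_redeemed_nonces = set()


def hardened_auto_login(token: str, now: Optional[float] = None) -> Optional[str]:
    """Installer-side auto-login that only honours a valid, unexpired,
    unused token signed by the server. Returns the account email or None."""
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature before anything else is trusted.
        if not hmac.compare_digest(expected, _b64d(sig_text)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, json.JSONDecodeError):
        return None
    current = now if now is not None else time.time()
    if payload.get("exp", 0) < current:
        return None
    nonce = payload.get("nonce")
    if not nonce or nonce in _redeemed_nonces:
        return None  # replayed token
    _redeemed_nonces.add(nonce)
    return USERS.get(payload.get("uid"))


def tamper_uid(token: str, new_uid: str) -> str:
    """Edits the uid inside an existing token without re-signing it. Used here
    only to show that the signature check rejects such a token."""
    body, sig_text = token.split(".", 1)
    payload = json.loads(_b64d(body))
    payload["uid"] = new_uid
    return f"{_b64e(json.dumps(payload, separators=(',', ':')).encode())}.{sig_text}"
```

The point of the design is that the value in the download link is no longer an identifier anyone can guess or swap: it is bound to the session that requested it, expires, is consumed on first use, and fails closed if any byte is changed.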

After this and further investigation, I identified another way to acquire valid userid values: by leveraging the group invitation functionality, I could send an invitation to the victim. When they accepted, I removed them from the group and intercepted the request, which revealed their userid.

Understanding the Scope

While I had access to the victim’s account and the email associated with it, it was only partial access: I could only upload files to the victim’s storage.

This was still a significant security risk, but I wondered: Could this vulnerability be escalated further?

Escalation: From Partial Access to Full Account Takeover

The platform has a very unusual password reset mechanism: the user uploads their user key, a lengthy hashed key based on the account ID, together with the last 4 digits of the credit card used on the account. Whenever something is new or customized, test it or take advantage of it.

While the initial vulnerability allowed only limited unauthorized access (one-way access from my account into the victim’s storage), I discovered a way to escalate it into a full account takeover. This escalation relied on two critical components:

The user.key File:
The desktop application contains a file called user.key, which holds cryptographic keys required for certain account operations. By exploiting the IDOR vulnerability, an attacker can obtain this file from the victim’s account. The key within this file looks like this:

The Password Reset Mechanism:
The service allows users to reset their password using the user.key file and the last 4 digits of their credit card. Since a 4-digit value has only 10,000 possible combinations, an attacker can brute-force it, spreading the attempts across multiple accounts, and reset the victim’s password.

The Full Attack Chain

To summarize, here’s how an attacker could achieve a full account takeover:

  1. Obtain the Victim’s User ID:
    The attacker can acquire the victim’s user ID through reconnaissance, brute force, or by removing the victim from a group after they accept an invitation.
  2. Exploit the IDOR Vulnerability:
    The attacker downloads the application using the victim’s user ID, gaining initial access to their account and retrieving their emails.
  3. Download the user.key File:
    The attacker retrieves the user.key file from the victim’s account, which contains critical cryptographic keys.
  4. Brute-Force the Password Reset:
    Using the user.key file, the attacker brute-forces the last 4 digits of the victim’s credit card and resets their password.
  5. Take Over the Account:
    With the password reset, the attacker gains full control over the victim’s account.

Thanks for reading

All praise is due to God, Lord of the worlds.

Written by Q50

Hacker since childhood and casual bug hunter. All my hacking is completely manual: no automation, no payloads, just pure hands-on techniques.
