Broken Access Control leads to full team takeover and privilege escalation

Abdelhameed Ghazy
3 min read · Oct 12, 2022


Hello all,

Today I will share one of the findings I was most interested in while hunting.

Our target provides teams with two roles: member and admin.
A team holds sensitive data such as credit cards.

After testing the other functions, I moved on to the invite-users function.

Only the admin of a team is allowed to invite new members to it.

The invite is a GraphQL request that carries both cookies and an Authorization header, and it takes these parameters:

1- accountId: the account id, which holds the team id
2- inviteeEmailAddress: the email address of the user to be invited
3- inviterId: the id of the admin of this team
4- roleName: one of two values (member or admin)

The first thing I tried was to remove the cookies and then the Authorization header. The server still responded with 200 OK and the request was processed successfully.

This was the modified request, with no authentication or authorization element at all.

I received the invitation at my email successfully.

So now we know that the server relies on the request parameters alone: the inviter's identity and admin role are taken from the inviterId field rather than from the session.

There are two attack scenarios :

1- Privilege Escalation

As a member of the team, I can see the team id.

So I only need to get the inviter id (the admin's id).

But how can I get this user id?
First, I found the admin's email in the members section on the team page.

So I started thinking about how to interact with him so that his id might leak in some request.
Note that there are no public profiles for any user.
After some digging, I decided to invite the victim user to join my own team (the hacker team).

After I sent an invitation to the victim account to join my team (Hacker Team),

I noticed that his membership was pending his confirmation. Going through the Burp Suite history, I found a request that fetches the team data; I repeated that request and, boom, the response contained the victim's id.

Note that I obtained the victim's id without any interaction from him.

I then sent the invite request again with the required parameters: the victim's team id as accountId, my own email as inviteeEmailAddress, the leaked id as inviterId, and admin as roleName.

Finally, I received the invitation at my email, and after accepting it I became an admin and took over the victim's team with zero clicks from him.
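The following is an added example, not the target's code or the author's: a minimal resolver for the invite mutation described above, first in the vulnerable shape the write-up implies (identity and admin role taken from the inviterId parameter, session never consulted) and then in a hardened shape that derives the inviter from the authenticated session and checks that caller's role in the target team. The parameter names (accountId, inviteeEmailAddress, inviterId, roleName) come from the write-up; the in-memory store, the session shape, the user ids and the error codes are assumptions made for the example. runScenarios replays the two requests from the write-up, the unauthenticated one and the member-with-leaked-admin-id one, against both resolvers.

```javascript
// Added example (not the target's code). Vulnerable vs hardened resolver for
// an "inviteMember" GraphQL mutation. Store, session shape, ids and error
// codes are assumptions; the argument names come from the write-up.

const VALID_ROLES = new Set(["member", "admin"]);

class GraphQLError extends Error {
  constructor(message, code) {
    super(message);
    this.code = code; // mimics the "extensions.code" convention of GraphQL servers
  }
}

// Constructed in-memory state: one team with one admin and one ordinary member.
function createStore() {
  return {
    teams: {
      "acct-1": {
        members: { "user-admin": "admin", "user-member": "member" },
        pending: [], // invitations awaiting acceptance
      },
    },
  };
}

// VULNERABLE: everything that matters comes from request arguments. The
// session (cookies / Authorization header) is never read, so stripping them
// changes nothing, and anyone who learns an admin's id can invite themselves
// as admin of that admin's team.
function inviteMemberVulnerable(store, args, _context) {
  const team = store.teams[args.accountId];
  if (!team) throw new GraphQLError("unknown account", "NOT_FOUND");
  if (team.members[args.inviterId] !== "admin") {
    throw new GraphQLError("inviter is not an admin", "FORBIDDEN");
  }
  team.pending.push({ email: args.inviteeEmailAddress, role: args.roleName, invitedBy: args.inviterId });
  return { ok: true };
}

// HARDENED: the inviter is whoever the authenticated session says it is.
// args.inviterId is ignored entirely; the caller must be an admin of the
// team named by accountId, and roleName is validated against the allowed set.
function inviteMemberHardened(store, args, context) {
  const callerId = context && context.session ? context.session.userId : null;
  if (!callerId) throw new GraphQLError("login required", "UNAUTHENTICATED");
  const team = store.teams[args.accountId];
  if (!team) throw new GraphQLError("unknown account", "NOT_FOUND");
  if (team.members[callerId] !== "admin") {
    throw new GraphQLError("only team admins may invite", "FORBIDDEN");
  }
  if (!VALID_ROLES.has(args.roleName)) {
    throw new GraphQLError("invalid role", "BAD_USER_INPUT");
  }
  team.pending.push({ email: args.inviteeEmailAddress, role: args.roleName, invitedBy: callerId });
  return { ok: true };
}

// Replays the attacker's request (victim team id, attacker's email, leaked
// admin id, roleName=admin) in three contexts and reports "ok" or the error
// code for each resolver. Also checks that the hardened resolver records the
// session user, not the spoofed inviterId, as the inviter.
function runScenarios() {
  const attackerArgs = {
    accountId: "acct-1",
    inviteeEmailAddress: "attacker@example.com", // constructed
    inviterId: "user-admin", // the id leaked via the team-data request
    roleName: "admin",
  };
  const attempt = (resolver, context) => {
    const store = createStore();
    try {
      resolver(store, attackerArgs, context);
      return { result: "ok", invitedBy: store.teams["acct-1"].pending[0].invitedBy };
    } catch (e) {
      return { result: e.code, invitedBy: null };
    }
  };
  const noSession = {}; // cookies and Authorization header stripped
  const memberSession = { session: { userId: "user-member" } };
  const adminSession = { session: { userId: "user-admin" } };
  return {
    unauthenticated: { vulnerable: attempt(inviteMemberVulnerable, noSession).result,
                       hardened: attempt(inviteMemberHardened, noSession).result },
    memberWithLeakedAdminId: { vulnerable: attempt(inviteMemberVulnerable, memberSession).result,
                               hardened: attempt(inviteMemberHardened, memberSession).result },
    realAdmin: { vulnerable: attempt(inviteMemberVulnerable, adminSession).result,
                 hardened: attempt(inviteMemberHardened, adminSession).result },
    hardenedInviterFromSession: attempt(inviteMemberHardened, adminSession).invitedBy,
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The hardened version fixes both problems at once: there is no request the client can send that makes the server believe it is someone it has not authenticated, and the leaked admin id becomes useless because the id is no longer an input to the authorization decision. The separate information leak (pending members' ids returned by the team-data query) is still worth closing, but it is no longer a privilege-escalation primitive once the resolver looks like this.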
