SaaS Provider Fixes Vulnerability
Tuesday, September 1, 2015 @ 05:09 PM gHale
Software-as-a-Service (SaaS) provider Smartsheet has patched a vulnerability an attacker could have leveraged to hijack user accounts.
Bellevue, WA-based Smartsheet provides work management and collaboration solutions in a cloud app used by over 65,000 businesses and 5 million users across 175 countries.
Clifford Trigo, a security consultant based in the Philippines, uncovered an insecure direct object reference vulnerability an attacker could exploit to hijack user accounts via Smartsheet’s “import users” feature.
Trigo reported the flaw to Smartsheet via the company’s private bug bounty program. Smartsheet patched the vulnerability and gave the researcher $2,000. The researcher disclosed the details of the flaw over the weekend.
“The bug is clearly an insecure direct object reference which again, allows anybody to hijack Smartsheet accounts without user interaction,” Trigo said on his blog post.
“As part of my testing methodology, access control vulnerabilities are the first on my list. I registered two (2) accounts for testing purposes where account 1 served as the attacker while the other was the victim account,” he said.
Insecure direct object references exist when a web application uses the actual key of an object when generating web pages without ensuring users cannot access objects other than their own. An attacker who has an account on the targeted application can exploit such a vulnerability to access other users’ accounts simply by changing the value of a parameter that directly points to a system object.
The vulnerability existed in the “Import Users” feature on the application’s “User Management” page. The feature allows customers to import users from CSV files and assign roles to those users (e.g. system admin, group admin, licensed user, resource viewer). However, there was no check in place to verify that the user requesting the import had the right privileges.
An attacker could have exploited the flaw by initiating a normal user import process and intercepting the request sent to the server. This request contained a parameter (“param1”) whose value was the user’s ID. By simply changing the value of this parameter to the ID of a different user, an attacker could have imported his own user details into the targeted account and obtained all permissions.
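As an added illustration (not Smartsheet’s code and not from Trigo’s write-up), the following Python models the import handler described above in both forms: one that trusts the client-supplied “param1” to pick the account, and a hardened one that authorizes against server-side session state. The account IDs, e-mail addresses, role names and session structure are constructed for the example.

```python
import csv
import io

# Constructed sample tenant data (not Smartsheet's): account id -> {email: role}.
VALID_ROLES = {"system admin", "group admin", "licensed user", "resource viewer"}


def fresh_accounts():
    """Return a fresh copy of the sample data so each scenario starts clean."""
    return {
        "acct-1001": {"alice@example.com": "system admin"},
        "acct-2002": {"bob@example.com": "system admin",
                      "carol@example.com": "resource viewer"},
    }


class Forbidden(Exception):
    """Raised when the caller may not modify the requested account."""


def parse_import_csv(csv_text):
    """Parse 'email,role' rows and reject roles outside the allowed set."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if row["role"] not in VALID_ROLES:
            raise ValueError("unknown role: " + row["role"])
    return rows


def import_users_vulnerable(accounts, session, param1, csv_text):
    """IDOR pattern from the article: the account to modify is taken straight
    from the client-supplied 'param1' and is never tied to who is logged in."""
    target = accounts[param1]
    for row in parse_import_csv(csv_text):
        target[row["email"]] = row["role"]
    return target


def import_users_fixed(accounts, session, param1, csv_text):
    """Hardened form: the target is the session's own account, the caller must
    already hold 'system admin' there, and a param1 that names any other
    account is rejected rather than honoured."""
    own_account = session["account_id"]
    if param1 != own_account:
        raise Forbidden("request targets an account the session does not own")
    if accounts[own_account].get(session["email"]) != "system admin":
        raise Forbidden("caller is not a system admin of this account")
    target = accounts[own_account]
    for row in parse_import_csv(csv_text):
        target[row["email"]] = row["role"]
    return target
```

A request whose param1 names another account is the signal worth logging: in the hardened handler it is always an error, so each Forbidden is a detection event rather than a silent write.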
DJ Hanson, director of information security at Smartsheet, issued the following statement, which was posted on Trigo’s blog.
“Speaking as Director of Information Security @Smartsheet, we are grateful to Mr. Trigo for his continuing research on our platform, and the professional manner in which he conducts his responsible disclosure practices. The nature and pattern of this particular issue is such that we are able to conclude that this vector was never exploited by anyone other than Mr. Trigo, working against two accounts under his direct control. Within 4 hours of being made aware of this, our security, operations, quality assurance, and development teams deployed an update to our platform, eliminating the flaw.”