Participation of expired account holders in Projects can cause financial loss to Mavenlink
State Resolved (Closed)
Disclosed publicly 2018-09-09T09:18:00.636Z
Reported To
Weakness Insecure Direct Object Reference (IDOR)
Bounty $200


Timeline
submitted a report to Mavenlink.
2017-08-18T00:03:13.820Z

I think I have found a security issue.

Summary:

Inviting a person who has an expired account to a Project lets them participate in project activity via their email address, which is against Mavenlink's business policy, as after an account has expired at the end of the trial period they need to buy a plan to access all the features.

Issue Background:

As we know, on signing up Mavenlink offers a trial account for a limited period, where users can check out all the features and get a basic understanding of how Mavenlink works. However, after the trial period is over for a free account, upon logging in to the actor's account he gets a message like this, and it is not possible to access anything at all, as this comes up every time.

Screenshot_462.png (F213824)

So, if the user does not choose a plan he actually cannot access this account now; trying to navigate to any section brings him to

https://app.mavenlink.com/settings/account/subscription?showPlansPricing=true

where Mavenlink prompts the user to select a plan to continue using the features of the application. However, if someone creates a project and invites the expired account holder, he receives an email that he has been invited to the project. When he tries to open it he cannot access it; as I have mentioned, the application lands on the same page and prompts him to buy a plan. However, if the expired account owner replies to the email, a comment is placed on the project. In particular, when any post is made on the project timeline that expired account holder receives an email, and by replying to that email he can participate in the conversation without any problem, whereas if the expired account holder tries to access the project with the direct link he cannot, and lands on the same page again where he needs to choose a plan to move forward with Mavenlink.

So, an actor can post comments / participate in conversations via email when he actually does not have access to that through the application due to Mavenlink's business policy. It seems the actor is getting more access / privilege than he should get, and that is why I believe this is a security issue.

Proof Of Concept:

  • Create a project with your Mavenlink account.
  • Invite the person whose account status is expired.
  • Add him as a consultant.
  • He will receive an email which is associated with his Mavenlink account.
  • He will try to navigate to the link received via email to see the project.
  • The attempt will be unsuccessful due to Mavenlink's policy.
  • As the application will not let the actor access it before he selects a paid plan.
  • Now create a post from your account.
  • An email will go to that expired user's address.
  • He replies to the email.
  • And the comment gets posted on his behalf.
  • But he actually cannot get access.

The user is getting the privilege to participate in a project which he could only have after selecting a paid plan; he can make comments by simply replying to the email he received. Unethical actors may take advantage of this current behavior, which will eventually affect Mavenlink financially, as the user can perform this action without selecting a paid plan.

I am attaching a video demonstration. Hope you will investigate this and get back with an update.

Sincerely,
Rashed

Regards,
Frans
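The flaw described in the report and PoC above is an authorization gap between two entry points into the same feature: the web UI enforces the "select a plan" gate, but the inbound email-reply path only checks that the sender belongs to the project. The example below is added here and is not Mavenlink's code; it models the expired-account state, shows a reply handler with only the membership check beside one that also applies the entitlement check, and includes the outbound side of the fix (no post notifications to unentitled members, so there is nothing for an expired account to reply to). All names, the data model, dates and email addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


# Constructed sample model for the example; not Mavenlink's data model.
@dataclass
class Account:
    email: str
    status: str                     # "trial", "active" or "expired" (assumed states)
    trial_ends: Optional[date] = None


@dataclass
class Workspace:
    workspace_id: int
    members: Set[str]               # member email addresses


@dataclass
class Post:
    post_id: int
    workspace_id: int
    comments: List[Tuple[str, str]] = field(default_factory=list)


def is_entitled(account: Account, today: date) -> bool:
    """The gate the web UI enforces: a paid plan, or a trial that has not ended."""
    if account.status == "active":
        return True
    if account.status == "trial" and account.trial_ends is not None:
        return today <= account.trial_ends
    return False


def reply_vulnerable(sender: str, post: Post, accounts: Dict[str, Account],
                     workspaces: Dict[int, Workspace], body: str) -> str:
    """Inbound email handler that only checks membership (the behaviour reported)."""
    account = accounts.get(sender)
    workspace = workspaces[post.workspace_id]
    if account is None or sender not in workspace.members:
        return "rejected: not a member"
    post.comments.append((sender, body))
    return "posted"


def reply_fixed(sender: str, post: Post, accounts: Dict[str, Account],
                workspaces: Dict[int, Workspace], body: str, today: date) -> str:
    """Same handler with the entitlement check applied on this path as well."""
    account = accounts.get(sender)
    workspace = workspaces[post.workspace_id]
    if account is None or sender not in workspace.members:
        return "rejected: not a member"
    if not is_entitled(account, today):
        return "rejected: account expired"
    post.comments.append((sender, body))
    return "posted"


def notification_recipients(post: Post, accounts: Dict[str, Account],
                            workspaces: Dict[int, Workspace], today: date) -> List[str]:
    """Outbound side of the fix: unentitled members get no post emails at all."""
    workspace = workspaces[post.workspace_id]
    return sorted(email for email in workspace.members
                  if email in accounts and is_entitled(accounts[email], today))


def demo() -> dict:
    """Runs both handlers over constructed data and returns the outcomes."""
    today = date(2017, 9, 1)                      # constructed date
    accounts = {
        "owner@example.com": Account("owner@example.com", "active"),
        "expired@example.com": Account("expired@example.com", "expired",
                                       trial_ends=date(2017, 6, 1)),
    }
    workspaces = {1: Workspace(1, {"owner@example.com", "expired@example.com"})}
    post_a = Post(10, 1)   # handled by the vulnerable path
    post_b = Post(11, 1)   # handled by the fixed path
    return {
        "vulnerable": reply_vulnerable("expired@example.com", post_a, accounts,
                                       workspaces, "reply from expired account"),
        "fixed": reply_fixed("expired@example.com", post_b, accounts,
                             workspaces, "reply from expired account", today),
        "owner_fixed": reply_fixed("owner@example.com", post_b, accounts,
                                   workspaces, "reply from paying owner", today),
        "comments_a": len(post_a.comments),
        "comments_b": len(post_b.comments),
        "recipients": notification_recipients(post_b, accounts, workspaces, today),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that every entry point into a feature (web UI, inbound email, API) has to consult the same entitlement function; a gate implemented only in the UI is a UI convenience, not an authorization control. The fix the thread later describes does both halves shown here: it stops emailing expired members and stops accepting their replies.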

jackwilsonv Activities::Comment
2017-08-18T20:42:16.098Z
Thank you for contacting us about this, @rashedhasan007. We are investigating this report and will get back to you soon. In the meantime, can you confirm that the only action you are able to take with the deactivated account is to receive post emails and reply to them? (i.e. access other areas of the project like Tasks, Files, Gantt, or Proofs and no ability to further invite users to the project) Thanks, Jack


rashedhasan007 Activities::Comment
2017-08-19T10:38:14.504Z
Hi Jack, thanks for the follow up. Being very frank, I have been testing Mavenlink for quite a while and in the process I have created quite a few test accounts. So, as you wanted to know if it is possible to access other areas with an expired account or not: yes, the only confirmed action possible is to receive post emails and reply to them. I have tested this combining new and my old test accounts (which are expired) and I can confirm that no other feature is accessible; you cannot even go to email settings etc. For your inquiry I have tested this with a new pair of accounts keeping both screens side by side and the result is as anticipated. F214161 For an expired account, when I am inviting him he receives an email to see the project, but he cannot even access that, as the "Select A Plan" prompt appears. For all the areas of his account he only gets back to https://app.mavenlink.com/settings/account/subscription?showPlansPricing=true; even from his account clicking on the project does not work. However, I did notice it was possible to go to https://mavenlink.zendesk.com/hc/en-us/articles/204226220-Mavenlink-Changelog and http://go.mavenlink.com/mavenlink-premier-consultation from the Support tab, however these are not any functional part of the account. Check the video for better understanding. Thanks, Rashed


rashedhasan007 Activities::Comment
2017-09-02T21:50:24.404Z
Hi there, it's been a while. Any update on this issue?


jackwilsonv Activities::Comment
2017-09-06T22:20:09.402Z
Hey @rashedhasan007, I have a PR open that fixes this issue, sorry for the delay. I'll update the ticket once I get it merged and deployed. Thanks, Jack


jackwilsonv Activities::Comment
2017-09-11T20:41:32.583Z
Hey @rashedhasan007, This should be fixed now. If you could please verify the fix I'll get the ticket updated here shortly. Thanks, Jack


rashedhasan007 Activities::Comment
2017-09-11T21:26:27.240Z
Hi @jackwilsonv, unfortunately the issue has not yet been fixed. The expired account holder still gets invited when I am inviting him by email, he gets post updates on the project timeline via email, and when he makes a reply the comment gets posted on that post. I have tested this multiple times and I can still reproduce the issue, despite the fact that the expired account holder cannot access those projects; check the video I have attached. Hope you will look into this. Thanks, Rashed


jackwilsonv Activities::Comment
2017-09-11T21:42:46.821Z
Hey @rashedhasan007, Would you mind providing the email address of the expired account holder and the id of the workspace that you are using to test this? Jack


rashedhasan007 Activities::Comment
2017-09-11T21:49:11.224Z
Hi Jack, sure. The workspace I showed in my video PoC: https://app.mavenlink.com/workspaces/17583535/ and the expired account holder's Mavenlink login details: Richard Martin, Email: [email protected], Password: Whatdoyoumean00! If you want you can log into my test expired account and check the issue.


jackwilsonv Activities::Comment
2017-09-11T21:53:53.319Z
Excellent, thanks @rashedhasan007. I'll check these out and get back to you shortly.


rashedhasan007 Activities::Comment
2017-09-11T21:55:17.777Z
Sure, I will be waiting for updates. Cheers!


jackwilsonv Activities::BugTriaged
2017-09-14T18:10:20.575Z
@rashedhasan007, Quick update, I have another PR which addresses this and adds "expired" accounts into the scope. Should be merged in the next day or so. Jack


rashedhasan007 Activities::Comment
2017-09-14T18:19:39.769Z
Glad to know that. When this is fixed let me know; I will re-confirm using an expired account.


rashedhasan007 Activities::Comment
2017-09-27T12:11:40.321Z
Hey there @jackwilsonv, any update about this? Has it been fixed?


jackwilsonv Activities::Comment
2017-09-27T21:07:43.343Z
Yes, this should be fixed now. When you get a chance to verify it, we'll get it resolved & bounty paid. Thanks! Jack


rashedhasan007 Activities::Comment
2017-09-27T22:11:07.218Z
Hey there Jack, this seems to be fixed! When I am inviting an expired account holder he does not receive any email that he has been added; again, posts made on the project feed are not sent by email, so there is no scope for replying to them. However, the expired account holders are added into those projects in the web application (which can be viewed in their project section), but they don't have any access to it unless they upgrade their account. So from both sides they are restricted now, which seems to be a good implementation. I confirm the issue has been fixed. Nice job.


jackwilsonv Activities::ReportSeverityUpdated
2017-09-27T22:27:34.986Z


jackwilsonv Activities::BugResolved
2017-09-27T22:27:52.396Z
Great! Thanks for verifying, @rashedhasan007! Jack


Activities::BountyAwarded
2017-09-27T22:29:37.566Z


rashedhasan007 Activities::Comment
2017-09-27T22:40:14.110Z
Thanks for the bounty Mavenlink! :) However, I would humbly like to know if the severity may have been more, rather in the last stage of medium or the first stages of high severity, as it was resulting in direct interaction by a restricted user who was using a service for free for a particular module. I would politely request that this be viewed from that perspective and an increased bounty amount be reconsidered.


jackwilsonv Activities::Comment
2017-09-28T00:13:43.720Z
When I changed the severity I used Hackerone's tool. I think I agree with the output there for a couple of reasons. While it may have resulted in a customer getting some free service from us, that service (posting and receiving posts) is only a very small part of the entire application's functionality and was restricted to email interaction only (a format that I think most people find rather tiresome :) ). As we're still a pretty small company our payouts for low severity bugs are generally 100, but I bumped it to 200 for you because you were so helpful in verifying the fix (and pointing out that it wasn't fixed the first time!). As we grow and become more popular, we hope to be able to pay larger bounties to researchers like yourself :) Thanks again! Jack


rashedhasan007 Activities::Comment
2017-09-28T05:15:37.435Z
I understand :) Jack, no worries. Thank you for making it clear. Your hospitality and cooperation are appreciated :)


rashedhasan007 Activities::AgreedOnGoingPublic
2018-08-10T09:17:56.231Z
If possible I would like this finding to be publicly disclosed :)


Activities::ReportBecamePublic
2018-09-09T09:18:00.667Z