Monday, September 18, 2017

Authorization bug which I discovered in Prezi

Prezi allows you to create cool presentations, which you can later share with your audience. It also allows you to add collaborators who can assist in creating your presentation.
I started testing Prezi for security vulnerabilities (bugbounty.prezi.com) and found an authorization bug which allowed me to add/delete/modify collaborators for any public prezi, even ones that were not mine.

Vulnerable Request:
While adding a collaborator to your prezi presentation, the PUT request below is fired:
PUT /api/v1/share/<presentation_id>/permissions/ HTTP/1.1
Host: prezi.com
Connection: close
Content-Length: 60
User-Agent: <User agent string>
Origin: https://prezi.com
x-csrftoken: <csrf_token>
content-type: application/json
Accept: */*
Referer: https://prezi.com/dashboard/next/
Accept-Language: en-US,en;q=0.8
Cookie: <Cookie for attacker@gmail.com>

{"email":"attackerNewIdOrRealCollaborator@gmail.com","permission":"viewer"}

Explanation of the above request:
1) <presentation_id> is the victim's presentation
2) attacker@gmail.com: the attacker who is firing the above request
3) attackerNewIdOrRealCollaborator@gmail.com: either the attacker's own id or a genuine collaborator of this presentation with editor rights

What happens:
1) If the attacker used his own id in the body parameter, he would become a collaborator on presentation <presentation_id> without the victim's permission.
2) If the attacker used the id of a genuine collaborator with editor rights, then after firing this request that collaborator's permission would be lowered from editor to viewer only.
3) If the attacker simply changed the method of the above request from PUT to DELETE, any collaborator (except the owner) passed in the body parameter would be removed from that presentation.
4) This attack worked only for public prezis (and not for private prezis) because they are somewhat special: everyone has view permission by default, even though they are not collaborators (people explicitly added to view or edit the prezi). The vulnerable endpoint unfortunately treated this "default view permission" as a "collaborator permission", which allowed you to add anyone else as a view collaborator. This "collaborator privilege" also let you lower existing collaborators' permission to view level by re-adding them.
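The root cause in point 4, modelled as an added example that is not Prezi's code (the data model, function names and e-mail addresses are assumptions): the vulnerable check accepts the implicit view permission every user has on a public prezi, the hardened check requires the owner or an explicitly added editor, and replay_report runs the three outcomes above against each check.

```python
from dataclasses import dataclass, field

@dataclass
class Prezi:
    owner: str
    public: bool
    collaborators: dict = field(default_factory=dict)  # email -> "viewer" | "editor"

def can_manage_vulnerable(prezi, user):
    # Vulnerable check: view access is mistaken for collaborator access, and on
    # a public prezi everyone has view access (point 4 above).
    return prezi.public or user == prezi.owner or user in prezi.collaborators

def can_manage_fixed(prezi, user):
    # Hardened check: only the owner or an explicitly added editor qualifies.
    return user == prezi.owner or prezi.collaborators.get(user) == "editor"

def set_permission(prezi, actor, email, permission, can_manage):
    # Simplified PUT .../permissions/ handler; the check is a parameter so both variants run.
    if not can_manage(prezi, actor) or email == prezi.owner:
        raise PermissionError("actor may not change this permission")
    prezi.collaborators[email] = permission
    return dict(prezi.collaborators)

def remove_permission(prezi, actor, email, can_manage):
    # Simplified DELETE .../permissions/ handler.
    if not can_manage(prezi, actor) or email == prezi.owner:
        raise PermissionError("actor may not remove this collaborator")
    prezi.collaborators.pop(email, None)
    return dict(prezi.collaborators)

def _allowed(attempt):
    try:
        attempt()
        return True
    except PermissionError:
        return False

def replay_report(can_manage, public=True):
    # Replays the report's three outcomes (attacker self-add, editor demotion,
    # collaborator deletion) on constructed accounts; returns which ones pass.
    prezi = Prezi(owner="victim@example.com", public=public,
                  collaborators={"editor@example.com": "editor"})
    attacker, editor = "attacker@example.com", "editor@example.com"
    return (
        _allowed(lambda: set_permission(prezi, attacker, attacker, "viewer", can_manage)),
        _allowed(lambda: set_permission(prezi, attacker, editor, "viewer", can_manage)),
        _allowed(lambda: remove_permission(prezi, attacker, editor, can_manage)),
    )
```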

I reported the same to Prezi, which was fixed fast, and Prezi rewarded a nice bounty :)
