
Responsible Disclosure-Insecure Direct Object Reference

Nikhil Srivastava <mr.nikhilsrivastava@gmail.com>
3/15/14
to developer

Vulnerability:
Insecure Direct Object Reference
Details:
1. Log in as Administrator, make two mailboxes, say A and B, and start some conversations in each of
them.
2. Make a new user and assign it a mailbox, say A.
3. Now go to mailbox B, access any conversation and edit the conversation. Type anything and click on
save changes. Intercept the request using Burp interceptor and make a note of the following parameters. The
request will be like the one below:
POST /conversation/24590338/thread/56671219.json HTTP/1.1
Host: secure.helpscout.net
User-Agent: snip..
Accept: application/json, text/javascript, */*; q=0.01
snip..
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://secure.helpscout.net/conversation/24591057/7/
Content-Length: 48
Cookie: PHPSESSID=jtj4f3skhs5u2g8o1sp8d20i01; blawblaw
id=56671219&text=haha+text+has+been+added&mode=1
This request contains two parameter values:
i) mailbox id i.e. 24590338
ii) conversation id i.e. 56671219
4. Now log out from the Administrator account and log in to the user account.
5. Access the assigned mailbox, i.e. mailbox A, and edit the conversation. Input anything and click on save
changes. Intercept the request. Now modify the mailbox id and conversation id of the request to the ones
mentioned in STEP 3, like below:
POST /conversation/24590338/thread/56671219.json
id=56671219&text=haha+text+has+been+modified&mode=1
*The changes made are shown in bold, italic and underlined characters and numbers.
6. Now submit the request and check the response. The request completes successfully and the content
has been added to a conversation which the user doesn't even have access to. For proof, log in with the
administrator account and access mailbox B.
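An added example, not Help Scout's code, of the server-side authorization check that would have rejected the modified request in step 5, showing the vulnerable handler next to a fixed one. The data model, handler names and the mapping of the two path ids to a conversation and a thread are assumptions; the request path, body and ids are taken from the report above.

```python
import re
from urllib.parse import parse_qs

# Constructed data model (an assumption, not Help Scout's schema). Mailbox A is
# shared by the admin and the limited user; mailbox B belongs to the admin only.
MAILBOX_USERS = {"A": {"admin", "user"}, "B": {"admin"}}
CONVERSATION_MAILBOX = {24591057: "A", 24590338: "B"}   # conversation -> mailbox

def fresh_threads():
    """thread id -> [owning conversation, text]; ids taken from the report's request."""
    return {7: [24591057, "note in A"], 56671219: [24590338, "note in B"]}

PATH_RE = re.compile(r"^/conversation/(\d+)/thread/(\d+)\.json$")

def parse_request(path, body):
    """Return (first path id, thread id, form fields) or None for a malformed request."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return int(m.group(1)), int(m.group(2)), fields

def edit_thread_vulnerable(session_user, path, body, threads):
    """The behaviour the report describes: a valid session and an existing
    thread id are enough, so ids swapped in from another mailbox are accepted."""
    parsed = parse_request(path, body)
    if parsed is None or session_user is None:
        return 400
    _, thread_id, fields = parsed
    if thread_id not in threads:
        return 404
    threads[thread_id][1] = fields.get("text", "")
    return 200

def edit_thread_fixed(session_user, path, body, threads):
    """Authorize against the object's real owner, never the ids the client sent."""
    parsed = parse_request(path, body)
    if parsed is None or session_user is None:
        return 400
    conversation_id, thread_id, fields = parsed
    thread = threads.get(thread_id)
    # Path ids and body id must all describe the same object.
    if thread is None or thread[0] != conversation_id or fields.get("id") != str(thread_id):
        return 404
    # The session user must be assigned to the mailbox that owns the conversation.
    mailbox = CONVERSATION_MAILBOX.get(conversation_id)
    if session_user not in MAILBOX_USERS.get(mailbox, set()):
        return 403
    thread[1] = fields.get("text", "")
    return 200
```

A detection angle follows from the same check: a write whose session user is not assigned to the owning mailbox is exactly the event worth logging and alerting on.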

Developer Support <developer@helpscout.net>
3/18/14
to me

Hello there,

Thank you for reporting this security issue to our engineering team. We have received your report and
will reply to this email when the issue has been processed. Please keep the following rules in mind
while we process your report:
1. We are only able to provide a bounty to the first person that discovers and reports the
issue. For this reason, we always process them in the order they are received.
2. To be eligible for a bounty, you must not share any specifics about the issue publicly
or with any third party until we have had the time to process and reply to your request.
Thanks again for your assistance, someone from our team will be in touch soon regarding your report.
-Denny Swindle
developer@helpscout.net
http://developer.helpscout.net/

From: Nikhil Srivastava <mr.nikhilsrivastava@gmail.com>
Date: March 15, 2014 6:09:25 AM EDT
To: Developer Support <developer@helpscout.net>
Subject: Re: Responsible Disclosure-Insecure Direct Object Reference
{#HS:24688461-82339#}

Developer Support <developer@helpscout.net>
5/22/14
to me

Hey Nikhil,
Thanks for reporting this issue! I'm so so sorry for the delay involved. We still have not deployed the
fix (please do not publicize the issue), but I wanted to go ahead and award the bounty and give you
appropriate credit. I will update your existing record in our HOF.
Please let me know the following information so that we can properly thank you for the assistance:
1- Confirm your PayPal email address for payment. We've decided on a $100 payment for this issue.
-Nick Francis
developer@helpscout.net