Untitled

Title:         Force a user to join your team
Weakness:      Cross-Site Request Forgery (CSRF)
Severity:      No Rating
Link:          https://hackerone.com/reports/193053
Date:          2016-12-21 12:52:55 +0000
By:            @exception

Details:
Hi Mr @raaghavs

I have another csrf here.

Hellosign offers Team member adding for premium accounts , free accounts can not add team members.
When a premium account invites a user , a link for the invtiation is sent to the invited user.

Now if the invited user logged in his account , he is offered a form to determine if he will accept the invitation or cancel it .
{F145796}
If the user clicked Accpet , An HTTP Get request is issued to
`https://www.hellosign.com/account/confirmTeamInvite/guid/___GUID__Value___/does_accept/1`
With no csrf token implemented.


Now if the team admin made the invited user visits a page contains a link of the invitation , he will force the user to accept the invitation.

#Vulnerable Url
```
https://www.hellosign.com/account/confirmTeamInvite/guid/___GUID__Value___/does_accept/1
```

```
<html>
<!-- The page wihch the victim will visit -->
<img sc=`https://www.hellosign.com/account/confirmTeamInvite/guid/___GUID__Value___/does_accept/1`  />
</html>
```

#reproduce
1- Log into premium account
2- Pick another account
3- invite the second account (this required to get the `guid`  value)
4- invite the victim user
5- Log in the second account
6- navigate to team area, you will see the invitation form,click accept
7- Capture the request using proxy or developer tools in chrome or firefox
8- Send the link to the victim user
9- When the victim visits the link , he will be forced to join your team


#Fix
- You should implement a csrf token


Happy Fixing
Best Regards


Timeline:
2016-12-22 02:03:18 +0000: @raaghavs (bug needs more info)
@exception - Can you share a working video POC? We are unable to reproduce the issue. The guid randomly generated as part of the team invite is tied to the e-mail account of the team member being added and would fail if executed by anyone else. Also, in order to fetch the correct guid you would need access to the victim's e-mail/hellosign account, so I would assume it would not be feasible to perform a CSRF attack in this case. Please share a video POC if you disapprove and have found a way of exploiting this via CSRF.

FYI @nealomara  and @anshu

---

2016-12-22 19:25:44 +0000: @exception (bug new)
Check the attachments ,I already sent a poc , in this poc first I invited my second account in order to get guide parameter , second I invited the victim then logged in my second account and fetched for the guide parameter and inserted in my html code and made the victim visits my code , and it worked.

---

2016-12-22 19:40:07 +0000: @raaghavs (bug needs more info)
@exception - Are your second account and the victim account two different accounts?

---

2016-12-26 00:16:53 +0000: @exception (bug new)
Yes , they are different.
Here is a [youtube video ](https://www.youtube.com/watch?v=rNishWTLkLM&feature=youtu.be) , in this video i used
- `gersy.ch2@gmail.com` as attacker premium account
- `attacker-acc-2@yopmail.com` as attacker second account (to get the guid par)
- `victim-acc-1@yopmail.com` as a victim
- `thejextrix@gmail.com` as additional victim

I was able to force the two different victims to join my team using one single guid grabbed using my second account `attacker-acc-2@yopmail.com`.

---

2016-12-30 12:59:10 +0000: @exception (comment)
Do you face any reproduce-difficulties ? or any update?

---

2017-01-25 11:51:57 +0000: @exception (comment)
Hi Mr @raaghavs

I still see this as a valid report , and this issue requires attention
I opened my account `reflected.way@gmail.com` and invited the following emails

```
xchrome@yopmail.com	       (Invited)	0	Remove
xfirefox@yopmail.com	       (Invited)	0	Remove
face@yopmail.com                (Invited)	0	Remove
reflected.way@gmail.com     Admin
xedge@yopmail.com	      Member
xopera@yopmail.com	      Member
```
then i opened one of those accounts to fetch the `guid` parameter to use against other accounts to force them to join my team , can you try to log in with one or more of these accounts to try the poc it will work with all accounts

```
xchrome@yopmail.com:y1a2s3s4
xfirefox@yopmail.com:y1a2s3s4
face@yopmail.com:y1a2s3s4
```
- Just visit this url after loggin-in ,  and you will see the account is forced to join the team
`https://www.hellosign.com/account/confirmTeamInvite/guid/8105d4ddb7aeb347c9936385b4b858abb355d0b2/does_accept/1`


---

2017-02-14 03:50:33 +0000: @raaghavs (bug needs more info)
@exception - Does this happen only if you invite the victim and then get the victim to click on this confirmTeamInvite URL?

---

2017-02-16 11:22:22 +0000: @exception (bug new)
The victim must visit the url (GET or POST) in order to exploit.

So If a victim is logged in and visited any webiste containing the following code
```
<img src='https://www.hellosign.com/account/confirmTeamInvite/guid/8105d4ddb7aeb347c9936385b4b858abb355d0b2/does_accept/1' />
```
The invitation will be accepted.
It will work in all these cases
  - Visiting the url directly through the browser
-  Visit a web page contains the link as image , form , script or any other method that forces the browser to issue a request to the vulnerable url.

Conditions to exploit
- The victim must be logged in
- The guid parameter must be grabbed from another victim account ( attacker's 2nd account)

---

2017-06-20 16:02:10 +0000: @raaghavs (bug needs more info)
@exception Are you still able to see the issue? We have not been able to successfully reproduce the issue.