🟩Logic flaw led to a $$$ privilege escalation
The docs say that bot accounts can’t, but users can. Convert the user to a bot, and now this bot can.
Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3.
So, let’s get to it. Today’s story is about a very simple privilege escalation that took 31 days to be triaged by Bugcrowd (and idk why the fk that happened). Anyway, it’s about the scam program team-manager.cloud that I mentioned previously.
After digging deeper into their docs, I found a feature called bot accounts. These accounts can do some actions and can’t do other actions.

Bot accounts: Similar to user accounts but can only be used via the RESTful API.
One of the functions bots can’t use:
Manage slash commands: Configure custom messages after the / character that trigger HTTP requests to a web service when typed in the chat.

I also discovered an interesting function that allows converting any user into a bot.
After knowing all this, a simple scenario should come to your mind: what happens if I create a user, convert it to a bot, and then check whether the bot can use those restricted functions or not?
After testing this flaw with all the functions that bot accounts can’t use, it worked with slash commands. Here are the full steps:
System Admin:
1. Invites the attacker to his team with a member role.
2. Turns on the permission for managing slash commands for member-role users.
3. Converts the attacker’s user account to a bot account.
4. Creates an access token to let the attacker use his new account via the API.
Attacker (converted user to bot):
5. Crafts a POST request to create a slash command → 201 Created.
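Here is an added illustrative model of the flaw (my own example code, not code from team-manager.cloud or its vendor): if the "bots can't" rule is only enforced when a bot is created, the authorization check on the slash-command endpoint looks at roles alone, and a user converted into a bot keeps the permission; the hardened check applies the restriction to the account's current state on every request. The permission identifier, the role table and all function names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical permission name; constructed for this example, not the real API.
MANAGE_SLASH_COMMANDS = "manage_slash_commands"
# Actions the docs say bot accounts can never use, whatever their role.
BOT_DENIED = {MANAGE_SLASH_COMMANDS}

@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    is_bot: bool = False

def default_role_perms():
    """Fresh role-permission table; the admin may grant more to 'member'."""
    return {"system_admin": {MANAGE_SLASH_COMMANDS, "manage_team"}, "member": set()}

def create_bot(username):
    """Native bot: starts with no roles, so even the flawed check denies it."""
    return Account(username, is_bot=True)

def convert_user_to_bot(acct):
    """Admin 'convert user to bot': flips the flag but keeps existing roles (the gap)."""
    acct.is_bot = True
    return acct

def flawed_can(acct, perm, role_perms):
    """Flawed: role permissions only; 'bots can't' is assumed enforced at bot creation."""
    return any(perm in role_perms.get(r, set()) for r in acct.roles)

def hardened_can(acct, perm, role_perms):
    """Hardened: apply the bot restriction to the account's current state every time."""
    if acct.is_bot and perm in BOT_DENIED:
        return False
    return flawed_can(acct, perm, role_perms)

def create_slash_command(acct, can, role_perms):
    """Endpoint stub: HTTP status the slash-command creation request receives."""
    return 201 if can(acct, MANAGE_SLASH_COMMANDS, role_perms) else 403

def reproduce(can):
    """Replay the write-up's steps; returns (converted attacker status, native bot status)."""
    role_perms = default_role_perms()
    attacker = Account("attacker", {"member"})       # 1. invited as member
    role_perms["member"].add(MANAGE_SLASH_COMMANDS)  # 2. permission enabled for members
    convert_user_to_bot(attacker)                    # 3. converted to a bot
    native_bot = create_bot("native-bot")
    return (create_slash_command(attacker, can, role_perms),
            create_slash_command(native_bot, can, role_perms))
```

With the flawed check the converted account gets 201 while a natively created bot gets 403; with the hardened check both get 403.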

Bugcrowd triaged it as a P3 (after 31 days!). The internal team later downgraded it to a P4.
I really don’t give a fk xD
