Dropbox Acquisitions: Privilege Escalation at invite feature @hackpad.com

ID H1:47932
Type hackerone
Reporter daksh
Modified 2015-04-04T04:30:02



I would like to report a privilege escalation in hackpad.com's invite feature.

Description :

Hackpad allows a workspace admin to add/invite users with admin/member/guest etc. roles. I am able to grant that access to anyone with just one click.

Attack Scenario:

Let's say you have a workspace named attacker.hackpad.com and you want to become a member of victim.hackpad.com.

Steps to reproduce:

1) Log in to attacker.hackpad.com and visit victim.hackpad.com. You will get an error message like:

<b>EMAIL</b> - is not a member of WORKSPACE.<br/><br/> You can <a href='/ep/invite/request-to-join?uid=UID'>request to join</a>.

Copy that UID and send a request like:


This UID belongs to the victim's workspace, but we are sending the request to our own workspace's email.

You will then get an email with:


If you open this link in the attacker's account it will say "The user is already a member of this workspace".


Now change the domain name to the victim's, like:


Send this to the victim via email, clickjacking, or any other means. When they open the link, the attacker's account will get access to the workspace. You can check it here:


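The flow in the steps above, modelled as an added example (this is not Hackpad's code; the service structure, host names, workspace UIDs and account names are assumed for illustration): the vulnerable variant mails the approval link to whichever workspace the request was made on and lets the link be redeemed on any workspace host, which is what makes the domain swap work; the hardened variant mails the admins of the workspace the UID names and binds the token to that workspace.

```python
"""Toy model of the invite-approval flaw described in the report.

Added illustration only, not Hackpad's code: the workspace/token/approval
structure is an assumed reconstruction of the behaviour the report describes
(a join request made with the victim's workspace UID is mailed to the
attacker's own workspace, and the approval link still works when its host is
changed to the victim's domain). Hosts, UIDs and account names are invented.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit, urlunsplit


@dataclass
class Workspace:
    uid: str                     # value of ?uid= in /ep/invite/request-to-join
    host: str                    # e.g. "victim.hackpad.com"
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


@dataclass
class JoinRequest:
    requester: str               # account that asked to join
    workspace_uid: str           # workspace the request was created for


class InviteService:
    def __init__(self, workspaces, hardened=False):
        self.hardened = hardened
        self.by_host = {w.host: w for w in workspaces}
        self.by_uid = {w.uid: w for w in workspaces}
        self.requests = {}       # token -> JoinRequest
        self.outbox = []         # (recipient host, approval link); stands in for email

    def request_to_join(self, host, uid, requester):
        """Handles GET https://<host>/ep/invite/request-to-join?uid=<uid>."""
        token = secrets.token_urlsafe(16)
        self.requests[token] = JoinRequest(requester, uid)
        # Vulnerable: the approval mail goes to the host the request was made on
        # (the attacker's own workspace), so the attacker receives the link.
        # Hardened: it goes to the admins of the workspace the UID names.
        notify_host = self.by_uid[uid].host if self.hardened else host
        link = f"https://{notify_host}/ep/invite/approve?token={token}"
        self.outbox.append((notify_host, link))
        return link

    def approve(self, host, token, approver):
        """Handles GET https://<host>/ep/invite/approve?token=<token>."""
        req = self.requests.get(token)
        if req is None:
            return "invalid or expired token"
        ws = self.by_host[host]
        # Vulnerable: the target workspace is whichever host the link is opened
        # on; the token is never compared with the workspace it was created for.
        if self.hardened and ws.uid != req.workspace_uid:
            return "token was not issued for this workspace"
        if approver not in ws.admins:
            return "not an admin of this workspace"
        if self.hardened:
            del self.requests[token]            # single use
        if req.requester in ws.members:
            return "The user is already a member of this workspace"
        ws.members.add(req.requester)
        return "approved"


def swap_host(link, new_host):
    """The attacker's step: keep the token, change the domain to the victim's."""
    parts = urlsplit(link)
    return urlunsplit(parts._replace(netloc=new_host))


def run_attack(hardened):
    """Replays the report's steps; returns the responses seen and the outcome."""
    attacker_ws = Workspace("ws-attacker", "attacker.hackpad.com", {"mallory"}, {"mallory"})
    victim_ws = Workspace("ws-victim", "victim.hackpad.com", {"alice"}, {"alice"})
    svc = InviteService([attacker_ws, victim_ws], hardened=hardened)

    # Steps 1-2: mallory copies the victim UID from the error page and submits
    # the join request from her own workspace host.
    link = svc.request_to_join("attacker.hackpad.com", victim_ws.uid, "mallory")
    token = parse_qs(urlsplit(link).query)["token"][0]
    steps = {"mailed_to": svc.outbox[-1][0]}
    # Step 3: opening the link on her own workspace (assuming she holds the
    # token) only tells her she is already a member there.
    steps["own_host"] = svc.approve("attacker.hackpad.com", token, "mallory")
    if steps["mailed_to"] == "attacker.hackpad.com":
        # Step 4: she holds the link, swaps the domain and lures the victim admin.
        victim_link = swap_host(link, "victim.hackpad.com")
        steps["victim_host"] = svc.approve(urlsplit(victim_link).netloc, token, "alice")
    steps["attacker_is_member"] = "mallory" in victim_ws.members
    return steps
```

`run_attack(hardened=False)` ends with "mallory" in the victim's member list; `run_attack(hardened=True)` mails the request to victim.hackpad.com, rejects the token on the attacker's host and leaves the victim workspace untouched. Because the report notes the victim can be clickjacked into opening the link, a real fix should also make approval an explicit POST with CSRF protection rather than a GET link.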
Let me know if you need any help.

Regards, Daksh Patel