Coda: Unrestricted access to any "connected pack" on docs

ID H1:777942
Type hackerone
Reporter 0xcrypto
Modified 2020-04-14T22:42:49



When adding a pack, a post request is sent to[doc ID]/packs with data {"packId":[pack Id]} where doc ID is the id of doc user wishes to add pack and pack ID is the pack user wants to install. But this request is unrestricted and the user can iterate over packId to get any free/pro/disabled pack.

Steps To Reproduce:

  1. Capture the post request while installing any pack using a proxy like Burp when you are logged in.
  2. Change packId to desired pack's ID. A valid packId gives a 200 status and invalid gives 400.

The below post request contains packId of Google Translate Pack which is a pro pack.

``` POST /internalAppApi/documents/F5Y1qJ3aw-/packs HTTP/1.1 Host: Connection: close Content-Length: 15 Accept: application/json Origin: X-Csrf-Token: InEwS0Z2U21xR09JUDI2Qkwi User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 Content-Type: application/json Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Referer: Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: / Your Cookie /

{"packId":1063} ```

Sending the request should return a 200 OK. Check the doc, the pro pack is installed.

This doc created by uses Google Translate pro pack without upgrading. Installing the pro pack gives a 14 days warning. I am not sure if it will expire and become read only.


Allows anyone to use paid functionality for free causing loss to business.