InVision: Deleting a Project for which the user is not owner but a normal member

ID H1:85401
Type hackerone
Reporter sarwarjahan
Modified 1970-01-01T00:00:00


A Project member who is not the owner of the project does not have delete option. But using proxy tool like Burp Suite, a low privilege Project member user can delete the Project, Where only the project owner has the privilege to delete the project.

Pre-Requisite: A project where current user is just a low privilege member

Steps: 1. Login to Invision 2. Navigate to My Projects page Observe that the project for which the current user is not owner, he does not have the delete option 3. ███████ 4. ████████ 5. ████████ 6. Forward the request to server

Result: The low privilege Project Member successfully deletes the Project for which only the project owner is privileged to delete the project.

Please Watch the PoC video for detailed steps and proof. PoC Video: ████████