Vulnerability Exposed Smartsheet Accounts to Hijacking

Smartsheet has patched a serious vulnerability that could have been exploited to hijack user accounts. The company says the flaw has not been exploited in the wild.

Smartsheet is a Bellevue, Washington-based Software-as-a-Service (SaaS) company that provides work management and collaboration solutions. The firm says its intuitive spreadsheet-like cloud app is used by over 65,000 businesses and 5 million users across 175 countries.

Clifford Trigo, a security consultant based in the Philippines, uncovered an insecure direct object reference vulnerability that could have been exploited to hijack user accounts via Smartsheet’s “import users” feature.

Trigo reported the flaw to Smartsheet via the company’s private bug bounty program on the Bugcrowd platform. Smartsheet patched the vulnerability and awarded the expert $2,000, the maximum reward offered by the company for security bugs. The researcher disclosed the details of the flaw over the weekend.

Insecure direct object references exist when a web application uses the actual key of an object when generating webpages without ensuring that users cannot access objects other than their own. An attacker who has an account on the targeted application can exploit such vulnerabilities to access other users’ accounts simply by changing the value of a parameter that directly points to a system object.

In the case of Smartsheet, Trigo discovered an insecure direct object reference that allowed malicious actors to take over millions of accounts.

The vulnerability existed in the “Import Users” feature in the application’s “User Management” page. The feature is designed to allow customers to import users from CSV files and assign roles to those users (e.g. system admin, group admin, licensed user, resource viewer). However, there was no check in place to verify that the user requesting the import had the right privileges.

A malicious actor could have exploited the flaw by initiating a normal user import process and intercepting the request sent to the server. This request contained a parameter (“param1”) whose value was the user’s ID. By simply changing the value of this parameter to the ID of a different user, an attacker could have imported his own user details into the targeted account and obtained all permissions.
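To illustrate the missing check the article describes, here is an added example (not Smartsheet’s code) of a minimal “import users” handler in its insecure form beside a hardened form that verifies the caller administers the target account. The account records, user IDs and roles are constructed for the example; the target-account parameter is named param1 as in the article.

```python
# Added illustration, not Smartsheet's code. Models an "import users"
# request handler: the insecure version trusts the client-supplied account
# id (param1) outright; the fixed version requires the session user to be an
# admin of that account. Accounts and ids below are constructed test data.
from dataclasses import dataclass, field


@dataclass
class Account:
    owner_id: str
    admins: set = field(default_factory=set)
    members: dict = field(default_factory=dict)  # email -> assigned role


# Constructed fixture: two independent accounts, each with its own admin.
ACCOUNTS = {
    "acct-100": Account(owner_id="u-alice", admins={"u-alice"}),
    "acct-200": Account(owner_id="u-bob", admins={"u-bob"}),
}

ALLOWED_ROLES = {"system admin", "group admin", "licensed user", "resource viewer"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested account."""


def import_users_insecure(session_user, param1, rows):
    """Insecure direct object reference: param1 names the target account and
    is never compared against the caller's privileges, so any authenticated
    user can import members (and roles) into any account."""
    account = ACCOUNTS[param1]
    for email, role in rows:
        account.members[email] = role
    return account.members


def import_users_fixed(session_user, param1, rows):
    """Hardened form: the import proceeds only if the session user is an
    admin of the account identified by param1. Unknown accounts and
    unauthorized accounts get the same refusal so ids are not enumerable."""
    account = ACCOUNTS.get(param1)
    if account is None or session_user not in account.admins:
        raise Forbidden("not authorized to import users into this account")
    for email, role in rows:
        if role not in ALLOWED_ROLES:
            raise ValueError(f"unknown role: {role}")
        account.members[email] = role
    return account.members
```

The decisive difference is the server-side ownership check on the object the client names; renaming or hiding the parameter would not have closed the hole.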

Smartsheet told SecurityWeek that it has conclusively determined — based on its analysis of the attack method and the evidence it leaves — that the vulnerability was never exploited in the wild.

“We are grateful to Mr. Trigo for his continuing research on our platform, and the professional manner in which he conducts his responsible disclosure practices. The nature and pattern of this particular issue is such that we are able to conclude that this vector was never exploited by anyone other than Mr. Trigo, working against two accounts under his direct control. Within 4 hours of being made aware of this, our security, operations, quality assurance, and development teams deployed an update to our platform, eliminating the flaw,” stated DJ Hanson, director of information security at Smartsheet.

“We can unequivocally state that there was no disclosure or impact to any customer accounts or data. It is our view that openly rewarding and celebrating the findings of well-intentioned researchers is an essential part of a healthy and mature security program. We have been very impressed with the work and quality of the researchers @Bugcrowd and hope to continue our relationship with them and their community of professionals,” Hanson added.

Earlier this month, Trigo reported finding two cross-site scripting (XSS) vulnerabilities in Square Appointments, an online appointment system for business owners recently introduced by Square.

*Updated with statement and additional information from Smartsheet

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
