Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerability Exposed Smartsheet Accounts to Hijacking

Smartsheet has patched a serious vulnerability that could have been exploited to hijack user accounts. The company says the flaw has not been exploited in the wild.

Smartsheet has patched a serious vulnerability that could have been exploited to hijack user accounts. The company says the flaw has not been exploited in the wild.

Smartsheet is a Bellevue, Washington-based Software-as-a-Service (SaaS) company that provides work management and collaboration solutions. The firm says its intuitive spreadsheet-like cloud app is used by over 65,000 businesses and 5 million users across 175 countries.

Clifford Trigo, a security consultant based in the Philippines, uncovered an insecure direct object reference vulnerability that could have been exploited to hijack user accounts via Smartsheet’s “import users” feature.

Trigo reported the flaw to Smartsheet via the company’s private bug bounty program on the Bugcrowd platform. Smartsheet patched the vulnerability and awarded the expert $2,000, the maximum reward offered by the company for security bugs. The researcher disclosed the details of the flaw over the weekend.

Insecure direct object references exist when a web application uses the actual key of an object when generating webpages without ensuring that users cannot access other objects than their own. An attacker who has an account on the targeted application can exploit such vulnerabilities to access other users’ accounts simply by changing the value of a parameter that directly points to a system object.

In the case of Smartsheet, Trigo discovered an insecure direct object reference that allowed malicious actors to take over millions of accounts.

The vulnerability existed in the “Import Users” feature in the application’s “User Management” page. The feature is designed to allow customers to import users from CSV files and assign roles to those users (e.g. system admin, group admin, licensed user, resource viewer). However, there was no check in place to verify that the user requesting the import had the right privileges.

A malicious actor could have exploited the flaw by initiating a normal user import process and intercepting the request sent to the server. This request contained a parameter (“param1”) whose value was the user’s ID. By simply changing the value of this parameter to the ID of a different user, an attacker could have imported his own user details to the targeted account and obtain all permissions.

Smartsheet told SecurityWeek that it has conclusively determined — based on its analysis of the attack method and the evidence it leaves — that the vulnerability was never exploited in the wild.

“We are grateful to Mr. Trigo for his continuing research on our platform, and the professional manner in which he conducts his responsible disclosure practices. The nature and pattern of this particular issue is such that we are able to conclude that this vector was never exploited by anyone other than Mr. Trigo, working against two accounts under his direct control. Within 4 hours of being made aware of this, our security, operations, quality assurance, and development teams deployed an update to our platform, eliminating the flaw,” stated DJ Hanson, director of information security at Smartsheet.

“We can unequivocally state that there was no disclosure or impact to any customer accounts or data. It is our view that openly rewarding and celebrating the findings of well-intentioned researchers is an essential part of a healthy and mature security program. We have been very impressed with the work and quality of the researchers @Bugcrowd and hope to continue our relationship with them and their community of professionals,” Hanson added.

Earlier this month, Trigo reported finding two cross-site scripting (XSS) vulnerabilities in Square Appointments, an online appointments systems for business owners introduced recently by Square.

*Updated with statement and additional information from Smartsheet

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.