Vulnerability Exposed Smartsheet Accounts to Hijacking

Smartsheet has patched a serious vulnerability that could have been exploited to hijack user accounts. The company says the flaw has not been exploited in the wild.

Smartsheet is a Bellevue, Washington-based Software-as-a-Service (SaaS) company that provides work management and collaboration solutions. The firm says its intuitive spreadsheet-like cloud app is used by over 65,000 businesses and 5 million users across 175 countries.

Clifford Trigo, a security consultant based in the Philippines, uncovered an insecure direct object reference vulnerability that could have been exploited to hijack user accounts via Smartsheet’s “import users” feature.

Trigo reported the flaw to Smartsheet via the company’s private bug bounty program on the Bugcrowd platform. Smartsheet patched the vulnerability and awarded the expert $2,000, the maximum reward offered by the company for security bugs. The researcher disclosed the details of the flaw over the weekend.

An insecure direct object reference (IDOR) exists when a web application exposes the actual key of an internal object (such as a user or account ID) in a request or page and then acts on that key without verifying that the requesting user is authorized to access that object. An attacker who merely holds an account on the targeted application can exploit such a flaw to reach other users’ data or accounts simply by changing the value of the parameter that points to the object.

In Smartsheet’s case, the insecure direct object reference Trigo found would have let an attacker holding an ordinary account take over potentially any of the platform’s millions of accounts.

The vulnerability existed in the “Import Users” feature on the application’s “User Management” page. The feature lets customers import users from CSV files and assign them roles (e.g. system admin, group admin, licensed user, resource viewer). However, the server did not check that the account being modified by the import actually belonged to, or was administered by, the user submitting the request.

An attacker could have exploited the flaw by starting a normal user import from their own account and intercepting the request sent to the server. The request carried a parameter (“param1”) whose value was the attacker’s own user ID. By changing that value to the ID of a different user, the attacker could have imported their own user details into the targeted account and obtained full permissions over it.
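To make the two paragraphs above concrete, here is an added example (not Smartsheet’s code, and not from the researcher’s write-up) of an “import users” handler with this class of flaw beside a hardened version, plus a replay of the attack path: start a legitimate import, swap the object reference for the victim’s account, and see whether the attacker ends up with admin rights. The account IDs, roles, the `param1` name and the CSV rows are constructed for illustration and are assumptions, not details taken from the real service.

```python
"""Added example (not Smartsheet's code): a user-import endpoint with an
insecure direct object reference, beside a hardened version. Account ids,
roles, the "param1" parameter name and the CSV rows are constructed for
illustration and are assumptions, not details taken from the real service."""
import csv
import io
from dataclasses import dataclass

ADMIN_ROLE = "system admin"


@dataclass(frozen=True)
class SessionUser:
    """What the server knows about the caller from its own session store."""
    user_id: str
    account_id: str
    role: str


def fresh_store():
    """Constructed tenant data: account_id -> {email: role}."""
    return {
        "acct-1001": {"attacker@example.test": "licensed user"},  # attacker's account
        "acct-2002": {"victim-admin@example.test": ADMIN_ROLE},   # victim's account
    }


def parse_users_csv(text):
    """Parse an 'email,role' CSV body into normalized (email, role) pairs."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["email"].strip().lower(), r["role"].strip()) for r in rows]


def import_users_vulnerable(caller, params, csv_text, store):
    """IDOR: the account to modify is taken from a client-controlled parameter.

    Nothing ties params["param1"] back to the caller, so anyone with a login
    can import users (including themselves, as admin) into any account id."""
    account_id = params["param1"]
    for email, role in parse_users_csv(csv_text):
        store[account_id][email] = role
    return account_id


def import_users_fixed(caller, params, csv_text, store):
    """Hardened: the target object is derived from the server-side session.

    The client-supplied id is only compared against the session, never used
    as the key, and the caller's role is checked before any write happens."""
    account_id = caller.account_id
    if params.get("param1", account_id) != account_id:
        raise PermissionError("object reference does not belong to the caller")
    if caller.role != ADMIN_ROLE:
        raise PermissionError("user import requires the system admin role")
    users = parse_users_csv(csv_text)  # validate the whole body before mutating
    for email, role in users:
        store[account_id][email] = role
    return account_id


def run_attack(handler):
    """Replay the attack path from the article against a handler.

    The attacker starts an import from their own account, intercepts the
    request, and swaps param1 for the victim's account id. Returns the role
    the attacker holds in the victim's account afterwards (None if none)."""
    store = fresh_store()
    attacker = SessionUser("u-1", "acct-1001", "licensed user")
    tampered = {"param1": "acct-2002"}  # victim's id, not the attacker's acct-1001
    body = "email,role\nattacker@example.test,system admin\n"
    try:
        handler(attacker, tampered, body, store)
    except PermissionError:
        pass
    return store["acct-2002"].get("attacker@example.test")


def run_legitimate_import():
    """Sanity check: a real admin importing into their own account still works."""
    store = fresh_store()
    admin = SessionUser("u-2", "acct-2002", ADMIN_ROLE)
    body = "email,role\nnewhire@example.test,licensed user\n"
    import_users_fixed(admin, {"param1": "acct-2002"}, body, store)
    return store["acct-2002"]["newhire@example.test"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(import_users_vulnerable))  # system admin
    print("fixed:     ", run_attack(import_users_fixed))       # None
    print("legit:     ", run_legitimate_import())              # licensed user
```

The point of the fixed handler is not that it rejects a mismatched `param1`; it is that the account key never comes from the request at all. The comparison is there so that tampering fails loudly (and can be logged), rather than silently being redirected to the caller’s own account.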

Smartsheet told SecurityWeek that it has conclusively determined — based on its analysis of the attack method and the evidence it leaves — that the vulnerability was never exploited in the wild.

“We are grateful to Mr. Trigo for his continuing research on our platform, and the professional manner in which he conducts his responsible disclosure practices. The nature and pattern of this particular issue is such that we are able to conclude that this vector was never exploited by anyone other than Mr. Trigo, working against two accounts under his direct control. Within 4 hours of being made aware of this, our security, operations, quality assurance, and development teams deployed an update to our platform, eliminating the flaw,” stated DJ Hanson, director of information security at Smartsheet.

“We can unequivocally state that there was no disclosure or impact to any customer accounts or data. It is our view that openly rewarding and celebrating the findings of well-intentioned researchers is an essential part of a healthy and mature security program. We have been very impressed with the work and quality of the researchers @Bugcrowd and hope to continue our relationship with them and their community of professionals,” Hanson added.

Earlier this month, Trigo reported finding two cross-site scripting (XSS) vulnerabilities in Square Appointments, an online appointments system for business owners recently introduced by Square.

*Updated with statement and additional information from Smartsheet

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
