Vulnerability Exposed Smartsheet Accounts to Hijacking

Smartsheet has patched a serious vulnerability that could have been exploited to hijack user accounts. The company says the flaw has not been exploited in the wild.

Smartsheet is a Bellevue, Washington-based Software-as-a-Service (SaaS) company that provides work management and collaboration solutions. The firm says its intuitive spreadsheet-like cloud app is used by over 65,000 businesses and 5 million users across 175 countries.

Clifford Trigo, a security consultant based in the Philippines, uncovered an insecure direct object reference vulnerability that could have been exploited to hijack user accounts via Smartsheet’s “import users” feature.

Trigo reported the flaw to Smartsheet via the company’s private bug bounty program on the Bugcrowd platform. Smartsheet patched the vulnerability and awarded the expert $2,000, the maximum reward offered by the company for security bugs. The researcher disclosed the details of the flaw over the weekend.

Insecure direct object references exist when a web application uses the actual key of an object when generating webpages without ensuring that users cannot access other objects than their own. An attacker who has an account on the targeted application can exploit such vulnerabilities to access other users’ accounts simply by changing the value of a parameter that directly points to a system object.

In the case of Smartsheet, Trigo discovered an insecure direct object reference that allowed malicious actors to take over millions of accounts.

The vulnerability existed in the “Import Users” feature in the application’s “User Management” page. The feature is designed to allow customers to import users from CSV files and assign roles to those users (e.g. system admin, group admin, licensed user, resource viewer). However, there was no check in place to verify that the user requesting the import had the right privileges.

A malicious actor could have exploited the flaw by initiating a normal user import process and intercepting the request sent to the server. This request contained a parameter (“param1”) whose value was the user’s ID. By simply changing the value of this parameter to the ID of a different user, an attacker could have imported his own user details to the targeted account and obtain all permissions.

Smartsheet told SecurityWeek that it has conclusively determined — based on its analysis of the attack method and the evidence it leaves — that the vulnerability was never exploited in the wild.

“We are grateful to Mr. Trigo for his continuing research on our platform, and the professional manner in which he conducts his responsible disclosure practices. The nature and pattern of this particular issue is such that we are able to conclude that this vector was never exploited by anyone other than Mr. Trigo, working against two accounts under his direct control. Within 4 hours of being made aware of this, our security, operations, quality assurance, and development teams deployed an update to our platform, eliminating the flaw,” stated DJ Hanson, director of information security at Smartsheet.

“We can unequivocally state that there was no disclosure or impact to any customer accounts or data. It is our view that openly rewarding and celebrating the findings of well-intentioned researchers is an essential part of a healthy and mature security program. We have been very impressed with the work and quality of the researchers @Bugcrowd and hope to continue our relationship with them and their community of professionals,” Hanson added.

Earlier this month, Trigo reported finding two cross-site scripting (XSS) vulnerabilities in Square Appointments, an online appointments systems for business owners introduced recently by Square.

*Updated with statement and additional information from Smartsheet