Hi guys. This bug is a simple sensitive information disclosure, so let's start.
So in InVision there is functionality where a user can share a project with password protection via a link.
Here the password was disclosed to any other user who had only the link, so he/she could access the project without being given the password.
If you open the link, it looks like this:
I tried to bypass this password authentication but failed.
So you are still wondering where the password was disclosed? The image below can give you a hint.
Yes, you are right: it's a cookie.
So suppose I got this shared project link:
https://invis.io/HM7LGF896
and the user set the password to: dipak
So how did I retrieve the password? Just open the link in a browser and export the cookies of the page (use any cookie manager add-on/extension).
So here are the cookies:
[
{
"domain": ".invisionapp.com",
"expirationDate": 1445806824,
"hostOnly": false,
"httpOnly": false,
"name": "hssc",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "186349814.4.1445804872428",
"id": 1
},
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": false,
"name": "hssrc",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "1",
"id": 2
},
{
"domain": ".invisionapp.com",
"expirationDate": 1508877024,
"hostOnly": false,
"httpOnly": false,
"name": "_hstc",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "186349814.48603e6116c827774f91746a92d7778b.1445804872428.1445804872428.1445804872428.1",
"id": 3
},
{
"domain": ".invisionapp.com",
"expirationDate": 1508877015,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.2.1343745963.1445804868",
"id": 4
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477340870,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_anonymous_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%225f94b04b-b4a1-4391-9a5e-5fe0b308bb4d%22",
"id": 5
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341022,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_group_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 6
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341022,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_user_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 7
},
{
"domain": ".invisionapp.com",
"expirationDate": 2391884955.634767,
"hostOnly": false,
"httpOnly": false,
"name": "HASSEENTOOLBARINTRODUCTION",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "true",
"id": 8
},
{
"domain": ".invisionapp.com",
"expirationDate": 1761164872,
"hostOnly": false,
"httpOnly": false,
"name": "hsfirstvisit",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "https%3A%2F%2Fprojects.invisionapp.com%2Fshare%2FZ84OCVFKJ%23%2Fscreens||1445804872425",
"id": 9
},
{
"domain": ".invisionapp.com",
"expirationDate": 1761165024,
"hostOnly": false,
"httpOnly": false,
"name": "hubspotutk",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "48603e6116c827774f91746a92d7778b",
"id": 10
},
{
"domain": ".invisionapp.com",
"expirationDate": 2391884862.62181,
"hostOnly": false,
"httpOnly": false,
"name": "INVCUSTOMER_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "YES",
"id": 11
},
{
"domain": ".invisionapp.com",
"expirationDate": 1448396862.621729,
"hostOnly": false,
"httpOnly": false,
"name": "INVISIONAPP_SESSION_ID_V2_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "77661376",
"id": 12
},
{
"domain": ".invisionapp.com",
"expirationDate": 1448396862.62177,
"hostOnly": false,
"httpOnly": false,
"name": "INVISIONAPP_SESSION_TOKEN_V2_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "46D95268%2DADBA%2D3D6D%2D203CFC6FA75217FA",
"id": 13
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341023,
"hostOnly": false,
"httpOnly": false,
"name": "mpe30522264f139fbc8f9afe3fd5c6a96d_mixpanel",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%7B%22distinct_id%22%3A%20%22150a0af8a53131-0209b692a-671d107a-100200-150a0af8a544f9%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D",
"id": 14
},
{
"domain": ".invisionapp.com",
"expirationDate": 1445891266.416696,
"hostOnly": false,
"httpOnly": false,
"name": "TOKENKEY",
"path": "/",
"secure": true,
"session": false,
"storeId": "0",
"value": "46D960C3%2DB81D%2D4F49%2D77B1D5A43E55A65D",
"id": 15
},
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": true,
"name": "VALIDATION_Z84OCVFKJ",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "deepak",
"id": 16
},
{
"domain": ".invisionapp.com",
"expirationDate": 1445891266.416616,
"hostOnly": false,
"httpOnly": false,
"name": "XSRF-TOKEN",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "dfe125ae21fdbcb66f143f44f66adc5b",
"id": 17
},
{
"domain": ".projects.invisionapp.com",
"expirationDate": 1508877015,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.3.1343745963.1445804868",
"id": 18
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891424,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_bzid",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "d3bcab3e-575c-4617-8c69-844a29458d06",
"id": 19
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891424,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_cksm",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "1A93F52F6E2038ED",
"id": 20
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891427,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_np_stats",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "14%3D2981%2C",
"id": 21
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "DEVICE",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "desktop",
"id": 22
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "DEVICEEXPERIENCE",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "desktop",
"id": 23
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "fbtagfired",
"path": "/share",
"secure": false,
"session": true,
"storeId": "0",
"value": "1",
"id": 24
}
]
So note this cookie:
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": true,
"name": "VALIDATION_Z84OCVFKJ",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "deepak",
"id": 16
}
The VALIDATION_Z84OCVFKJ cookie name varies from project to project, but its value field holds the password in plaintext: deepak. The cookie is flagged httpOnly, but that only stops page scripts from reading it; anyone who controls the browser can read it straight out of the cookie store, as shown above.
So now I had the password of that project from the cookies, and the authentication was bypassed successfully.
Timeline:
Reported- Oct 26th 2015
Fixed-
Thanks for reading
Feedback and comments are welcome
So in InVision there is functionality where a user can share a project with password protection via a link.
Here the password was disclosed to any other user who had only the link, so he/she could access the project without being given the password.
If you open the link, it looks like this:
I tried to bypass this password authentication but failed.
So you are still wondering where the password was disclosed? The image below can give you a hint.
So suppose I got this shared project link:
https://invis.io/HM7LGF896
and the user set the password to: dipak
So how did I retrieve the password? Just open the link in a browser and export the cookies of the page (use any cookie manager add-on/extension).
So here are the cookies:
[
{
"domain": ".invisionapp.com",
"expirationDate": 1445806824,
"hostOnly": false,
"httpOnly": false,
"name": "hssc",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "186349814.4.1445804872428",
"id": 1
},
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": false,
"name": "hssrc",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "1",
"id": 2
},
{
"domain": ".invisionapp.com",
"expirationDate": 1508877024,
"hostOnly": false,
"httpOnly": false,
"name": "_hstc",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "186349814.48603e6116c827774f91746a92d7778b.1445804872428.1445804872428.1445804872428.1",
"id": 3
},
{
"domain": ".invisionapp.com",
"expirationDate": 1508877015,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.2.1343745963.1445804868",
"id": 4
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477340870,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_anonymous_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%225f94b04b-b4a1-4391-9a5e-5fe0b308bb4d%22",
"id": 5
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341022,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_group_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 6
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341022,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_user_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 7
},
{
"domain": ".invisionapp.com",
"expirationDate": 2391884955.634767,
"hostOnly": false,
"httpOnly": false,
"name": "HASSEENTOOLBARINTRODUCTION",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "true",
"id": 8
},
{
"domain": ".invisionapp.com",
"expirationDate": 1761164872,
"hostOnly": false,
"httpOnly": false,
"name": "hsfirstvisit",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "https%3A%2F%2Fprojects.invisionapp.com%2Fshare%2FZ84OCVFKJ%23%2Fscreens||1445804872425",
"id": 9
},
{
"domain": ".invisionapp.com",
"expirationDate": 1761165024,
"hostOnly": false,
"httpOnly": false,
"name": "hubspotutk",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "48603e6116c827774f91746a92d7778b",
"id": 10
},
{
"domain": ".invisionapp.com",
"expirationDate": 2391884862.62181,
"hostOnly": false,
"httpOnly": false,
"name": "INVCUSTOMER_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "YES",
"id": 11
},
{
"domain": ".invisionapp.com",
"expirationDate": 1448396862.621729,
"hostOnly": false,
"httpOnly": false,
"name": "INVISIONAPP_SESSION_ID_V2_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "77661376",
"id": 12
},
{
"domain": ".invisionapp.com",
"expirationDate": 1448396862.62177,
"hostOnly": false,
"httpOnly": false,
"name": "INVISIONAPP_SESSION_TOKEN_V2_LIVE",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "46D95268%2DADBA%2D3D6D%2D203CFC6FA75217FA",
"id": 13
},
{
"domain": ".invisionapp.com",
"expirationDate": 1477341023,
"hostOnly": false,
"httpOnly": false,
"name": "mpe30522264f139fbc8f9afe3fd5c6a96d_mixpanel",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%7B%22distinct_id%22%3A%20%22150a0af8a53131-0209b692a-671d107a-100200-150a0af8a544f9%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D",
"id": 14
},
{
"domain": ".invisionapp.com",
"expirationDate": 1445891266.416696,
"hostOnly": false,
"httpOnly": false,
"name": "TOKENKEY",
"path": "/",
"secure": true,
"session": false,
"storeId": "0",
"value": "46D960C3%2DB81D%2D4F49%2D77B1D5A43E55A65D",
"id": 15
},
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": true,
"name": "VALIDATION_Z84OCVFKJ",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "deepak",
"id": 16
},
{
"domain": ".invisionapp.com",
"expirationDate": 1445891266.416616,
"hostOnly": false,
"httpOnly": false,
"name": "XSRF-TOKEN",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "dfe125ae21fdbcb66f143f44f66adc5b",
"id": 17
},
{
"domain": ".projects.invisionapp.com",
"expirationDate": 1508877015,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.3.1343745963.1445804868",
"id": 18
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891424,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_bzid",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "d3bcab3e-575c-4617-8c69-844a29458d06",
"id": 19
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891424,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_cksm",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "1A93F52F6E2038ED",
"id": 20
},
{
"domain": "projects.invisionapp.com",
"expirationDate": 1445891427,
"hostOnly": true,
"httpOnly": false,
"name": "bizo_np_stats",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "14%3D2981%2C",
"id": 21
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "DEVICE",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "desktop",
"id": 22
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "DEVICEEXPERIENCE",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "desktop",
"id": 23
},
{
"domain": "projects.invisionapp.com",
"hostOnly": true,
"httpOnly": false,
"name": "fbtagfired",
"path": "/share",
"secure": false,
"session": true,
"storeId": "0",
"value": "1",
"id": 24
}
]
So note this cookie:
{
"domain": ".invisionapp.com",
"hostOnly": false,
"httpOnly": true,
"name": "VALIDATION_Z84OCVFKJ",
"path": "/",
"secure": false,
"session": true,
"storeId": "0",
"value": "deepak",
"id": 16
}
The VALIDATION_Z84OCVFKJ cookie name varies from project to project, but its value field holds the password in plaintext: deepak. The cookie is flagged httpOnly, but that only stops page scripts from reading it; anyone who controls the browser can read it straight out of the cookie store, as shown above.
So now I had the password of that project from the cookies, and the authentication was bypassed successfully.
Timeline:
Reported- Oct 26th 2015
Fixed-
Thanks for reading
Feedback and comments are welcome