
How I Hacked Invision Projects

Dipak Kumar Das
Hi guys, this bug is a simple sensitive information disclosure, so let's start.

In Invision there is a feature that lets a user share a project via a password-protected link.

Here the password was disclosed to any other user who had only the link, so he/she could access the project without having the password.
If you open the link, it looks like this:

I tried to bypass this password authentication but failed.

Still wondering where the password was disclosed? The image below can give you a hint.

Yes, you are right: it's the cookie.

So suppose I got this shared project link

and the user set the password to: dipak

So how did I retrieve the password? Just open the link in a browser and export the page's cookies (use any cookie manager add-on/extension).
Here are the cookies:


Note this cookie:

{
    "domain": "",
    "hostOnly": false,
    "httpOnly": true,
    "path": "/",
    "secure": false,
    "session": true,
    "storeId": "0",
    "value": "deepak",
    "id": 16
}

VALIDATION_Z84OCVFKJ varies from project to project, but the value parameter holds the password: deepak

So now I had the password of that project from the cookies, and the authentication was bypassed successfully.
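
For comparison, here is the leaky pattern next to a hardened one, as an added example that is not part of the original post and not Invision's code. The share store, the cookie naming (modelled on the VALIDATION_ name above), the server key and the sample share id are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
SHARES = {}                           # share_id -> (salt, password hash); stand-in for a DB

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def create_share(share_id, password):
    salt = os.urandom(16)
    SHARES[share_id] = (salt, _kdf(password, salt))  # only the salted hash is stored

def leaky_cookie(share_id, password):
    # The pattern the post describes: the project password itself is the cookie value.
    return {"name": f"VALIDATION_{share_id}", "value": password, "httpOnly": True}

def _tag(share_id, expires):
    msg = f"{share_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def submit_password(share_id, password, ttl=3600, now=None):
    # Hardened: a cookie is issued only after a correct password, and it carries
    # an expiry plus an HMAC bound to this share, never the password.
    salt, stored = SHARES[share_id]
    if not hmac.compare_digest(_kdf(password, salt), stored):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    return {"name": f"VALIDATION_{share_id}",
            "value": f"{expires}.{_tag(share_id, expires)}",
            "httpOnly": True, "secure": True}

def is_unlocked(share_id, cookie_value, now=None):
    # Server-side check on every request to the shared project.
    try:
        expires_s, tag = cookie_value.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    fresh = expires > (now if now is not None else time.time())
    return fresh and hmac.compare_digest(tag.encode(), _tag(share_id, expires).encode())

if __name__ == "__main__":
    create_share("DEMO1", "deepak")                  # constructed share id and password
    print(leaky_cookie("DEMO1", "deepak")["value"])  # readable by anyone holding the link
    cookie = submit_password("DEMO1", "deepak")
    print(cookie["value"], is_unlocked("DEMO1", cookie["value"]))
```

Note that httpOnly was already true on the cookie above; it only blocks script access, so a value that is the password stays readable to whoever holds the browser.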

Reported- Oct 26th 2015
Fixed- Jun 9th 2016
Rewarded- Jun 9th 2016

Thanks for reading 

Feedback and comments are welcome  

7 comments

  1. Asswm :)
    1. Thanks :)
  2. nice work bro
  3. Awesome writeup mate (Y)
  4. Cool Bro. Thanks for Sharing
  5. Himanshu
    This comment has been removed by the author.

© ADDICTIVE HACKERS. All rights reserved.
