Flowdock API - Four Vulnerabilities Patched in a Batch

Flowdock API - Four Vulnerabilities Patched in a Batch

Flowdock is a Chat & inbox for teams.. One place to talk and stay up-to-date. Flowdock is a team collaboration app for desktop, mobile & web. Keeping Flowdock`s environment and customer data safe and secure is a top priority for us. The Evolution Security | Vulnerability Laboratory researcher team found four vulnerabilities in the Flowdock API and reported the issues to the vendor.

The Flowdock security team responded as soon as possible and worked with the researchers on the different patches. All vulnerabilities have been fixed within the shortest time and it was a responsible behavior by Flowdock Sec Team. After creating  all patches the researchers were rewarded with Bug Bounties - in form of real $ cash - for every single issue. No T-Shirts included (thank you).

It is always a pleasure to work with professionals. If all security teams at the vendors side would act like the Flowdock´s team - the Internet would be a safer place.

Application-side Input Validation Exception-handling Web Vulnerability

The Vulnerability Laboratory Research Team discovered an application-side input validation exception-handling web vulnerability in the official Flowdock online service web-application. The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module.

The vulnerability is located in the rss feed url input field of the Rss Connector module POST/GET method request. Remote attackers with low privilege application user accounts are able to inject own malicious script codes to the application-side of the service. The request method to inject malicious context is POST & GET and the attack vector is located on the application-side and client-side of the flowdock api web-service.

Remote attackers are able to inject malicious script codes to the application-side to compromise flowdock auth api path by session manipulation or session evasion attacks. The attacker injects via rss url website input malicious payloads which demonstrates the injection point and the execution point is in the preview error message in the rss connector context module. The exception-handling of the preview handles the input with wrong encoding which results in a direct execution of script code after the first injection procedure took place.

The firewall does not prevent the loading of external websites because only script tags are blocked. By loading iframes or img src with svg tags the filter can be bypassed.

Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to your account at the flowdock website
2. Surf to the main dashboard module
3. Create a new organization
Note: A new menu opens in a popup
4. Click in the Inbox Sources category the Rss module
5. Inject a script code payload without <script> tags to the RSS Feed URL (Website) input
6. The first execution takes place after the input context has been passed via GET, the execution location is the preview > preview-error exception
7. Now click to connect and the vulnerable source with be permanently saved. Interact with a session tamper to inject the values twice to ensure it is getting included successful
Note: To save the context permanently you need to trick the application by inject of a payload that executes after the first load. Use a existing rss url and attach a small payload to bypass
8. Now the code executes in the rss webpage after the integration

Note: Use tamper data in mozilla to manipulate the session values and to approve the existence of the vulnerability!

Security Risk:
The security risk of the application-side vulnerability in the flowdock online service web-application exception-handling and rss feed input is estimated as medium. (CVSS 3.9)

Application-side Input Validation Web Vulnerability (1)

The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official Flowdock online service web-application. The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module.

The vulnerability is located in the flow name and flow description values of the Invite your Team (Flowdock Rest API) module POST method request. Remote attackers with low privilege application user accounts are able to inject own malicious script codes to the application-side of the service. The request method to inject malicious context is POST and the attack vector is located on the application-side of the flowdock api web-service.

Remote attackers are able to inject malicious script codes to the application-side to compromise flowdock rest api dashboard (messages) by session manipulation or session evasion attacks. The attacker inject via name and description values malicious payloads which demonstrates the injection point and the execution point is in the insecure validated message inbox of the main deashboard.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to your account at the flowdock website
2. Surf to the main dasboard module
3. Click the invite your team button
4. Switch to the flow menu bar
5. Inject malicious script code test payload to the name and description of flowdock inputs via api
6. Save the input and return back to the module by refresh or cancel after update
7. The code executes in the message board but also in the message dasboard index were the user has been invited to grant access
8. Successful reproduce of the vulnerability in flowdock api and main dashbaord!

Note: Use tamper data in mozilla to manipulate the session values and to approve the existence of the vulnerability!

Security Risk:
The security risk of the application-side vulnerability in the flowdock online service web-application is estimated as medium. (CVSS 3.8)

Application-side Input Validation Web Vulnerability (2)

The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official Flowdock online service web-application. The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module.

The vulnerability is located in the filename value of the messages upload module POST method request. Remote attackers with low privilege application user accounts are able to inject own malicious script codes to the application-side of the service. The request method to inject malicious context is POST and the attack vector is located on the application-side of the flowdock api web-service. Remote attackers are able to inject malicious script codes to the application-side to compromise flowdock accounts by session manipulation or session evasion attacks. The attacker uploads a file with malicious payload which demonstrates the injection point and the execution point is on arrival at the target flowdock inbox.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.

Security Risk:
The security risk of the application-side vulnerability in the flowdock online service web-application is estimated as medium. (CVSS 3.8)

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Send message to other user team with upload file
2. Inject a Payload as name (code injection)
3. When the user get notification for the new message the code will execute in the notification
4. Successful reproduce of the vulnerability!

Note: Use tamper data in mozilla to manipulate the session by interception of the name value.

Application-side Input Validation Web Vulnerability (3)

An application-side input validation web vulnerability has been discovered in the official Flowdock online-service web-application. The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module.

The vulnerability is located in the name input field of the inbox souds flowdock api service. Remote attackers with low privilege application user accounts are able to inject own malicious script codes to the application-side of the service. The request method to inject malicious context is POST and the attack vector is located on the application-side of the flowdock api web-service. Remote attackers are able to inject malicious script codes to the application-side to compromise flowdock accounts by session manipulation or session evasion attacks.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.

Security Risk:
The security risk of the application-side vulnerability in the flowdock online service web-application is estimated as medium. (CVSS 3.8)

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with low privilege application user account and low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Create acount with name have a payload code
2. Click to add more sources..
3. Click add new (Git)
4. Will open new link  https://www.flowdock.com/jari/auth/git?flow=e60291f4-8869-4f08-b04d-bc07... write anything in the name and save
5. Now, the payloadcode will execute
6. Successful reproduce of the application-side vulnerability!

Reference(s):

http://www.vulnerability-lab.com/get_content.php?id=1560

http://www.vulnerability-lab.com/get_content.php?id=1572

http://www.vulnerability-lab.com/get_content.php?id=1574

http://www.vulnerability-lab.com/get_content.php?id=1575