Learn how a missing authorization check led to unauthorized access to internal resources, and how to fix it with authentication and authorization best practices. In this blog post, we delve into a common security incident in which the lack of proper authorization checks let unauthorized users gain view and edit access to an internal third-party resource. During subdomain enumeration as part of reconnaissance, we found one internal subdomain (used only for internal team tracking) hosted live, carrying the upcoming tasks and daily updates for internal employees. It was assumed to be secure but turned out to be exposed: the absence of any authentication mechanism allowed anyone who knew the subdomain's URL to access and manipulate the internal content.
The internal subdomain served a static page with daily updates recorded in a calendar, where employees could add their daily tasks and embed links to Jira tickets, Figma projects, and similar resources. This security misconfiguration resulted in a missing authorization check on the Figma panel: although the panel was reachable only through an internal subdomain, it was not adequately protected by authentication measures.
On visiting every page of the subdomain (calendar.redacted.com), we found multiple URLs pointing to Jira tickets used for regular updates and tracking; these were well secured behind Okta SSO. The calendar also contained project URLs for Figma, used for the design and development of the application's front end. Normally a user can view such a project only after authenticating and receiving an invite or access grant from the project admin. Because of the missing authorization check, however, any user could sign up with their own credentials and access the project without restriction. These projects were updated and monitored daily by internal staff, so an attacker could make changes on behalf of the organization.
The impact of this security misconfiguration was significant. Unauthorized users could:
To prevent similar unintentional security misconfigurations, it is crucial to implement proper authentication and authorization mechanisms for all internal applications and resources, including those hosted on internal subdomains.
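The core defect described above is an access decision that stops at "is this user signed in?" instead of asking "is this user a member of this project, and with which role?". The following added example (not code from the original post, and not Figma's or Okta's own implementation; `Project`, `User`, `Role`, and the two check functions are assumed names) places the vulnerable check beside the corrected one, with both membership and view/edit role enforced:

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"


@dataclass
class User:
    user_id: str
    authenticated: bool  # true once the identity provider (e.g. SSO) has verified a login


@dataclass
class Project:
    name: str
    members: dict = field(default_factory=dict)  # user_id -> Role, granted by the project admin


def can_access_vulnerable(user: User, project: Project, action: str) -> bool:
    # Before: authentication only. Anyone who signs up is "authenticated",
    # so every signed-up user can view AND edit every project.
    return user.authenticated


def can_access_fixed(user: User, project: Project, action: str) -> bool:
    # After: authentication, then authorization against the project's member list.
    if not user.authenticated:
        return False
    role = project.members.get(user.user_id)
    if role is None:          # not invited by the project admin -> deny
        return False
    if action == "view":      # both roles may view
        return True
    if action == "edit":      # only editors may change the project
        return role == Role.EDITOR
    return False              # unknown action -> deny by default


# Constructed sample data for the demonstration.
FRONTEND = Project("frontend-redesign", {"alice": Role.EDITOR, "bob": Role.VIEWER})
OUTSIDER = User("mallory", authenticated=True)   # self-registered, never invited


def decisions(check) -> dict:
    """Run one check function over the sample users/actions and return the outcomes."""
    return {
        "outsider_edit": check(OUTSIDER, FRONTEND, "edit"),
        "viewer_view": check(User("bob", True), FRONTEND, "view"),
        "viewer_edit": check(User("bob", True), FRONTEND, "edit"),
        "editor_edit": check(User("alice", True), FRONTEND, "edit"),
    }
```

`decisions(can_access_vulnerable)` lets the self-registered outsider edit the project, which is exactly the exposure found on the calendar subdomain; `decisions(can_access_fixed)` denies the outsider and restricts the viewer to read-only access.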