Clipchamp (Microsoft Office Product) - Google IAP Authorization Bypass Allowed Access to Internal Environment Leading to Zero-Interaction Account Takeover

Vulnerability Description

During an in-depth security analysis of Clipchamp, Agilehunt identified a critical flaw that allowed attackers to bypass Google IAP authorization, granting unauthorized access to Clipchamp’s internal/test/smoke/beta environments.

Although these environments were protected by Google IAP (intended to ensure that only Clipchamp or Microsoft employees could reach them), we discovered that the API endpoints behind it lacked sufficient back-end authorization checks. This let an attacker obtain JWT tokens and perform a zero-interaction account takeover of any user in the Smoke environment.

This means attackers could access internal Clipchamp accounts and sensitive data, causing significant reputational and financial damage.


Risk Breakdown

  • Risk: Critical
  • Difficulty to Exploit: Easy

Affected URLs

  • app.smoke.clipchamp.com
  • app.beta.clipchamp.com
  • app.test.clipchamp.com
  • app.demo.clipchamp.com

Steps to Reproduce

Step 1: Navigate to any of the affected URLs above, e.g. https://app.smoke.clipchamp.com/, and observe that the user is redirected to the Google IAP login. Signing in with arbitrary credentials produces the screen below: "Access blocked: Clipchamp Smoke can only be used within its organisation".

Step 2: Send the POST request below with the email address of the victim user whose Clipchamp account you want to access, e.g. vikz.sharma1996@gmail.com.

Observe that the response contains the JWT token (meaning the Google IAP authorization has been bypassed): the internal environment leaks the JWT token for any user in the response itself.

Step 3: Pass the JWT token received above as the "code" parameter in the request below and send it:

Observe that the response to the Step 3 request contains the master authorization JWT token for the victim account (vikz.sharma1996@gmail.com), which can be used platform-wide to access all Clipchamp API endpoints, such as /v2/user/, /v2/user/workspaces, projects and PII data.

Step 4: To verify that the obtained JWT token for the requested user is valid, send the request below:

Response: reveals all the details of the victim user:

Step 5: To verify the impact of this critical vulnerability, I had to prove that an attacker can read, edit or add existing user information on the internal server. Clicking the "Contact the Developer" button on the Google IAP block page reveals the email address of a potential Clipchamp/Microsoft employee, "Redacted@clipchamp.com".

Step 6: Repeat Step 2, but with the internal employee's email, Redacted@clipchamp.com, as the email parameter value, as shown below:

Observe that the response contains the magic login link JWT token for a potential Microsoft employee.

Step 7: Repeat Step 3, passing the JWT token from Step 6 (the token of an internal Microsoft employee) as the "code" parameter, and send the request as shown below:

Observe that the response to the request above contains the master authorization JWT token for the victim account (in this case a Microsoft employee, redacted@clipchamp.com), which can be used platform-wide: all accessible endpoints such as /v2/user/, /v2/user/workspaces, projects, PII data, add email, change email and all other actions.

Step 8: To validate the exploit, send the request below with the JWT token received above as the Authorization Bearer token:


Observe that we are now able to access the information of an existing internal user, a potential Microsoft employee, on the internal platform:

The employee account shows "created_at": "2021-09-17T02:28:25.359582+00:00", which confirms this was an existing account.

Impact

  1. Unauthorized actions or access to sensitive data within the vulnerable application or other connected systems.
  2. An attacker could access internal user data, including confidential information, leading to financial and reputational damage.
  3. Potential to further abuse the system to access accounts with premium features, causing significant financial loss.

Recommendation

  • Implement strict back-end authorization checks so that external access to internal networks and platforms is prevented completely.
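The recommendation above, as an added example that is not from the original report, Clipchamp or Google: a Python sketch of the back-end check an IAP-fronted service is expected to perform itself, validating the `x-goog-iap-jwt-assertion` header that IAP adds to proxied requests and then refusing to issue a login token for anyone but the authenticated caller. Real IAP assertions are ES256-signed with Google's published IAP keys; the HS256 signing here is a constructed stand-in so the example runs offline, and the audience, allowed domain and request shape are placeholders.

```python
import base64, hashlib, hmac, json

# Placeholders (assumptions, not Clipchamp's real configuration).
IAP_ISSUER = "https://cloud.google.com/iap"
EXPECTED_AUD = "/projects/000000000000/apps/example-project"
ALLOWED_DOMAIN = "example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims: dict, key: bytes) -> str:
    """Mint a test assertion. Constructed stand-in: real IAP assertions are ES256-signed by Google."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_iap_assertion(assertion: str, key: bytes, now: float):
    """Return the claims if signature, issuer, audience and lifetime all check out, else None."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    try:
        header, claims, given = json.loads(_unb64url(parts[0])), json.loads(_unb64url(parts[1])), _unb64url(parts[2])
    except ValueError:  # malformed base64 or JSON (JSONDecodeError is a ValueError)
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return None
    want = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        return None
    if claims.get("iss") != IAP_ISSUER or claims.get("aud") != EXPECTED_AUD:
        return None
    if not claims.get("iat", now + 1) <= now < claims.get("exp", 0):
        return None
    return claims

def handle_magic_link(headers: dict, body: dict, key: bytes, now: float):
    """Back-end decision for 'send a login link for <email>'. The token itself is never returned."""
    claims = verify_iap_assertion(headers.get("x-goog-iap-jwt-assertion", ""), key, now)
    if claims is None:  # do not assume IAP was in front of this request
        return 401, "missing or invalid IAP assertion"
    caller = claims.get("email", "").lower()
    if not caller.endswith("@" + ALLOWED_DOMAIN):
        return 403, "caller is outside the organisation"
    if body.get("email", "").lower() != caller:
        return 403, "login links may only be requested for the authenticated principal"
    return 202, "login link delivered out of band"
```

The two refusals in `handle_magic_link` are the checks whose absence the report describes: a request with no valid assertion, or one naming a different user's email, must not produce a token.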

References

For more information check out reference [[1]]

TIMELINES

  • Jan 9, 2023 - Case opened
  • Jan 9, 2023 - Moved to Develop (Fixing)
  • Jan 20, 2023 - Out-of-scope email
  • March 7, 2023 - Issue fixed / listed on acknowledgement page