Clipchamp (Microsoft Office Product) - Google IAP Authorization Bypass Allowed Access to Internal Environment Leading to Zero Interaction Account Takeover
Before getting started: the reported product, Clipchamp, is not in scope for MSRC bug bounty rewards, so don't waste your precious time on this asset if a monetary reward is your goal.
Vulnerability Description
While researching the security of Clipchamp's assets and how they work, it was found that all the internal environments are restricted behind Google IAP, meaning only authorized personnel (Clipchamp / MS employees) have access to the internal /test, /smoke and /beta environments.
After further research it was discovered that the authorization checks are enforced only at the front end (https://app.*.clipchamp.com/) and not when invoking the /v2/<ENDPOINTS> API endpoints with the expected parameters. Enumerating the internal endpoints, it was found that https://app.smoke.clipchamp.com/v2 was leaking the JWT authentication bearer token for any attacker-supplied user on the platform, leading to zero-interaction account takeover of any Clipchamp user on the Smoke environment.
Kindly refer to the reproduction steps below.
Risk Breakdown
- Risk: Critical
- Difficulty to Exploit: Easy
Affected URLs
- app.smoke.clipchamp.com
- app.beta.clipchamp.com
- app.test.clipchamp.com
- app.demo.clipchamp.com
Steps to Reproduce
The following steps outline a proof of concept to reproduce the issue.
Step 1: Navigate to any of the affected URLs above, e.g. https://app.smoke.clipchamp.com/, and observe that the user is redirected to the Google IAP login. Using any random credentials gives the screen below: "Access blocked: Clipchamp Smoke can only be used within its organisation".
Step 2: Send the POST request below with the email of the victim user whose account you want to access on the Clipchamp platform, e.g. vikz.sharma1996@gmail.com.
Observe that the response contains the JWT token (meaning we have bypassed the Google IAP authorization), giving us access to the internal environment, which leaks the JWT token for any user in the response itself.
Step 3: Pass the JWT token received above as the "code" parameter in the request below and send it:
Observe that the response to the request from Step 3 contains the master authorization JWT token for the victim account (vikz.sharma1996@gmail.com), which can be used platform-wide to access all API endpoints of Clipchamp such as /v2/user/, /v2/user/workspaces, projects and PII data.
Step 4: To verify that the JWT token obtained for the requested user is valid, send the request below:
RESPONSE: reveals all the details about the victim user:
Step 5: In order to verify the impact of this critical vulnerability, I had to prove that an attacker can read / edit / add existing user information on the internal server. Clicking the "Contact the Developer" button on the Google IAP block page gives us the email address of a potential Clipchamp / Microsoft employee, "Redacted@clipchamp.com", who is an employee of Microsoft.
Step 6: Repeat Step 2, but with the email of an internal employee, Redacted@clipchamp.com, as the email parameter value, like below:
Observe that the response contains the MAGIC login link JWT token for a potential employee of Microsoft.
Step 7: Repeat Step 3 with the JWT token from Step 6 (the JWT token of an internal Microsoft employee) in the "code" parameter and send the request like below:
Observe that the response to the request above contains the master authorization JWT token for the victim account, a Microsoft employee in this case (redacted@clipchamp.com), which can be used platform-wide for all accessible endpoints such as /v2/user/, /v2/user/workspaces, projects, PII data, add email, change email and all other actions.
Step 8: To validate the exploit, send the request below with the authorization bearer JWT token received above:
Observe that we are now able to access the information of an existing internal user, a potential employee of Microsoft using the internal platform:
The employee user account has "created_at": "2021-09-17T02:28:25.359582+00:00", which means this was an existing account.
Impact
- A successful attack can result in unauthorized actions or access to data within the organization, either in the vulnerable application or on other back-end systems that the application can communicate with.
- An attacker can further enumerate other users on the platform, which may expose confidential data of other internal users or lead to financial / reputational damage.
- Employee account accessed.
- A skilled attacker can enumerate further for accounts which may have premium features enabled and abuse this infrastructure, leading to financial loss as well as unavailability.
Recommendation
- Implement strict authorization checks so that external access to internal networks / platforms is prevented completely.
References
For more information, check out reference [1].
Timeline
- Jan 9, 2023 - Case Opened
- Jan 9, 2023 - Moved to Develop (Fixing)
- Jan 20, 2023 - Out of Scope Email
- March 7, 2023 - Issue Fixed / Listed on acknowledgement page.
Follow me @vikzsharma on Twitter / LinkedIn for updates on write-ups.