1200$ IDOR Flaw: Allow Attacker To Approve Project Time Tracking
2024-1-17 22:42:48 Author: infosecwriteups.com

Abhi Sharma

InfoSec Write-ups

Discover the shocking Insecure Direct Object Reference (IDOR) vulnerability in ExamFit’s (Private Program) Time Tracking System, and see how an attacker could gain unauthorized access and approval of time tracking records, posing a significant risk to data integrity and financial stability.

Picture a scenario where an organization relies on a robust system to track employees’ working hours and projects. It’s a routine task — employees log their hours, managers approve them, and payroll is processed seamlessly.

Target: ExamFit (pseudonym for a private program)

ExamFit is a service many companies trust to manage their employees’ time tracking and payroll. However, my assessment revealed a critical flaw, an Insecure Direct Object Reference (IDOR) vulnerability, which could potentially shake the very foundation of their data security.

The Vulnerability

The vulnerability centered around the endpoint: POST /time/v1/tracking/validation/approve on the host api.examfit.com. An IDOR vulnerability, it allowed an attacker to manipulate input parameters — employeeId and timesheetId — in a way that granted unauthorized access to and approval of time tracking records.

How to Recreate the Issue:

To recreate this issue, you would need three accounts:

  1. An attacker company employee account.
  2. An attacker’s company account (with admin privileges) — this is the account that will exploit the vulnerability.
  3. Another, victim company account (with admin privileges) — this account is used to check whether the exploit worked: it belongs to the company whose employee's time tracking project the attacker's account ends up approving.

Before we move on, if you like my write-ups, please support me by liking, sharing, and clapping up to 50 times here on Medium, it’s free. Thank you.

The steps to reproduce the vulnerability are as follows:

1: An attacker employee logs in and creates a work time tracking project. In the process, they note down two crucial values: employeeId and timesheetId.

2: Attacker account setup. The attacker logs in with their own account and captures the Authorization: Bearer and X-Examfit-Id tokens.

3: The attacker then crafts and sends a malicious HTTP request, utilizing the captured tokens to approve time tracking for the victim company, using the employeeId and timesheetId values acquired earlier.

The following request is used to exploit the flaw:

POST /time/v1/tracking/validation/approve HTTP/2
Host: api.examfit.com
Content-Length: 82
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Authorization: Bearer
Content-Type: application/json
X-Payfit-Id: ---------
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8,pt;q=0.7

{"employeeId":"[Victim Employee ID]","timesheetId":"[Timesheet ID]"}

4: The result. If all goes as planned, the response should indicate a status of 200 OK and that the time tracking request has been approved.

5: Verification. The victim admin logs in to verify that the time tracking request for the victim employee has been improperly approved. This demonstrates the successful exploitation of the vulnerability.
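The root cause of the steps above is a missing object-level authorization check: the approve endpoint trusts the caller's token but never confirms that the referenced timesheet belongs to the caller's own company. The following Python sketch is an added example, not code from the write-up or from ExamFit; it contrasts a handler with that gap against a hardened one. The in-memory store, the Caller and Timesheet types and all ids are constructed for illustration, and the caller's company is assumed to come from the verified bearer token rather than from a client-supplied header.

```python
from dataclasses import dataclass


@dataclass
class Timesheet:
    timesheet_id: str
    employee_id: str
    company_id: str          # tenant that owns the record
    approved: bool = False


@dataclass(frozen=True)
class Caller:
    user_id: str
    company_id: str          # taken from the verified bearer token, not from a request header
    is_admin: bool


def sample_store() -> dict:
    """Constructed sample data: one pending timesheet in each of two tenants."""
    return {
        "ts-attacker": Timesheet("ts-attacker", "emp-attacker", "company-attacker"),
        "ts-victim": Timesheet("ts-victim", "emp-victim", "company-victim"),
    }


def approve_vulnerable(store: dict, caller: Caller, employee_id: str, timesheet_id: str) -> int:
    """Handler with the flaw described in the write-up: the caller is authenticated,
    but the record's owning tenant is never compared with the caller's tenant."""
    ts = store.get(timesheet_id)
    if ts is None or ts.employee_id != employee_id:
        return 404
    ts.approved = True
    return 200


def approve_hardened(store: dict, caller: Caller, employee_id: str, timesheet_id: str) -> int:
    """Same handler with role and tenant (object-level) authorization added."""
    if not caller.is_admin:           # only approvers may approve
        return 403
    ts = store.get(timesheet_id)
    # A record outside the caller's tenant is reported exactly like a missing one,
    # so the endpoint does not confirm which foreign timesheet ids exist.
    if ts is None or ts.company_id != caller.company_id or ts.employee_id != employee_id:
        return 404
    ts.approved = True
    return 200


if __name__ == "__main__":
    attacker_admin = Caller("u-attacker", "company-attacker", is_admin=True)
    print("vulnerable:", approve_vulnerable(sample_store(), attacker_admin, "emp-victim", "ts-victim"))  # 200
    print("hardened:", approve_hardened(sample_store(), attacker_admin, "emp-victim", "ts-victim"))      # 404
```

A denied cross-tenant request in the hardened handler is also a useful signal to log, since a burst of 404s on approve calls from one token is what the attack in this write-up looks like from the server side.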

The Impact:

The exploitation of this vulnerability has several potential impacts:

  • Unauthorized access to sensitive time tracking data.
  • Unauthorized modification of time tracking records.
  • Compromise of data integrity and confidentiality.
  • Potential financial implications for victim companies.

The Bounty Reward:

For this crucial discovery, ExamFit awarded me a generous bounty of $1,200.

Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.

Find me on Twitter: @a13h1_

Keep Supporting, Keep Clapping, Keep Commenting.


Source: https://infosecwriteups.com/1200-idor-flaw-allow-attacker-to-approve-project-time-tracking-a9f64c06732a?source=rss----7b722bfd1b8d--bug_bounty