I was testing a private program in which a user can be part of multiple organizations and can switch between them from a dropdown.
After switching, the user gets access to a completely different organization with all of its data and actions. When the switch happens, a request is made to the following endpoint:
POST /internal/system/v1/auth/login/pick HTTP/2
Host: us.api.prod.example.com

In this request there is a single parameter, organizationId, in the POST body. This is the organization the user is switching to. The first thing I noticed is that if I change organizationId to an organization the user does not belong to, the server returns an error.

When I analyzed the request more carefully, I saw a cookie named example_orgpick_email_prod that contained the email address of the currently logged-in user. So if the email address and the organizationId do not match, the server will not generate tokens.
Then I changed organizationId to the victim's organization, where I do not have access, and set the email in the cookie to the victim's email address, and to my surprise I got the access tokens for that organization. The email address and organization ID are leaked in the published apps of that organization, so obtaining them is not an obstacle even though the organization ID is a UUID.
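To make the root cause concrete, here is a minimal model of the organization-switch endpoint described above. This is an added example written for this page, not the program's real code: the cookie and parameter names come from the write-up, while the users, organization IDs, session store and handler logic are constructed for illustration. It places the vulnerable pattern (subject taken from a client-controlled cookie) beside the hardened one (subject taken only from server-side session state) and runs the same spoofed request through both.

```python
# Added example (not the program's real code): a minimal model of the
# organization-switch endpoint described above, with the vulnerable
# membership check beside a hardened one. Cookie and parameter names come
# from the write-up; users, org IDs and sessions are constructed here.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed membership table: authenticated email -> organizations it may enter.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "attacker@example.com": {"org-attacker-uuid"},
    "victim@example.com": {"org-victim-uuid"},
}

# Constructed server-side session store: opaque session id -> authenticated email.
# Only the server writes to this; the client merely presents the id.
SESSIONS: Dict[str, str] = {
    "sess-attacker": "attacker@example.com",
}


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller may not switch into the requested organization."""


def issue_token(email: str, org_id: str) -> str:
    # Stand-in for real token minting (hypothetical); the point is that the
    # token is scoped to the subject and organization it was issued for.
    return f"token:{email}:{org_id}"


def pick_org_vulnerable(req: Request) -> str:
    """Vulnerable pattern from the write-up: the subject is read from a
    client-controlled cookie, so the membership check compares the
    requested organizationId against whatever email the client supplied."""
    email = req.cookies.get("example_orgpick_email_prod", "")
    org_id = req.body.get("organizationId", "")
    if org_id not in MEMBERSHIPS.get(email, set()):
        raise Forbidden("user is not a member of this organization")
    return issue_token(email, org_id)


def pick_org_fixed(req: Request) -> str:
    """Hardened pattern: the subject comes only from the server-side session
    bound to the opaque session cookie; the email cookie is ignored."""
    email = SESSIONS.get(req.cookies.get("session", ""))
    if email is None:
        raise Forbidden("not authenticated")
    org_id = req.body.get("organizationId", "")
    if org_id not in MEMBERSHIPS.get(email, set()):
        raise Forbidden("user is not a member of this organization")
    return issue_token(email, org_id)


def outcome(handler: Callable[[Request], str], req: Request) -> str:
    """Run a handler and report either the issued token or 'forbidden'."""
    try:
        return handler(req)
    except Forbidden:
        return "forbidden"


# Constructed request reproducing the report: the attacker's own session,
# but the email cookie and organizationId rewritten to the victim's values.
SPOOFED = Request(
    cookies={"session": "sess-attacker",
             "example_orgpick_email_prod": "victim@example.com"},
    body={"organizationId": "org-victim-uuid"},
)

if __name__ == "__main__":
    print("vulnerable:", outcome(pick_org_vulnerable, SPOOFED))  # token for the victim's org
    print("fixed:     ", outcome(pick_org_fixed, SPOOFED))       # forbidden
```

The fix is not to validate the email cookie harder; it is to stop reading identity from the client at all. Any value the browser can rewrite (a cookie, a header, a body field) is an assertion, not a fact, and the membership check must be keyed on the subject the server already authenticated. The same rule applies to every downstream endpoint such as the invite listing later in the post. On the detection side, an organization switch where the email presented by the client differs from the email bound to the session is a cheap, high-signal thing to log and alert on.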

The response contains an access token; replace the value of the token in the parameter example_api_prod with it, and likewise replace the CSRF token, whose name is example_xsrf_prod.
After that, to confirm the impact, I made a request to another endpoint that lists the users invited to the organization, where all the details were shown, as below:
GET /internal/system/v1/invite/{organizationId} HTTP/2
Host: us.api.prod.example.com
Cookie: {COOKIE HERE}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Request-Id: 4e33f0eb-ec72-4b1b-8d80-56249ec8f7f5
X-Source: BUILDER
X-Cxr-Version: 18.0
X-Xsrf-Token: {CSRF TOKEN HERE}
Origin: https://example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers

After that I replaced the Cookie and the CSRF token in the above request, sent it, and was able to see all the data from that organization. In simple terms, I could do anything in that organization.
I sent this report to the team; they confirmed it was a real issue, paid $3,700 for it including a bonus, and quickly fixed it.

Hope you have enjoyed this :)
Many Thanks