User Data from the Asana S3 Bucket can be leaked via Presigned URL and OSINT

Disclosed by
jakubjn
  • Engagement Asana
  • Disclosed date 8 months ago
  • Reward $2,500
  • Priority P2 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by jakubjn

An S3 Bucket Misconfiguration allowed an attacker to set an arbitrary S3 Path and have it signed by the server. S3 Keys could be mined from online sources, putting a number of Asana Attachments at risk.

The vulnerability was found in the following websocket request:

{
  "msg": "mutation",
  "method": "/s3_attachment_create",
  "params": {
    "http_method": "post",
    "endpoint_data": {
      "global_id": "...",
      "domain": "...",
      "filesize": 1000,
      "s3_path": "S3_PATH",
      "__app_name": "Asana",
      "__session_id": "..."
    }
  },
  "id": "..."
}

Where "s3_path" was a parameter discovered in the JavaScript code. The original parameter: "key_suffix" was not vulnerable.

Activity