Improper Access Control – Generic: Unrestricted access to any “connected pack” on docs in coda.io

Summary:

When adding a pack to a coda.io doc, a POST request is sent to https://coda.io/internalAppApi/documents/[doc ID]/packs with the body {"packId":[pack Id]}, where doc ID is the ID of the doc the user wishes to add the pack to and pack ID is the pack the user wants to install.

But this request was unrestricted: the server did not verify that the user was entitled to the requested pack, so the user could iterate the packId to install any free, pro or disabled pack.
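As an added illustration (not Coda's code; the pack tiers, plan names, doc-editor check and helper names are assumptions), the unrestricted handler shape beside one that authorizes the caller against both the doc and the pack on the server side:

```python
# Added example, not code from the report or from coda.io.
# Models the "add pack to doc" endpoint described above; all names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pack:
    pack_id: int
    tier: str      # "free" or "pro"
    enabled: bool  # disabled packs must not be installable by anyone


@dataclass(frozen=True)
class User:
    user_id: int
    plan: str                 # "free" or "pro"
    editable_docs: frozenset  # doc IDs this user may modify (assumed check)


# Constructed sample catalogue: one free pack, one pro pack, one disabled pack.
PACKS = {
    1: Pack(1, "free", True),
    2: Pack(2, "pro", True),
    3: Pack(3, "free", False),
}


def add_pack_unrestricted(doc_packs, doc_id, pack_id):
    """Vulnerable shape: trusts the client-supplied doc ID and packId outright."""
    doc_packs.setdefault(doc_id, set()).add(pack_id)
    return "ok"


def add_pack_checked(doc_packs, user, doc_id, pack_id):
    """Hardened shape: authorize the caller for the doc, then for the pack."""
    if doc_id not in user.editable_docs:
        return "forbidden: not a doc editor"
    pack = PACKS.get(pack_id)
    # Treat unknown and disabled packs identically so enumeration learns nothing.
    if pack is None or not pack.enabled:
        return "not_found"
    if pack.tier == "pro" and user.plan != "pro":
        return "forbidden: pack requires pro plan"
    doc_packs.setdefault(doc_id, set()).add(pack_id)
    return "ok"
```

The entitlement decision lives entirely in server-side state (the pack catalogue and the user's plan), so changing the packId in the request changes nothing the client is not already allowed to do.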

Report: https://hackerone.com/reports/777942
