TYPE
access control bypass
vertical privilege escalation
unprotected functionality
This is a personal data breach and encryption bypass that circumvented the standard encryption mechanism within the GlueUp/EventBank invoicing systems.
At the time of discovery, it was not known whether the issue was being exploited in the wild.
This issue affects all customers who used GlueUp (formerly EventBank) as their CRM solution.
STATUS
ISSUE DISCOVERED:
16 DEC 2021
ISSUE REPORTED:
17 DEC 2021
ISSUE FIXED:
5 JAN 2022
CONFIRMED FIXED:
20 JAN 2022
As of 20 Jan 2022, the issue has been resolved. Attackers are no longer able to access such invoices.
DESCRIPTION/ ENVIRONMENT
ENVIRONMENT: CHROME 96 (the issue was reproducible in all browser environments)
AFFECTS: The issue was reproducible in all environments.
AREA: GlueUp/EventBank invoicing system for participants/membership renewals (including the global glueup.com version, the Chinese glueup.cn version, and the Russian glueup.ru version)
STEPS TO REPRODUCE
Log in to the GlueUp management system and open the invoice system.
Go to the Invoices tab and click "Copy link" when prompted to download an invoice.
The link has the form xxxxxx.glueup.zz/******/yyyyyy, where zz is .cn, .ru, or .com depending on the customer environment, xxxxxx is any GlueUp user entity except www, and yyyyyy is the six-digit invoice number.
The invoice is downloaded, but yyyyyy can be changed to any other six-digit number, so the invoices can be enumerated by brute force.
EXPECTED RESULT
There should be an access control check before an invoice is downloaded in any way or form.
ACTUAL RESULT
THE INVOICES ARE DOWNLOADED, without any access control check, if an invoice with that number exists.
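The missing check, and one way to spot the enumeration in access logs, as an added illustration (this is not GlueUp's code): the tenant names, invoice data and the log line format are constructed assumptions. The handler refuses any invoice not owned by the caller's entity and returns the same 404 for foreign and absent numbers; the detector flags clients whose requested invoice numbers form a dense run.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not GlueUp's): invoices keyed by six-digit number,
# each owned by one tenant entity (the "xxxxxx" part of the disclosed link).
INVOICES = {
    123456: {"owner": "acme", "pdf": b"%PDF acme 123456"},
    123457: {"owner": "globex", "pdf": b"%PDF globex 123457"},
}

@dataclass
class Session:
    user: str
    entity: str  # tenant the logged-in user belongs to

class NotFound(Exception):
    pass

def download_invoice(session: Session, invoice_no: int) -> bytes:
    """Hardened handler: check the invoice belongs to the caller's tenant
    before serving it. A foreign invoice gets the same 404 as a missing
    one, so a scanner cannot tell 'exists but not yours' from 'absent'."""
    inv = INVOICES.get(invoice_no)
    if inv is None or inv["owner"] != session.entity:
        raise NotFound(invoice_no)
    return inv["pdf"]

# Hypothetical access-log line: "<client> GET /<entity>/<invoice_no> <status>"
LOG_RE = re.compile(r"^(\S+) GET /\w+/(\d{6}) \d{3}$")

def enumeration_suspects(log_lines, threshold=5):
    """Flag clients whose distinct invoice numbers form a dense, nearly
    consecutive run longer than `threshold`; a legitimate user fetches a
    few scattered numbers, an enumeration walks the counter."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    suspects = []
    for client, nums in sorted(seen.items()):
        ordered = sorted(nums)
        span = ordered[-1] - ordered[0] + 1
        if len(ordered) > threshold and span <= 2 * len(ordered):
            suspects.append(client)
    return suspects
```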