Privilege Escalation Leads to Making Authenticated Actions (payment processing, creating invoices, etc.)
Introduction
Today I'm going to show how users whose accounts have not yet been approved can perform authenticated actions (payment processing, creating invoices, etc.)!
First of all, this was a public program, but the vulnerability is not fixed yet, so I will refer to the target as target.com.
This domain is a sandbox, but the program stated:
We have ensured the sandbox has the same functionality needed for testing
Summary
When a user creates a new account, he must wait through an acceptance period (2–3 days). During this period he should not be able to perform authenticated actions (payment processing, creating invoices, etc.), since he has not been accepted yet. However, this restriction is not applied to the API keys obtained from commerce/account/apiKeys?
Proof Of Concept
When a user registers a new account on `target.com/commerce`, he waits a few days for approval or rejection. When this user tries to log in to his account, he is redirected through
target.com/commerce/login/auth -> target.com/commerce/login/dashboard -> target.com/commerce/login/denied
I logged in again and stopped the redirect at `target.com/commerce/login/dashboard`. There I found that the user can access his dashboard and is authorized to view his account, customers, payments, settings, etc., but he cannot perform any action: the pages are view-only.
But if we look at the requests in Burp, we find an API-key endpoint, `commerce/apiKeys?appkey=false&source=Ecomerce`, tied to the user's account.
It is reachable only once logged in, but it hands out the key even though the account has been neither approved nor rejected and should not be able to access the API yet.
After getting the API keys I went to their API documentation to see how I could create, list, update, delete and find payments, plans, invoices, etc. All of these functions worked for me :"D This is the result:
The bug was submitted in April 2021 and is still not fixed :"D
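The root cause is that account approval is enforced only on the web dashboard, not when an API key is issued or when the key is used. The following is an added example, not code from the write-up or from the target, that models that gap next to the fix a reviewer would ask for: refuse to mint a key for a pending account, and re-check the account state on every API request so a key minted while pending (or before a later rejection) stops working. The names (`Account`, `ApiKeyStore`, `PRIVILEGED_ACTIONS`, the action strings) and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Account lifecycle states from the write-up: a new account sits in the
# 2-3 day acceptance period before it is approved or rejected.
PENDING, APPROVED, REJECTED = "pending", "approved", "rejected"

# Actions the write-up found reachable with a pending account's key
# (constructed names standing in for the real API operations).
PRIVILEGED_ACTIONS = {"payment.create", "invoice.create", "plan.update"}


@dataclass
class Account:
    username: str
    status: str = PENDING


class ApiKeyStore:
    """In-memory store mapping SHA-256(key) -> Account (an assumption; the
    target's real backend is not known). Storing only the hash means a
    database leak does not hand out usable keys, and looking up by hash
    avoids comparing the raw secret against every stored key."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, account: Account) -> str:
        key = secrets.token_hex(16)
        self._by_hash[self._hash(key)] = account
        return key

    def lookup(self, key: str):
        return self._by_hash.get(self._hash(key))


def issue_api_key_vulnerable(store: ApiKeyStore, account: Account) -> str:
    """Mirrors the observed behaviour: any logged-in account is handed a key,
    whether or not the acceptance period has finished."""
    return store.issue(account)


def issue_api_key_hardened(store: ApiKeyStore, account: Account) -> str:
    """Refuse to mint a key until the account has been approved."""
    if account.status != APPROVED:
        raise PermissionError(f"account {account.username!r} is {account.status}")
    return store.issue(account)


def authorize_vulnerable(store: ApiKeyStore, key: str, action: str) -> bool:
    """The gap the write-up exploits: a valid key is treated as full authorization."""
    return store.lookup(key) is not None and action in PRIVILEGED_ACTIONS


def authorize_hardened(store: ApiKeyStore, key: str, action: str) -> bool:
    """Re-check the account state on every request, not only at issuance, so a
    key minted while pending (or before a later rejection) stops working the
    moment the account is no longer approved."""
    account = store.lookup(key)
    if account is None or account.status != APPROVED:
        return False
    return action in PRIVILEGED_ACTIONS


def walkthrough() -> dict:
    """Replays the report against both models and returns the outcomes."""
    store = ApiKeyStore()
    merchant = Account("new-merchant")  # still in the acceptance period
    key = issue_api_key_vulnerable(store, merchant)

    results = {
        "pending_key_vulnerable": authorize_vulnerable(store, key, "payment.create"),
        "pending_key_hardened": authorize_hardened(store, key, "payment.create"),
    }
    try:
        issue_api_key_hardened(store, merchant)
        results["hardened_issues_to_pending"] = True
    except PermissionError:
        results["hardened_issues_to_pending"] = False

    merchant.status = APPROVED
    results["approved_key_hardened"] = authorize_hardened(store, key, "payment.create")
    merchant.status = REJECTED
    results["rejected_key_hardened"] = authorize_hardened(store, key, "payment.create")
    results["rejected_key_vulnerable"] = authorize_vulnerable(store, key, "payment.create")
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check:28} {'allowed' if outcome else 'denied'}")
```

The important design choice is that the hardened path checks `account.status` at request time rather than trusting the fact that a key exists: approval is a property of the account, so it has to be evaluated wherever the account acts, and a UI-only redirect to `/login/denied` is not an authorization boundary.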