Fixed privilege escalation allowing users with role “Privileged” to invite “Admin” users

On Monday 21.4.2021 our customer Andreas Buchenrieder alerted us to a bug in our user invitation form on the Tideways backend. The bug allowed users with the role “Privileged” to invite new users with the role “Admin” into an organization. This allowed users to potentially increase their privileges beyond what an admin of the organization intended.

On Tuesday morning (22.4.2021) we rolled out a fix to production that prevents this bug. No further actions are necessary on the customer’s side.

By analyzing the logs of our invitation database table, we were able to reconstruct that this bug was never used with malicious intent.

However, the escalation occurred with good intentions in 6 organizations, where users with the role “Privileged” invited their colleagues with the role “Admin”. As a precaution, we demoted the users from these accidental invites on Tuesday and informed the affected customers individually.

With the admin role, these users could potentially have created or deleted projects, viewed and made changes to the subscription, viewed invoices, or invited other admins. Based on the log files we keep of all changes made to organizations, none of these operations were used by the over-privileged users.

As a reaction to this bug we have reviewed the invitation and user roles code in detail and increased the automated test coverage to prevent similar bugs in the future.
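The class of check and log audit described above can be sketched as follows. This is an added illustration, not Tideways' code: the role ranking, the `member` role, the rule that an inviter may grant at most their own role, and the record fields are all assumptions.

```python
# Added illustration; not Tideways' code. Role ranks and record fields are assumptions.
ROLE_RANK = {"member": 1, "privileged": 2, "admin": 3}  # "member" is hypothetical


class InviteDenied(Exception):
    """Raised when an inviter requests a role above their own."""


def can_invite(inviter_role: str, requested_role: str) -> bool:
    """True only if both roles are known and the requested role
    does not exceed the inviter's own role."""
    try:
        return ROLE_RANK[requested_role] <= ROLE_RANK[inviter_role]
    except KeyError:
        return False  # unknown role names fail closed


def create_invitation(inviter_role: str, email: str, requested_role: str) -> dict:
    """Server-side enforcement: the role submitted by the form is untrusted input."""
    if not can_invite(inviter_role, requested_role):
        raise InviteDenied(f"{inviter_role!r} may not invite {requested_role!r}")
    return {"email": email, "role": requested_role, "inviter_role": inviter_role}


def find_escalated_invites(rows: list[dict]) -> list[dict]:
    """Audit past invitation records for invites that exceeded the inviter's role."""
    return [r for r in rows if not can_invite(r["inviter_role"], r["role"])]


# Constructed sample records standing in for an invitation table log.
SAMPLE_LOG = [
    {"id": 1, "org": "org-a", "inviter_role": "admin", "role": "admin"},
    {"id": 2, "org": "org-b", "inviter_role": "privileged", "role": "admin"},
    {"id": 3, "org": "org-b", "inviter_role": "privileged", "role": "privileged"},
    {"id": 4, "org": "org-c", "inviter_role": "privileged", "role": "owner"},
]

if __name__ == "__main__":
    for row in find_escalated_invites(SAMPLE_LOG):
        print("review invitation", row["id"], "in", row["org"])
```

The same `can_invite` predicate serves both the request path and the retrospective audit, so a regression test on it covers both.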

Please review the documentation for details on which actions each role can perform.

Timeline:

  • Monday 26.04.2021
    • Customer informed us about the security vulnerability
    • Identified six affected organizations and demoted escalated admin users to the privileged role
  • Tuesday 27.04.2021
    • Rolled out bugfix to production
    • Began analysis of escalated admin user actions based on log files of all changes to admin operations, finding no malicious intent
  • Friday 30.04.2021
    • Notified affected customers
    • Published this Security Note

Components

  • Security

Published

30.04.2021