Users can change project visibility, which requires a higher subscription, by just changing the request body
Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3370430 by hossam25
Summary:
A Broken Access Control vulnerability allows users to change project visibility — a feature restricted to higher subscription tiers — by simply modifying the visibility field in the request body to Personal or Workspace. This bypasses subscription checks, enabling unauthorized access to premium functionality.
Steps To Reproduce:
- In Burp, enable Intercept
- In Lovable, write anything to build a project
- Click Create and, in Burp, find the request to the endpoint https://lovable-api.com/workspaces/{YOUR-WORKSPACE-ID}/projects
- In the body of the request, change the visibility to Personal or Workspace, which requires a paid subscription:
{"description":"landing view","visibility":"Personal","initial_message":{"id":"umsg_01k6qkw83ze07t9f7m9p3jabs9","message":"landing view","files":[],"optimisticImageUrls":[],"chat_only":false,"agent_mode_enabled":false,"ai_message_id":"aimsg_01k6qkw841e07t9f7ytpghd6bs"}}
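The root cause is that the server stores whatever visibility the client sends instead of checking it against the workspace's entitlement. As an added example (not Lovable's code, whose server side is not on the page), the handler behind POST /workspaces/{id}/projects is modelled both ways, with a small audit scan that finds projects created through the bypass; the plan names, the entitlement table and the audit-log format are assumptions.

```python
# Added example, not Lovable's code. Plan names, the VISIBILITY_BY_PLAN table
# and the audit-log format are assumptions; the Personal/Workspace values and
# the paid-tier rule come from the report.
from dataclasses import dataclass

# Assumption: which visibility values each subscription tier is entitled to.
VISIBILITY_BY_PLAN = {
    "free": {"Public"},
    "pro": {"Public", "Personal", "Workspace"},
}

class Forbidden(Exception):
    """Raised when the caller's plan does not include the requested feature."""

@dataclass
class Workspace:
    id: str
    plan: str  # loaded from the billing record, never taken from the request

def create_project_vulnerable(ws: Workspace, body: dict) -> dict:
    """The reported bug: the handler stores whatever visibility the client sends."""
    return {"workspace": ws.id, "visibility": body.get("visibility", "Public")}

def create_project_fixed(ws: Workspace, body: dict) -> dict:
    """Hardened handler: the requested visibility is checked against the plan."""
    requested = body.get("visibility", "Public")
    if requested not in VISIBILITY_BY_PLAN.get(ws.plan, set()):
        raise Forbidden(f"visibility {requested!r} is not in plan {ws.plan!r}")
    return {"workspace": ws.id, "visibility": requested}

def find_bypassed_projects(audit_lines):
    """Clean-up after the fix: ids of projects whose stored visibility the
    workspace's plan never entitled it to (constructed key=value log format)."""
    hits = []
    for line in audit_lines:
        rec = dict(kv.split("=", 1) for kv in line.split())
        if rec["visibility"] not in VISIBILITY_BY_PLAN.get(rec["plan"], set()):
            hits.append(rec["project"])
    return hits

# Constructed request body, trimmed from the one in the report.
BODY = {"description": "landing view", "visibility": "Personal",
        "initial_message": {"message": "landing view", "files": []}}

# Constructed audit lines; p2 was created on a free plan through the bypass.
AUDIT = [
    "project=p1 workspace=ws1 plan=pro visibility=Workspace",
    "project=p2 workspace=ws2 plan=free visibility=Personal",
    "project=p3 workspace=ws2 plan=free visibility=Public",
]
```

The fixed handler rejects the report's request body on a free plan and accepts it on a paid one; the audit scan flags only p2.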