Hey there!😁
You know that scene in cartoons where one character pulls a single thread and someone’s entire sweater unravels? Yeah, that was me last Tuesday. Except instead of a sweater, it was a multi-million dollar company’s security model, and instead of wool, it was pure, uncut administrative access. All because someone forgot to check if I was allowed to pull that thread. 🧶
It all started when I was testing “CloudSecure,” a fancy enterprise document management platform. I had a basic user account with permissions so restricted I could barely change my profile picture. But as any good hunter knows: where there’s complexity, there’s usually broken complexity.
Act 1: The Innocent Beginning — Just Sharing a File 📁
After my standard recon (seriously, how many times have I typed subfinder -d cloudsecure.com this month?), I found their main API. I created two test accounts: user_a and user_b.
The interesting part came when I shared a document from user_a to user_b. The request looked innocent enough:
POST /api/v3/documents/share HTTP/2
Host: api.cloudsecure.com
Authorization: Bearer…