How a Newline Injection in Folder Names Broke Access Revocation: 750$ Bug
Summary: A newline injected into a folder name on the CollabSpace platform caused access revocation to fail; the attacker could retain edit rights permanently, and the owner could neither delete the malicious folder nor revoke access.
2026-4-24 10:4:48 Author: infosecwriteups.com (view original)

Abhi Sharma

Sometimes the smallest input validation issues can snowball into serious business logic flaws. This bug is a good example: a single newline character (%0a) in a folder name was enough to stop owners from revoking access rights, leaving an attacker holding elevated privileges indefinitely.


Understanding the Target

CollabSpace (a pseudonym for a private bug bounty program's product) is a cloud-based platform for project collaboration, offering resource sharing, folder management, and granular access controls. Owners can share resources and grant collaborators rights such as View, Edit, or Transfer Edit Rights.

To maintain control, project owners should always be able to revoke or update collaborator access. This control could be defeated, however, by abusing the folder naming logic.

The Flaw: Newline Injection in Folder Names

The vulnerability existed because the backend did not validate folder names properly. By creating a folder whose name began with a newline character (%0a), a collaborator could break critical permission workflows.


Here’s the malicious request:

POST /api/v1/fs?path=&rid=<resource_id>&dirname=%0aattackerfolder HTTP/2
Host: collabspace.com

This created a folder with a malformed name that disrupted backend path handling.

Steps to Reproduce

  1. Owner grants Transfer Edit Rights to a collaborator (the attacker).
  2. Attacker (editor user) creates a folder with %0a at the start of the folder name.
  3. Owner attempts to revoke rights or delete the folder.
  • This action fails due to backend errors triggered by the malformed folder name.

Result: The attacker retains their access indefinitely.
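As an added example (not code from the writeup or from the CollabSpace product), here is the kind of server-side check on the `dirname` parameter that would have rejected the request shown above before the malformed folder was ever created, plus an audit helper for folder names that were already stored. The function names, the 255-character limit and the exception type are assumptions.

```python
"""Folder-name validation for a URL-encoded `dirname` query parameter.

Added example; the names, the length limit and the error type are assumptions,
not the real CollabSpace API.
"""
import unicodedata
from urllib.parse import unquote

MAX_NAME_LEN = 255  # assumed limit


class InvalidFolderName(ValueError):
    """Raised when a folder name would not survive path handling intact."""


def has_control_chars(name: str) -> bool:
    # Unicode category 'Cc' covers the C0/C1 controls: \n, \r, \x00, \x1b, ...
    return any(unicodedata.category(ch) == "Cc" for ch in name)


def validate_dirname(raw_param: str) -> str:
    """Decode `dirname` and return a safe folder name, or raise InvalidFolderName.

    '%0aattackerfolder' decodes to '\\nattackerfolder' and is rejected, so the
    entry that broke revocation is never stored.
    """
    name = unicodedata.normalize("NFC", unquote(raw_param))
    if has_control_chars(name):
        raise InvalidFolderName("control character in folder name")
    if not name or name.strip() != name:
        raise InvalidFolderName("empty or padded with whitespace")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise InvalidFolderName("path separator or dot segment")
    if len(name) > MAX_NAME_LEN:
        raise InvalidFolderName("folder name too long")
    return name


def is_safe_dirname(raw_param: str) -> bool:
    """Boolean wrapper around validate_dirname for request filters or tests."""
    try:
        validate_dirname(raw_param)
        return True
    except InvalidFolderName:
        return False


def find_malformed_names(stored_names):
    """Audit helper: stored names containing control characters, i.e. folders
    created before validation existed that may still block revocation."""
    return [n for n in stored_names if has_control_chars(n)]


if __name__ == "__main__":
    print(validate_dirname("reports%202025"))
    print(is_safe_dirname("%0aattackerfolder"))
    # Constructed sample of stored folder names, one of them malformed:
    print(find_malformed_names(["docs", "\nattackerfolder", "q3"]))
```

The audit helper matters because fixing the validator alone leaves any already-created malformed folders, and the revocation failures they cause, in place.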

Impact

  • Persistent Access: Attackers could keep edit rights permanently.
  • Denial of Control: Owners couldn’t revoke access or delete malicious folders.
  • Workflow Disruption: Ownership revocation logic was effectively broken.
  • Potential Abuse: Attackers could create multiple such folders, locking down workspaces.

Bounty & Program Response

  • Reported: July 7, 2025
  • Triaged: July 9, 2025
  • Severity: High (8.5) → downgraded to Medium (6.0)
  • Bounty Awarded: $500 + $250 bonus

The program acknowledged that although the confidentiality impact was low, this was a well-crafted and creative finding that broke ownership workflows, which earned a bonus.

Key Takeaways

  • Always check user inputs, including folder and file names.
  • Small oversights in business logic can cause privilege persistence issues.
  • Test boundaries with unusual inputs: newlines, nulls, and special characters often reveal flaws.
  • Even if a bug seems minor, well-documented reports can lead to bonus rewards.

Conclusion

This was a unique case where a simple newline injection caused project owners to lose control over collaborator access. It highlights how critical input validation is for access control and ownership workflows.

Until next time, happy hacking! 🚀

Connect and Engage

💬 What’s your experience with business logic bugs?

Follow me on Twitter: @a13h1_

Keep clapping, commenting, and sharing your thoughts — your support motivates me to share more real bug bounty stories!


Source: https://infosecwriteups.com/how-a-newline-injection-in-folder-names-broke-access-revocation-750-bug-f9a73a8cd978?source=rss----7b722bfd1b8d---4