ClassroomIO Privilege Escalation Vulnerability via Email Verification Bypass
Vulnerability
A privilege escalation vulnerability has been identified in ClassroomIO versions prior to 0.2.6. This issue allows remote attackers to bypass the email verification process, enabling them to mark any user's email as verified, including that of administrators, without access to the victim's email inbox. The vulnerability arises from the application's reliance on client-controlled data for email verification and the use of unsigned, unvalidated Base64-encoded tokens in verification links.
Impact
Exploitation of this vulnerability completely bypasses the email verification process, allowing unauthorized users to gain verified status. This could lead to impersonation of verified staff members, unauthorized access to organizational resources, and potential privilege escalation, particularly for accounts with administrative rights.
Reproduction
The vulnerability can be reproduced through two independent paths, each of which lets the server be told that an email address is verified without the server ever checking. The first path intercepts a request to the profile endpoint, sets the client-controlled 'is_email_verified' field, and sends the altered request; the server accepts the value as submitted. The second path forges a verification token: because the token is only a Base64-encoded JSON payload with no signature, one can be built from a victim's profile information and submitted to the verification endpoint, which decodes it and marks the named account as verified.
Remediation
Users are advised to upgrade to ClassroomIO version 0.2.6 or later, where this vulnerability has been addressed.