[Security Advisory] todoist Unauthorized Third Party Access Vulnerability

On September 20th 2016 I reported the following vulnerability to the todoist Team.

A design flaw exists in the way the registration / invitation process is handled.

Description
*************

– A todoist user invites another person via email.

– The recipient of this invitation can join the todoist project by following the link in the invitation email, which carries the invitation key as a URL parameter. The recipient can log in with an existing account or create a new one.

Impact:
*********

The invitation key is not bound to the recipient's email address on the server side. Thus, anyone who gets access to the email or the invitation key can join the project regardless of the email address they provide when following the invitation link. The risk of exposing the email surely depends on the user's behavior, but in the days of free, public and unencrypted WiFi everywhere I would rate this vulnerability as medium to high, as unauthorized third parties would be able to access regular users' content. If such a breach happens and becomes public, the damage caused to your business and to the trust of your customers would be high.

Recommendation:
*********************

It is recommended to bind the invitation key to the recipient's email address within the server-side application logic. If a user tries to create an account with an email address that differs from the original recipient's email address, the invitation key should be invalidated.
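The following is an added illustration of the recommended fix, not code from todoist: an in-memory invitation store (assumed here in place of a real database) with the flawed "key alone grants access" check next to a hardened check that binds the key to the invited address, rejects expired or already used keys, and invalidates the key on an address mismatch.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store standing in for the server-side invitation table
# (assumption: a real application would keep these records in a database).
INVITATIONS: dict = {}


def create_invitation(project_id: str, recipient_email: str, ttl_seconds: int = 7 * 86400) -> str:
    """Issue a single-use invitation key bound to the invited email address."""
    key = secrets.token_urlsafe(32)           # unguessable key sent in the email link
    INVITATIONS[key] = {
        "project": project_id,
        "email": recipient_email.strip().lower(),   # the address the key is bound to
        "expires": time.time() + ttl_seconds,
        "used": False,
    }
    return key


def accept_invitation_vulnerable(key: str, account_email: str) -> Optional[str]:
    """Flawed logic as described in the advisory: possessing the key is enough,
    the account's email address is never compared with the invited one."""
    inv = INVITATIONS.get(key)
    return inv["project"] if inv else None


def accept_invitation_fixed(key: str, account_email: str) -> Optional[str]:
    """Hardened logic: the key must be known, unused, unexpired and bound to the
    same address as the account that redeems it; a mismatch burns the key."""
    inv = INVITATIONS.get(key)
    if inv is None or inv["used"] or time.time() > inv["expires"]:
        return None
    expected = inv["email"].encode()
    given = account_email.strip().lower().encode()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        del INVITATIONS[key]                       # invalidate on mismatch
        return None
    inv["used"] = True                             # single use only
    return inv["project"]
```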

Timeline
*********************

20.09.2016 Reported vuln to todoist Team

22.09.2016 1st Response from todoist requesting more details

22.09.2016 Detailed information about vuln sent to todoist with notification of responsible disclosure after 90 days or later

22.09.2016 Answer by todoist stating that the issue will be reported to dev team

today: No confirmation or further correspondence received