What is IDOR?
Why does IDOR happen?
Delete Account form
Code working on /user/delete_account/
Steps to Reproduce: "A" is the Admin and "B" is the Attacker
In the "B" account you do not have the option to delete a comment posted by the admin, "A".
HTTP Request Example
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, sdch
Cookie: ** Cookies Goes Here **
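The server-side check that the delete scenario above is missing, as an added example (not the code from the original post): the Comment and Store classes and the "A"/"B" users are constructed stand-ins.

```python
# Added example, not the code from the original post: a comment-delete handler
# with the server-side ownership check that the IDOR scenario above lacks.
# Comment, Store and the "A"/"B" users are constructed stand-ins.
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    author_id: str


@dataclass
class Store:
    comments: dict = field(default_factory=dict)   # comment_id -> Comment
    admins: set = field(default_factory=set)       # user ids with admin rights


def delete_comment_vulnerable(store, requester_id, comment_id):
    """IDOR: the handler trusts the client-supplied id and never asks who owns it,
    so "B" can delete a comment that belongs to the admin "A"."""
    if comment_id not in store.comments:
        return "not found"
    del store.comments[comment_id]
    return "deleted"


def delete_comment_fixed(store, requester_id, comment_id):
    """Authorize against the record the server holds, not against what the UI hides:
    only the author or an admin may delete. Answering "not found" instead of
    "forbidden" is also fine if you prefer not to confirm that the id exists."""
    comment = store.comments.get(comment_id)
    if comment is None:
        return "not found"
    if requester_id != comment.author_id and requester_id not in store.admins:
        # Worth logging: one user hitting many foreign ids is an IDOR-probing signal.
        return "forbidden"
    del store.comments[comment_id]
    return "deleted"


def demo():
    """Replay the write-up's scenario: "A" is the admin, "B" the attacker."""
    store = Store({1: Comment(1, "A"), 2: Comment(2, "B")}, {"A"})
    vulnerable = delete_comment_vulnerable(store, "B", 1)       # "deleted"
    store = Store({1: Comment(1, "A"), 2: Comment(2, "B")}, {"A"})
    fixed = delete_comment_fixed(store, "B", 1)                 # "forbidden"
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```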
Bug Timeline:
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site operates on a freemium model. To gain extra features, a user can pay a fee or allow Badoo to email all his/her friends.
Let's start 😉
Firstly I want to thank my friend Rudra, who always encourages me 🙂 He gave me a simple link and I turned it into an account takeover 😈
The bug was really very simple: it works through CSRF and a token misconfiguration, and it was only valid on https://m.Badoo.com
When you import photos from Facebook or Instagram, the request carries no anti-CSRF token, and the Facebook token that Badoo generates is valid for every user. So I can hand a link for importing photos from my FB account to another user; if that user presses OK, the photos are imported into his account.
But how did I get a takeover from that?
What I noticed was that the generated link also replaces the user's linked FB account with the attacker's FB account, and the best part was that the user only needs to visit the link; no pressing of Cancel or OK is required. 😛
Now an attacker can log in via FB, fully take over the account, and access all of the victim's chats, private photos and everything else 😂
The bug was patched within 2 days of the initial report. The reward ($850) was quite a bit less than I expected 😥.
Steps to reproduce:
1 - Create two Badoo accounts, attacker and victim, and link a different FB account to each of them.
2 - Log in as 'attacker', go to import photos via FB and copy the link from the URL bar.
3 - Now log in as 'victim' in a different browser, open the link and click Cancel.
4 - The FB account of 'victim' is replaced with the FB account of 'attacker' (and removed from the 'attacker' account).
5 - Log in via the attacker's FB account and you will be logged in to the 'victim' account.
Congrats, you just hacked the victim's account.
Suppose there is an attacker account 'A' with the FB account 'FB-of-A' linked, and a victim account 'B' with 'FB-of-B' linked. The attacker creates a link to import photos from his FB account and gives it to victim 'B'. He opens it and presses Cancel, but this has already changed his linked FB account from 'FB-of-B' to the attacker's 'FB-of-A', and now the attacker can log in with his own FB account into the victim's Badoo account.
I can chat with my victim on Badoo and have his/her account hacked within 5 minutes 😝
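The standard fix for the flow described above, as an added example (not Badoo's code): the link that starts a social-account import carries a state value bound to the session that requested it, so a link copied from one user's URL bar does nothing in another user's session. SERVER_KEY, the provider URL and the session dicts are constructed stand-ins.

```python
# Added example, not Badoo's code: a social-account link flow whose state is bound
# to the session that started it. In the write-up the import link was valid for
# every user, so a victim who merely opened the attacker's link got the attacker's
# FB account bound to the victim's own account. All names below are stand-ins.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = b"constructed-server-secret"                        # assumption: server-side only
PROVIDER_AUTH_URL = "https://provider.invalid/oauth/authorize"   # placeholder, not Facebook's endpoint


def _sign(session_id, nonce):
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def start_link(session):
    """Build the provider URL for THIS session: a fresh nonce is stored in the session
    and the state is nonce + MAC(session id, nonce), so it is useless elsewhere."""
    nonce = secrets.token_urlsafe(16)
    session["link_nonce"] = nonce
    state = f"{nonce}.{_sign(session['id'], nonce)}"
    return PROVIDER_AUTH_URL + "?" + urlencode({"state": state})


def state_from_url(url):
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def complete_link(session, state, provider_user_id, accounts):
    """Called when the provider redirects back. Bind provider_user_id to the session's
    account only if the state was issued to this very session; consume it either way."""
    nonce, _, sig = state.partition(".")
    expected_nonce = session.pop("link_nonce", None)             # single use
    if expected_nonce is None or nonce != expected_nonce:
        return "rejected: state not issued to this session"      # the cross-user link case
    if not hmac.compare_digest(sig.encode(), _sign(session["id"], nonce).encode()):
        return "rejected: bad signature"
    accounts[session["user"]] = provider_user_id                 # replace/link only now
    return "linked"


if __name__ == "__main__":
    accounts = {}
    attacker = {"id": "sess-attacker", "user": "attacker"}
    victim = {"id": "sess-victim", "user": "victim"}
    attacker_state = state_from_url(start_link(attacker))
    print(complete_link(victim, attacker_state, "FB-of-A", accounts), accounts)
```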
09 March : Reported
10 March : Bounty Rewarded
11 March : Bug patched
So how does a subdomain takeover work?
In simple words, it happens when the domain manager points a subdomain to an external service but forgets to claim it on that service, or the account there expires. In that case anyone can claim it and place content on it 😮.
My friend has good dorking skills, so apart from wordlist-based subdomain brute-forcing he started with his dorking and found a subdomain, http://web.mopub.com, which was pointing to DYN servers (a service for redirection with DNS-manager-like features).
I then tried to claim it via a trial account, but DYN was not accepting Indian credit cards. I tested in another DYN account and got an error meaning the domain was already claimed, which was because I had added it to my cart. That clearly meant they had not claimed that subdomain (I was already pretty sure from the error shown on the subdomain itself, but this confirmed it). I reported it as a theory-based report, but Twitter kept saying "Need more info"; after a clear explanation of the theory and the cart PoC, they finally triaged it 😇.
But the main part starts here: I removed the subdomain from my DYN account and someone else claimed it with a US card #_#
😤😤😤 Now I had a PoC as well 🙂 and I gave it to Twitter (the bounty had already been rewarded).
They patched it by removing the DYN entries.
My tip to all newbies: you won't always get XSS and the predefined bug classes. Keep an eye on what is going on around your target.
Thanks to the guy who claimed it 😂😆
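A check for the condition just described, as an added example (not from the post): it walks a zone's CNAME records and flags those that point at a third-party service but no longer resolve, or answer with an error page. The zone, resolver, fetcher and the provider suffix list are constructed stand-ins so it runs offline; adapt the suffixes to the services your own DNS actually uses.

```python
# Added example, not from the post: a dangling-CNAME check of the kind that would
# have flagged web.mopub.com while it still pointed at an unclaimed DYN host.
# Zone, resolver and fetcher are constructed stand-ins; the suffix list is an
# assumption to adapt to the providers your own DNS points at.
THIRD_PARTY_SUFFIXES = ("dynect.net", "github.io", "herokuapp.com")


def is_third_party(target):
    return any(target == s or target.endswith("." + s) for s in THIRD_PARTY_SUFFIXES)


def find_dangling_cnames(zone, resolve, fetch):
    """zone: {subdomain: cname_target}; resolve(host) -> IPs or None on NXDOMAIN;
    fetch(subdomain) -> HTTP status when the subdomain is visited.
    Returns (subdomain, target, reason): "nxdomain" means the external target is
    gone and claimable right now; "http-<code>" means it exists but serves an
    error, so verify the provider really holds an active config for it."""
    findings = []
    for subdomain, target in zone.items():
        if not is_third_party(target):
            continue                      # internal CNAMEs are not claimable by outsiders
        if resolve(target) is None:
            findings.append((subdomain, target, "nxdomain"))
            continue
        status = fetch(subdomain)
        if status >= 400:
            findings.append((subdomain, target, f"http-{status}"))
    return findings


# Constructed sample data: only the mopub.com names come from the write-up.
SAMPLE_ZONE = {
    "www.mopub.com": "lb.mopub.com",                      # internal, skipped
    "web.mopub.com": "unclaimed-host.dynect.net",         # constructed target name
    "blog.mopub.com": "constructed-org.github.io",        # constructed, serves 404
}


def sample_resolve(host):
    return None if host.startswith("unclaimed-") else ["192.0.2.10"]


def sample_fetch(subdomain):
    return 404 if subdomain == "blog.mopub.com" else 200


if __name__ == "__main__":
    for finding in find_dangling_cnames(SAMPLE_ZONE, sample_resolve, sample_fetch):
        print(*finding)
```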
“My Friend” = Rudra Pratap Singh
28 Feb 2016 — Bug found and Reported
29 Feb 2016 — Need more information
29 Feb 2016 — More info send by friend
01 Mar 2016 — Need more information
01 Mar 2016 — More information sent by me
02 Mar 2016 — Triaged
05 Mar 2016 — 280$ Bounty rewarded
10 Mar 2016 — Issue Resolved
The whole matter started when one of my best friends, "Aakash Kumar", got acknowledged by Microsoft :O I decided I needed to get onto that list too 😛
I was going mad about the MS HoF, then I started enumerating subdomains 😀 and found a subdomain where I could create a tenant page on MS. It had an open redirect, but I was afraid it would be marked invalid. The URL is mentioned below.
Then I tried the same parameter on:
the crafted link was:
And whoa! It got redirected, and the best thing was that it didn't require any sign-in or anything, a direct redirect to any domain @__@
14 Feb : Bug found and reported
15 Feb : Case opened from MS
04 March : HoF + MSDN Subscription rewarded
How It's Going Out There?
While browsing the internet I found that funcaptcha.com was running a bug bounty programme.
So when I was signing up I noticed that I was able to create an account without even entering a password.
Wanna know how I did it?
HOF page --> Hall of Fame
Yes, I know it was nooby, but I like to keep it simple <3
Thanks for reading.
What is Medium?
Medium is a blog-publishing platform founded by Twitter co-founder Evan Williams in August 2012. The platform has evolved into a hybrid of non-professional contributions and professional, paid contributions, an example of social journalism. Some of its publications include the online music magazine Cuepoint, edited by Jonathan Shecter, and the technology publication Backchannel, edited by Steven Levy.
Well, the whole furore started when a lil asshole challenged me to find a bug in Medium, and guess what??? I took the shit out of Medium haha! I used to be a black hat hacker, but that lil asshole made me a white hat hacker 🙁 .
So let the testing of the site begin. Medium's website was somewhat different from all the other websites out there. First I tried to get some CSRF in my hands, but unfortunately I didn't get any; then I looked for XSS and open redirects, but I wasn't getting shit, and I was like "I'm gonna lose this challenge". Then the next day I checked the mails from Medium in my personal email account and thought "WTF? I registered with my main email to let them spam it?" I immediately changed the email to another, fake email account. After changing it, Medium asked me to confirm the new email (obviously). My mind said: let's try to confirm the new email with that old link in my main email account. I clicked that old link and BOOM, it confirmed my new email :O I said, yeah, got it.
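A confirmation-token design that would have rejected the old link, as an added example (not Medium's code): the token's MAC covers the specific address being confirmed and a per-change nonce, so a link mailed for an earlier address cannot confirm a later change. SERVER_KEY, TTL and the User class are constructed stand-ins.

```python
# Added example, not Medium's code: an email-change confirmation token bound to the
# pending address and a per-change nonce, so an earlier link (the "old link" in the
# write-up) cannot confirm a later change. SERVER_KEY, TTL and User are stand-ins.
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-server-secret"   # assumption: server-side only
TTL = 24 * 3600                             # assumption: links expire after a day


class User:
    def __init__(self, uid, email):
        self.uid, self.email = uid, email
        self.pending_email = None
        self.pending_nonce = None


def _mac(uid, new_email, nonce, exp):
    msg = f"{uid}|{new_email}|{nonce}|{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(user, new_email, now=None):
    """Record the pending change and return the token for the link sent to new_email;
    the fresh nonce means every earlier confirmation link stops working."""
    now = time.time() if now is None else now
    user.pending_email = new_email
    user.pending_nonce = secrets.token_urlsafe(16)
    exp = int(now + TTL)
    return f"{user.pending_nonce}.{exp}.{_mac(user.uid, new_email, user.pending_nonce, exp)}"


def confirm_email_change(user, token, now=None):
    """The write-up's token only identified the user; here the MAC also covers the
    address being confirmed, and the nonce must match the currently pending change."""
    now = time.time() if now is None else now
    try:
        nonce, exp, mac = token.split(".")
        exp = int(exp)
    except ValueError:
        return "rejected: malformed"
    if user.pending_email is None or nonce != user.pending_nonce:
        return "rejected: not the token for the pending change"
    if now > exp:
        return "rejected: expired"
    if not hmac.compare_digest(mac.encode(), _mac(user.uid, user.pending_email, nonce, exp).encode()):
        return "rejected: bad signature"
    user.email, user.pending_email, user.pending_nonce = user.pending_email, None, None
    return "confirmed"
```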
I reported it immediately and got a fast response, within 36 hours:
We’re looking into this. I’ll get back to you soon. Thanks for reporting it.
and within the next 48 hours:
Thanks again for reporting this issue. Our engineers have determined that this report meets the following criteria:
Bugs leaking or bypassing significant security controls: $250
as outlined in our Bug Bounty program policy: https://medium.com/policy/
We'd like to send you a Medium t-shirt to say thanks as well. We'd also like to add you to our humans.txt page (https://medium.com/humans.txt).
Please let us know where to send a shirt and what size you wear. Also, let me know how you’d like your name to appear on humans.txt.
I’ll email you and Cc our accounting team to facilitate the money part of the reward getting to you.
😀 😀 Got my first bounty + swag + HoF
Jan 22 ‘ 2016 : Bug Found and reported
Jan 26 ‘ 2016 : Triaged ( Under Investigation )
Jan 27 ‘ 2016 : Bounty+Swag Rewarded
What about that asshole? He blocked me 🙁 🙁
Video PoC –
I HOPE YOU LIKE THE WRITE-UP, IT'S MY FIRST 😛