Privilege escalation from unauthenticated user to premium
Hello hunters! Back with another awesome hunting story.
TARGET: “Leetcode.com”
Note: the bug is fixed! Of course.
Let's get back to business. I'm a fellow hunter like you, so please ignore any mistakes I make. The bug is all about privilege escalation: the site uses single sign-on (SSO), and I took advantage of this functionality to access the premium content.
Long story short! The website divides its content between premium users, normal users and unauthenticated users. Normal users and unauthenticated users both have the same content accessibility, so this means the vulnerability can be performed as an unauthenticated user too.
The single-sign-on feature checks whether the user is a premium user or a normal user; if a normal user tries to access the premium content, it shows an error message. Now the sexy part comes around: when I was lurking in it for juicy stuff, I came across the response that verifies whether I'm a premium user, so I changed isPremium:false -> isPremium:true. As it's single sign-on, I thought it might work, and then forwarded the request. Boom! I'm a premium user and can access the premium content with no worries.
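The pattern described above, as an added example that is not part of the original post and not LeetCode's code: a content endpoint that relies on the client honouring an isPremium flag, beside one that re-checks entitlement from the session on the server. The session IDs, user names, plan table and function names are all constructed for illustration.

```javascript
// Added example, not LeetCode's code: every name and value below is constructed.
const SESSIONS = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);
const PLANS = new Map([["alice", "premium"], ["bob", "free"]]); // server-side record
const PREMIUM_BODY = "premium problem statement";

// Weak pattern: the status endpoint reports the plan...
function weakStatus(sessionId) {
  return { isPremium: PLANS.get(SESSIONS.get(sessionId)) === "premium" };
}
// ...and the content endpoint serves everyone, trusting the client to hide it.
function weakContent(_sessionId) {
  return { status: 200, body: PREMIUM_BODY };
}
// Client-side gate: decides from a response body the user can edit in a proxy.
function clientGate(statusBody, sessionId, contentEndpoint) {
  if (!statusBody.isPremium) return { status: 403, body: "upgrade required" };
  return contentEndpoint(sessionId);
}

// Hardened: entitlement is re-derived from the session on every content request.
function hardenedContent(sessionId) {
  const user = SESSIONS.get(sessionId);
  if (!user) return { status: 401, body: "login required" };
  if (PLANS.get(user) !== "premium") return { status: 403, body: "upgrade required" };
  return { status: 200, body: PREMIUM_BODY };
}

// Regression check: a flipped flag must not change what the server returns.
function regression(contentEndpoint) {
  const results = {};
  const cases = [["anonymous", undefined], ["free", "sess-bob"], ["premium", "sess-alice"]];
  for (const [label, sessionId] of cases) {
    // What the client sees after the status response has been edited in transit.
    const tampered = { ...weakStatus(sessionId), isPremium: true };
    results[label] = clientGate(tampered, sessionId, contentEndpoint).status;
  }
  return results;
}

console.log("weak:    ", regression(weakContent));
console.log("hardened:", regression(hardenedContent));
```

With the hardened endpoint the flag in the status response becomes a display hint only; the same regression check can run in CI against every premium route.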
Video PoC
Reported: Oct 25 2019
Triaged and awarded: Oct 31 2019
Patch confirmation: Nov 5 2019
Hope it's useful for you. Happy hunting, hunters!
