Privilege escalation from unauthenticated user to premium

shesha sai_c
Nov 5 · 1 min read

Hello hunters! Back with another awesome hunting story.

TARGET: “Leetcode.com”

Note: the bug is fixed, of course!

Let's get back to business. I'm a fellow hunter like you, so please forgive me if I make any mistakes. The bug is all about privilege escalation: the site uses single sign-on (SSO), and I took advantage of this functionality to access the premium content.

Long story short! The website divides its content between premium users, normal users and unauthenticated users. Normal users and unauthenticated users both have the same content accessibility, so this means the vulnerability can be performed using an unauthenticated user too.

The single sign-on feature checks whether the user is a premium user or a normal user. If he's a normal user, it shows an error message when he tries to access the premium content. Now the sexy part comes around: while I was lurking in it for juicy stuff, I came across the response that verifies whether I'm a premium user, so I changed isPremium: false -> isPremium: true. As it's single sign-on, I thought it might work, and then I forwarded the request. Boom! I'm a premium user and can access the premium content with no worries.

Video PoC
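The flaw described above, as an added example that is not part of the original post and not LeetCode's code: a minimal model of a client that trusts an isPremium flag in a response, next to a server handler that re-checks the entitlement itself. The session IDs, handler names and data are constructed for illustration; the post does not say how the site implemented or fixed the check.

```javascript
// Constructed sample data: server-side records, never derived from client input.
const SESSIONS = new Map([["sess-free", { userId: 1 }], ["sess-paid", { userId: 2 }]]);
const ENTITLEMENTS = new Map([[1, { premium: false }], [2, { premium: true }]]);
const PREMIUM_CONTENT = { id: 42, body: "premium problem text (placeholder)" };

// Status endpoint: the flag is only a UI hint. Anything between server and
// browser can rewrite it, so it must never be the access decision.
function getStatus(sessionId) {
  const session = SESSIONS.get(sessionId);
  const isPremium = session ? ENTITLEMENTS.get(session.userId)?.premium === true : false;
  return { status: 200, body: { isPremium } };
}

// Vulnerable pattern: content is served to any caller; only the client hides it.
function getContentVulnerable(_sessionId) {
  return { status: 200, body: PREMIUM_CONTENT };
}

// Hardened pattern: entitlement is looked up server-side on every premium request.
function getContentHardened(sessionId) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 401, body: { error: "login required" } };
  if (ENTITLEMENTS.get(session.userId)?.premium !== true) {
    return { status: 403, body: { error: "premium required" } };
  }
  return { status: 200, body: PREMIUM_CONTENT };
}

// Model of the client: it requests content only if the status response,
// as received (possibly modified in transit), says the user is premium.
function clientView(sessionId, contentHandler, modify = (r) => r) {
  const status = modify(getStatus(sessionId));
  if (!status.body.isPremium) return "blocked-by-ui";
  const res = contentHandler(sessionId);
  return res.status === 200 ? "content-shown" : `denied-${res.status}`;
}

// The response edit from the write-up: isPremium false -> true.
const flipFlag = (r) => ({ ...r, body: { ...r.body, isPremium: true } });

console.log(clientView("sess-free", getContentVulnerable, flipFlag)); // content-shown
console.log(clientView("sess-free", getContentHardened, flipFlag));   // denied-403
console.log(clientView(undefined, getContentHardened, flipFlag));     // denied-401
```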

Reported: Oct 25 2019

Triaged and awarded: Oct 31 2019

Patch confirmation: Nov 5 2019

Hope it's useful for you. Happy hunting, hunters!
