How I made 1000$ with AT&T Bug Bounty(H1)

Adesh Kolte
Oct 2 · 3 min read

Hello, Guys, I m back with a new Story on bug bounty, I found this bug last year on AT&T bug bounty program (Now its H1 Program), thought of sharing it

So here I would like to share how I got 1000$ for reporting CSRF vulnerability in AT&T which Leads to user account takeover

here you will get to know the importance of Account Takeover 👊:v:) ,

So here’s how it went on, earlier during my engineering 3rdyear, I had too much free time, That time my daily schedule was like,

Eat-> Sleep -> Bug Hunting -> Repeat

CSRF (Cross site request forgery) is the vulnerability that tricks the user to submit the malicious request if there is no implementation of the Anti-CSRF tokens in the forms or site. When implemented your website https://example.com will include a random generated number or token to every page which is impossible to guess by the attacker so https://example.com will include it when they serve it to you. It differs each time they serve any page to anybody so attacker won’t be able to generate a valid request because of the wrong token.

Vulnerability: CSRF/XSRF (Cross site request forgery)
Severity: Critical

  • The target is https://www.att.com.mx/tienda/customer/account/editPost/
  • Create two accounts csrfattacker (Mozilla) and csrfvictim (Chrome) or you can also test it with one account.
  • After login in both accounts with different browsers go to account settings and click on edit in mozilla.
  • Open any web proxy tool to intercept the request of the profile change
  • We can exploit the form both ways manual/automated but we’ll Use automated exploitation with burp
  • Right click on request and select Engagement tools and click on ‘Generate PoC request’, Here copy HTML and save it as csrf.htm
CSRF Poc
  • change the email id in the html if you want takeover with email. you can use password too for takeover. If you’re trying to exploit manually you can just use one ‘email’ field (Mendatory (*) fields are needed, rest you can delete) and exploit the request.
  • In new tab in chrome open csrf.html and click on submit request and you’ll get victim’s account with Email/Password, to cross verify you can refresh the first tab.

Thank u for reading this article

Got 1000$ Bounty From HackerOne

Have a happy hunting

.

Written by

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade