How I made 1000$ with AT&T Bug Bounty(H1)

Image for post
Image for post

Hello, Guys, I m back with a new Story on bug bounty, I found this bug last year on AT&T bug bounty program (Now its H1 Program), thought of sharing it

So here I would like to share how I got 1000$ for reporting CSRF vulnerability in AT&T which Leads to user account takeover

here you will get to know the importance of Account Takeover 👊:v:) ,

So here’s how it went on, earlier during my engineering 3rdyear, I had too much free time, That time my daily schedule was like,

Eat-> Sleep -> Bug Hunting -> Repeat

CSRF (Cross site request forgery) is the vulnerability that tricks the user to submit the malicious request if there is no implementation of the Anti-CSRF tokens in the forms or site. When implemented your website https://example.com will include a random generated number or token to every page which is impossible to guess by the attacker so https://example.com will include it when they serve it to you. It differs each time they serve any page to anybody so attacker won’t be able to generate a valid request because of the wrong token.

Vulnerability: CSRF/XSRF (Cross site request forgery)
Severity: Critical

  • The target is https://www.att.com.mx/tienda/customer/account/editPost/
  • Create two accounts csrfattacker (Mozilla) and csrfvictim (Chrome) or you can also test it with one account.
  • After login in both accounts with different browsers go to account settings and click on edit in mozilla.
  • Open any web proxy tool to intercept the request of the profile change
  • We can exploit the form both ways manual/automated but we’ll Use automated exploitation with burp
  • Right click on request and select Engagement tools and click on ‘Generate PoC request’, Here copy HTML and save it as csrf.htm
Image for post
Image for post
CSRF Poc
  • change the email id in the html if you want takeover with email. you can use password too for takeover. If you’re trying to exploit manually you can just use one ‘email’ field (Mendatory (*) fields are needed, rest you can delete) and exploit the request.
  • In new tab in chrome open csrf.html and click on submit request and you’ll get victim’s account with Email/Password, to cross verify you can refresh the first tab.

Thank u for reading this article

Image for post
Image for post

Got 1000$ Bounty From HackerOne

Image for post
Image for post

Have a happy hunting

.

Written by

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store