How I was able to take over accounts of an Earning App
Hey Everyone, I intend to write this one down to explain my methodology for a bug that I found in one of the best Earning apps.
With that being said, let's start 😃
I was searching on the Google Play Store for "Real Money Earning apps" and I selected the first one. I created an account and started earning money. When I had earned up to 1.08 dollars in 1 week :( I decided to cash out this money, so I clicked on the cashout button in the app. It redirected me to my account on their web page.
While redirecting I noticed there was no session token. I was like wow :)
Now I changed mymail@ to test@ in the URL and the web page result was "Please correct your Client-id and user-key".
Now it's time to dig in more. The app had a chat feature, so I decided to dig there. I opened my account in Firefox, which is configured with Burp, and a test account on my phone. I messaged my account from the test account. I received a notification, and intercepting the request made by clicking on it showed all the info related to the message in the Burp Repeater response, including the sender's user id and user key.
Now I put this id & key into the URL and was able to log in to the victim's account successfully... Simple.
Hope you guys like this... Thanks for reading and sorry for my poor English :/
Reported on 27-09-2018
Fixed: they added session tokens, unique per user per session.
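The root cause the post describes is that the app-to-web handoff authenticated users with two long-lived values (client-id and user-key) placed in the URL, and the same user-key was also returned in an unrelated API response (the chat notification). The example below is an added illustration, not the app's or the author's code: it shows that weak pattern next to the kind of fix the post mentions, a short-lived single-use handoff token that is exchanged for a server-side session, plus an API view that never returns the credential. The user store, the 60-second token lifetime, the URL and all sample values are constructed assumptions.

```python
"""Added example (not the app's or the post author's code): the weak
cross-app handoff described in the post beside a hardened version.

Assumptions (not from the post): an in-memory user store keyed by the
account e-mail, a 60-second single-use handoff token, a server-side session
table, and the cashout.example URL. All values are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample account; "user_key" stands for the long-lived key the
# post says was visible in the chat-notification response.
USERS = {"mymail@example.com": {"user_key": "k-static-secret"}}

# --- Weak pattern: static identity + long-lived key in the redirect URL ----

def weak_cashout_url(client_id: str) -> str:
    """Builds the kind of redirect the post describes: no session token, just
    the account's permanent identifiers as query parameters."""
    return "https://cashout.example/account?" + urlencode(
        {"client-id": client_id, "user-key": USERS[client_id]["user_key"]})

def weak_login(url: str) -> Optional[str]:
    """Server side of the weak pattern: whoever presents a matching id/key
    pair is treated as the account owner, for as long as the key is unchanged
    (the key is also reusable and ends up in browser history and logs)."""
    q = parse_qs(urlsplit(url).query)
    cid = q.get("client-id", [""])[0]
    key = q.get("user-key", [""])[0]
    user = USERS.get(cid)
    if user and hmac.compare_digest(user["user_key"], key):
        return cid
    return None

# --- Hardened pattern: short-lived, single-use handoff -> server session --

HANDOFF_TTL = 60            # seconds a handoff token stays valid (assumption)
_handoffs: dict = {}        # sha256(token) -> (client_id, expires_at)
_sessions: dict = {}        # sha256(session_id) -> client_id

def _h(value: str) -> str:
    """Store only hashes so a leaked table does not yield usable tokens."""
    return hashlib.sha256(value.encode()).hexdigest()

def issue_handoff(client_id: str, now: Optional[float] = None) -> str:
    """Called by the app backend after the mobile session has been verified.
    The URL carries only an unguessable, expiring, single-use token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _handoffs[_h(token)] = (client_id, now + HANDOFF_TTL)
    return "https://cashout.example/account?" + urlencode({"handoff": token})

def redeem_handoff(url: str, now: Optional[float] = None) -> Optional[str]:
    """Web side: consume the token exactly once, within its TTL, and mint a
    separate server-side session. Returns the session id or None."""
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(url).query).get("handoff", [""])[0]
    entry = _handoffs.pop(_h(token), None)        # pop => single use
    if entry is None:
        return None
    client_id, expires_at = entry
    if now > expires_at:
        return None
    session_id = secrets.token_urlsafe(32)
    _sessions[_h(session_id)] = client_id
    return session_id

def session_user(session_id: str) -> Optional[str]:
    """Resolve a web session cookie value back to the account it belongs to."""
    return _sessions.get(_h(session_id))

def notification_view(message: dict) -> dict:
    """API responses about other users (e.g. a chat notification) expose only
    display fields; a key that grants login must never leave the server."""
    allowed = ("from_client_id", "text", "sent_at")
    return {k: message[k] for k in allowed if k in message}
```

The two properties that close the hole are visible in `redeem_handoff`: the token is removed from the store on first use, and it is rejected after its TTL, so a copied URL is worthless a minute later and worthless a second time. `notification_view` covers the other half of the finding, that the credential was being returned in an unrelated API response; with a whitelist of output fields there is nothing to paste into a URL even if the redirect were still weak.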