Story about Facebook OAuth Account Takeover


Hi, my name is Rafli Pasya. My hacker name is Zerb0a. In this story I am going to tell you about an account takeover on iLOTTE. For your information, iLOTTE is an eCommerce site from South Korea. I found this bug in the Facebook OAuth login function. Okay, let me explain the story.

That day, my father had just bought something for my grandma. He told me to check the order status (he had already paid for it). Then my hacker brain began to think about looking for some interesting bug, so I opened Burp Suite and intercepted the request.

When I tried to log in with Facebook, I found a POST request to /loginProccess.do with the body:
sometokenparamter=&andiforgotittoo=&id=[myfacebookemail]

It looks interesting, right? I changed the id to the victim's email address and boom! I was logged in to the victim's account :) The server trusted the email in the id field without checking the Facebook token, so this works on any account; you just need the email address to log in.
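As an added illustration (not iLOTTE's code or the author's), the following model shows a login handler that trusts the client-supplied id field, as described above, beside a hardened version that only accepts the identity the provider itself attests for the access token. The account store and the provider lookup are constructed stubs; in production the lookup would be a server-to-server call to the identity provider.

```python
from typing import Optional

# Constructed user store: email -> account id (stand-in for the site's user table)
ACCOUNTS = {"alice@example.com": 1001, "bob@example.com": 1002}

# Constructed stand-in for the identity provider's token introspection:
# access token -> identity the provider attests, plus the app the token was issued to.
PROVIDER_TOKENS = {
    "tok-alice-valid": {"email": "alice@example.com", "app_id": "APP123"},
    "tok-other-app": {"email": "bob@example.com", "app_id": "APP999"},
}
OUR_APP_ID = "APP123"  # hypothetical app id registered with the provider


def vulnerable_login(form: dict) -> Optional[int]:
    """Mirrors the bug: whoever is named in the client-supplied `id` field is
    logged in. The token parameters arrive in the form but are never checked."""
    return ACCOUNTS.get(form.get("id", ""))


def verify_with_provider(token: str) -> Optional[dict]:
    """Stub for the provider-side check (e.g. asking the provider which user
    and which app a token belongs to). Returns the attested identity, or None
    when the token is unknown or was issued to a different app."""
    info = PROVIDER_TOKENS.get(token)
    if info is None or info["app_id"] != OUR_APP_ID:
        return None
    return info


def hardened_login(form: dict) -> Optional[int]:
    """The identity used for login comes only from the verified token. The
    client's `id` field is never used to pick the account; it is at most a
    consistency check, and a mismatch is rejected (and worth logging)."""
    identity = verify_with_provider(form.get("access_token", ""))
    if identity is None:
        return None
    email = identity["email"]
    if form.get("id") and form["id"] != email:
        return None  # client claim disagrees with what the provider attests
    return ACCOUNTS.get(email)
```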

Video PoC:

PoC video from my channel

After that I contacted customer service, but they didn't take it seriously. Then, when I told her that the impact of this bug could cause a loss, the iLOTTE IT team contacted me via WhatsApp. I gave him the video PoC, and after 2 weeks I got my reward, not much but enough for a student like me :D.


Reward: IDR 2.000.000 (around $150–160)

Status: Fixed & Rewarded (Accepted for Public Disclosure)
