Story about Facebook OAuth Account Takeover
Hi, my name is Rafli Pasya. My hacker name is Zerb0a. In this story I'm going to tell you guys about an Account Takeover on iLOTTE. For your information, iLOTTE is an eCommerce site from South Korea. I found this bug in the Facebook OAuth function. Okay, let me explain the story.
That day, my father had just bought something for my grandma. He told me to check the order status (he had paid for it). Then my hacker brain began to think about looking for some interesting bug, so I opened Burp Suite and intercepted the request.
When I tried to log in with Facebook, I found a POST request to /loginProccess.do with the body:
It looks interesting, right? I changed the id to the victim's email address and boom! I was logged in to the victim's account :) So this works on any account; you just need an email to log in.
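The flaw described above is that the server treats a client-supplied email in the login POST as the authenticated identity, instead of the identity that the Facebook access token actually proves. The following is an added example, not iLOTTE's code and not anything from the original post: a minimal vulnerable login handler next to a hardened one. The field names (`id`, `access_token`), the user table and the stand-in for Facebook's token lookup are all assumptions constructed for the example.

```python
"""Added example (not the vendor's code): a Facebook-login callback that trusts
the client-supplied email, and the hardened version that derives identity only
from the provider-verified access token.
"""
import secrets

# Constructed user store: email -> account record (assumption for the example).
USERS = {
    "alice@example.com": {"name": "Alice"},
    "bob@example.com": {"name": "Bob"},
}

# Constructed stand-in for the Facebook Graph API lookup of an access token
# (the real handler would call GET /me?fields=email over HTTPS). Only the
# token's true owner is returned; unknown tokens yield None.
FB_TOKENS = {
    "tok-alice-123": {"id": "10001", "email": "alice@example.com"},
}

# Server-side session table: session id -> email of the logged-in user.
SESSIONS = {}


def _start_session(email):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = email
    return sid


def login_vulnerable(form):
    """Mirrors the bug: whatever email arrives in the POST body picks the
    account. The Facebook token is never checked, so the 'id' field is the
    only thing an attacker needs."""
    email = form.get("id")
    if email not in USERS:
        return None
    return _start_session(email)


def fetch_facebook_email(access_token):
    """Simulated provider lookup; None for a missing, unknown or expired token."""
    info = FB_TOKENS.get(access_token)
    return info["email"] if info else None


def login_fixed(form):
    """Hardened handler: the identity comes only from the provider-verified
    token. Any 'id' field in the body is ignored entirely."""
    email = fetch_facebook_email(form.get("access_token", ""))
    if email is None or email not in USERS:
        return None
    return _start_session(email)


def whoami(sid):
    """Resolve a session id to the logged-in email (None if no such session)."""
    return SESSIONS.get(sid)


if __name__ == "__main__":
    # Attacker holds a valid token for Alice but rewrites 'id' to Bob's email.
    forged = {"access_token": "tok-alice-123", "id": "bob@example.com"}
    print("vulnerable ->", whoami(login_vulnerable(forged)))  # bob@example.com
    print("fixed      ->", whoami(login_fixed(forged)))       # alice@example.com
```

In the fixed handler the token is the only credential. In a real deployment, verify the token also belongs to your own app (Facebook's /debug_token endpoint reports the app id and validity) before accepting the email it returns, and link accounts on the provider's user id rather than a bare email where possible.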
After that I contacted Customer Service, but they didn't take it seriously. Then, when I told her that the impact of this bug could cause a loss, the iLOTTE IT team contacted me via WhatsApp. I gave him a video PoC, and after 2 weeks I got my reward, not much but enough for a student like me :D.
Reward : IDR 2.000.000 ( around $150–160 )
Status : Fixed & Rewarded ( Accepted For Public Disclosure )