How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener

Hi, today I will tell you how I hacked one service and successfully managed to get administrator rights.

(This issue has been reported to company’s bug bounty program at https://hackerone.com/ok and is now fixed)

There is a service for shortening links “https://okl.lt”
I searched for something there for a long time but my attempts were unsuccessful, since the average user has practically no functionality there

And suddenly it occurred to me to look at the scripts/styles associated with the site

I found an interesting js script: https://okl.lt/js/2236ccc.js

I saw the Jquery library there, and thought that there would be very little interesting or nothing at all… 😓

Nevertheless, I decided to look, and it was not in vain, I saw all the API methods, and the functions of this service 😻

Image for post
Image for post
OMG

It was there that I saw the functions of the administrator…

Image for post
Image for post
Adm Func

I decided to make a request and try to perform one of the functions (I was sure that this would not work because everyone makes very cruel checks)

{"result":true,"people":null}

I did not show you the request itself, but it was successfully completed! and I saw this answer! 😂🤗

I immediately ran to write my report to this program

Timeline:

changed the status to Triaged. (Apr 24th)

Fix (Apr 25th)

Bounty( Apr 26th) $500

The guys made a correction very quickly, the vulnerability was aggravated by the fact that absolutely any user could see
this and take advantage for their own purposes.

Report: https://hackerone.com/reports/547145
Twitter: https://twitter.com/iframe0x01

Happy hunting :)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store