How I hacked

(and I found a vulnerability that allowed access tokens to be stolen)

By @jacopoMii


This was the first bug bounty I took part in, and this is my first writeup in English.
I’m just an Italian student with a strong wish to learn new IT-security stuff and a strong belief in ethical hacking.
If someone finds errors or wants to give me suggestions, please contact me.


From Wikipedia:

AlterVista is an Italian web platform where you can open a website for free.
On AlterVista you can create a website with PHP, MySQL database and FTP access.
Use of the space is free but some additional services are subject to charges.
Altervista was bought by Mondadori spa in 2016 and today it hosts about 3 million sites.

Altervista lets you manage your website through a convenient web panel once you have logged in.

Altervista also has a forum where people can ask for programming questions and participate in community life:

The Altervista Forum

How the login system works

I wandered around Altervista for a while, until I noticed that if you had already logged in to the administration panel of your site, to log in on the forum you just had to click the “Login” button, without retyping your credentials; so I started studying how that button works:

It was a simple link for

If you have already authenticated, that page does nothing more than generate an “authorization_code” and then redirect you to
The strange parameter “do” contains the word “login” followed by the link “" encoded in base64 (I know, that’s a strange choice).
The parameter “authorization_code” contains the “authorization_code” generated before.
If you haven’t authenticated yet, it first asks you for your username and password and then redirects you in the same way.

How I came to discover the vulnerability

The vulnerability is this: if we can change the value of the “redirect_uri” GET parameter, we can craft a special link that, when clicked, redirects the user to our server instead of the Altervista server, letting us capture the authorization_code that is appended to the end of the URL (and then log in with another person’s profile).

Unfortunately, there seemed to be a filter on the parameter, which accepted only subdomains of

At this point I remembered a video by LiveOverflow, in which he shows that programmers often make mistakes when they have to parse URLs, especially when the input does not comply with the specification.
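As an added example (not code from this post or from Altervista), here is a redirect_uri check that parses the URL before comparing the host, placed next to a loose substring check and run over constructed sample inputs; the allowed domain example.org and the host attacker.test are placeholders, since the post does not show the real filter or the real domain.

```python
from urllib.parse import urlsplit

# Placeholder for the hosting service's domain (the real domain is not shown in the post).
ALLOWED_BASE_DOMAIN = "example.org"


def loose_is_allowed(redirect_uri: str) -> bool:
    """A loose check, constructed here as a contrast: it only asks whether the
    allowed domain appears somewhere in the string, not where it appears."""
    return ALLOWED_BASE_DOMAIN in redirect_uri


def strict_is_allowed(redirect_uri: str) -> bool:
    """Parse the URL first, then decide on the host component alone.

    Policy: https only, no userinfo, no explicit port, and the host must be
    the base domain itself or one of its subdomains (checked on a label
    boundary, so 'example.org.other' does not qualify).
    """
    try:
        parts = urlsplit(redirect_uri)
        # .port raises ValueError on a malformed port, so it stays inside the try.
        userinfo_or_port = (parts.username, parts.password, parts.port)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if any(x is not None for x in userinfo_or_port):
        return False
    host = parts.hostname  # lower-cased host with userinfo and port removed
    if not host:
        return False
    return host == ALLOWED_BASE_DOMAIN or host.endswith("." + ALLOWED_BASE_DOMAIN)


# Constructed sample inputs: one legitimate callback and three that a
# substring check accepts for the wrong reasons.
SAMPLE_REDIRECTS = {
    "https://mysite.example.org/forum/callback": True,
    "https://example.org.attacker.test/callback": False,         # suffix confusion
    "https://mysite.example.org@attacker.test/callback": False,  # userinfo confusion
    "http://mysite.example.org/callback": False,                 # wrong scheme
}


def audit(validator) -> dict:
    """Run a validator over the samples; True marks a wrong verdict."""
    return {uri: validator(uri) != expected for uri, expected in SAMPLE_REDIRECTS.items()}


if __name__ == "__main__":
    for name, fn in (("loose", loose_is_allowed), ("strict", strict_is_allowed)):
        wrong = [u for u, bad in audit(fn).items() if bad]
        print(f"{name}: {len(wrong)} wrong verdict(s)", wrong)
```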

Then I started fuzzing, until I found a way to bypass the filter:

It redirects you as follows:

We can steal the access token

So if instead of we put our malicious server address here, we can steal the access token.
And then log in with it:

Logged in with another person’s profile


I immediately reported my discovery to Altervista through the appropriate form, and they fixed it almost immediately.
As a reward, they added my name to the thanks list:

Thanks list screenshot


- 02 January 2018: Started looking for vulnerabilities on
- 03 January 2018: Discovered vulnerability and sent a PoC to Security Team
- 04 January 2018: Patch went online and my name was added to thanks list

Written by

20 years old, ICT enthusiast, cybersecurity student and CTF player
