How I logged into user accounts with no information

Jaeden Samia
3 min read · Feb 22, 2024


Hello Everyone,

This was one of the easiest bugs I have found. Unfortunately, this website did not have a bug bounty program, so instead I sent them an email.

Background

The website, which we will simply call website.com, is a site I personally use. I had signed up for text alerts, and that morning I got a text mentioning offers, with a link to log in to my account and check them out. I had received messages from them in the past, and they all looked similar to the one below.

Your offers from website.com are ready: website.com/d/123aB

The Bug

For once I decided to click it; since I knew this was their official number, I figured there was no harm in checking. But when I went to the link I noticed I was instantly taken to the offers under my profile tab. I had always visited the website from my desktop, not my phone. But sure enough, when I clicked on the Account tab, all of my info was right there.

Dramatic recreation

To verify this, I followed the link on my laptop in an incognito tab and noticed I was logged in instantly once again. This is when I realized that if I could just change the ending of the path, I could log in to anyone's account. I quickly fired up Burp and launched Intruder.

I decided to start by modifying just the two letters on the end, and after a short amount of time I got the URL website.com/d/123e. I then copied the URL and pasted it into an incognito browser and BINGO! I was in somebody else's account. Now I could modify their info as well as see their name, DoB, email, phone, and the interests they had set. I was able to gather all of this without even knowing the user's ID.

Before some of you mention that it could be a one-time or time-based login: unfortunately, I was reviewing my messages from them and noticed they had sent the same URL over a month prior to this discovery.
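For contrast, here is what a magic-link token service looks like when it does not have this problem. This is an added example written for this article, not the site's code (the post never says what the site runs); it assumes a Python backend and an in-memory store. The token is long and random (so it cannot be enumerated the way a 4-character path suffix can), it is stored only as a hash, it expires, and it can be redeemed exactly once, so a link found in an old text message is useless. `guess_space` shows the size of the search space a short token leaves.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Grant:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, expiring login tokens (constructed example)."""

    def __init__(self, ttl_seconds: int = 15 * 60, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._grants: Dict[str, Grant] = {}   # keyed by SHA-256 of the token, never the token

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 random bytes (256 bits): enumeration with an intruder-style tool is infeasible.
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(user_id, self.clock() + self.ttl)
        return token  # embed in the link, e.g. website.com/d/<token>

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id for a valid token, or None; a valid token works only once."""
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.used or self.clock() > grant.expires_at:
            return None
        grant.used = True   # replaying a link from an old message does nothing
        return grant.user_id


def guess_space(token_len: int, alphabet_size: int = 62) -> int:
    """Number of candidates an attacker must cover for a token of this length/alphabet."""
    return alphabet_size ** token_len
```

Even with a strong token, the login endpoint should be rate limited and failed redemptions logged, since a burst of invalid tokens from one client is exactly what the enumeration described above looks like on the server side.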

I then found an email address to reach support and wrote a report explaining the findings, the dangers, and ways to patch it.

Update: They are working on a patch, and I was rewarded with a 5-year membership for reporting it!

Thanks for reading!
