BookMyShow account takeover using social login

Sukhmeet Singh
Fun Apps forwarding Derpina’s access token to BMS and logs into Derpina’s BMS account
Visual representation of assumption how victim’s access token is used to log into BMS

Disclaimer: This story is just to give you an idea how misconfigured social login can be exploited.

Hello cruel world,

This is the story of an innocent girl, Derpina Victims, whose BookMyShow account got hacked because she just wanted to know “when will she die” from a viral, stupid Facebook app.

Derpina got to know about this “cool” Facebook app that tells her when she will die. All her friends were posting their results, so she tried it as well. Little did she know that the creator of the app is an evil person who collects the access tokens of innocent people and uses those tokens to log into BMS.

So how on earth did BMS allow the evil man to log into Derpina’s account?

Because technically BMS only checked whether the token was a valid FB token and whether Derpina’s email was in its database. BMS didn’t check which app the access token had been issued to.

More technical details are well explained by Bhavuk Jain (@bhavukjain1) on his blog.

My finding started with an email from BookMyShow claiming that users’ accounts had been compromised because of data leaks on other platforms.

Whether their claim was true or not, I thought to myself: we are not living in 2005; there must be something more to this. So I got my tools ready and first tried SQL injection on the login endpoint. Nothing happened. Then I tried Login with Facebook and noticed that BMS was using the access_token for login. So I took an access token created by my own Facebook app with the email scope and used it instead of the access token generated by the BookMyShow app. Voila, it worked! I got logged into BookMyShow using an access token created by a third-party app.

Access Token of my Facebook app.
Logged into BMS using access token of my app

Login with Facebook was not the only vulnerable flow. Login with Google was misconfigured in the same way and didn’t check the creator of the id_token.
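The two checks the post describes, written out as an added example in Python (this is not BookMyShow’s code and is not taken from the post): the weak Facebook check (token is valid and the email exists) next to the corrected one that also compares the `app_id` reported by Facebook’s `/debug_token` endpoint against the site’s own app id, and the equivalent `aud` check on a Google id_token. All constants (`OUR_FB_APP_ID`, `OUR_GOOGLE_CLIENT_ID`, the `USERS` table) and the sample responses are constructed so the example runs offline; in production the Facebook response comes from the Graph API and the Google claims come out of a library that has already verified the token’s signature.

```python
import time

# Constructed values: the site's own Facebook app id and Google OAuth client id.
OUR_FB_APP_ID = "111111111111111"
OUR_GOOGLE_CLIENT_ID = "222222-example.apps.googleusercontent.com"

# Constructed user table: email -> account id.
USERS = {"derpina@example.com": "bms-user-42"}

# Constructed shape of a Facebook debug_token response. In production this is
# the JSON from GET https://graph.facebook.com/debug_token?input_token=<user
# token>&access_token=<app_id>|<app_secret>; "app_id" names the app the user
# token was issued to, "user_id" the Facebook user who granted it.
FB_DEBUG_OWN_APP = {"data": {"app_id": OUR_FB_APP_ID, "is_valid": True,
                             "user_id": "1001",
                             "scopes": ["email", "public_profile"]}}
FB_DEBUG_OTHER_APP = {"data": {"app_id": "999999999999999", "is_valid": True,
                               "user_id": "1001",
                               "scopes": ["email", "public_profile"]}}

# Constructed id_token claims, as returned by a library that has already
# checked the JWT signature against Google's published keys.
GOOGLE_CLAIMS_OWN = {"iss": "https://accounts.google.com",
                     "aud": OUR_GOOGLE_CLIENT_ID, "exp": 1_560_003_600,
                     "email": "derpina@example.com", "email_verified": True}
GOOGLE_CLAIMS_OTHER = dict(GOOGLE_CLAIMS_OWN,
                           aud="333333-attacker.apps.googleusercontent.com")


def weak_fb_login(debug_response, email):
    """The pattern the post describes: any valid FB token plus a known email."""
    data = debug_response["data"]
    if data.get("is_valid") and email in USERS:
        return USERS[email]
    return None


def strict_fb_login(debug_response, email):
    """Accept only tokens that Facebook issued to OUR app, with the scope we
    rely on. `email` must have been fetched from Graph (/me?fields=email) with
    this same token, never taken from the login request body."""
    data = debug_response["data"]
    if not data.get("is_valid"):
        return None
    if data.get("app_id") != OUR_FB_APP_ID:   # the check that was missing
        return None
    if "email" not in data.get("scopes", []):
        return None
    return USERS.get(email)


def strict_google_login(claims, now=None):
    """Claim checks for a Google id_token whose signature is already verified.
    `aud` is the client id the token was minted for; a token minted for
    another client id is rejected even though Google signed it."""
    now = time.time() if now is None else now
    if claims.get("iss") not in ("https://accounts.google.com",
                                 "accounts.google.com"):
        return None
    if claims.get("aud") != OUR_GOOGLE_CLIENT_ID:  # the equivalent check
        return None
    if claims.get("exp", 0) <= now:
        return None
    if not claims.get("email_verified"):
        return None
    return USERS.get(claims.get("email"))


if __name__ == "__main__":
    email = "derpina@example.com"
    print("weak, other app:  ", weak_fb_login(FB_DEBUG_OTHER_APP, email))
    print("strict, other app:", strict_fb_login(FB_DEBUG_OTHER_APP, email))
    print("strict, own app:  ", strict_fb_login(FB_DEBUG_OWN_APP, email))
    print("google, other aud:", strict_google_login(GOOGLE_CLAIMS_OTHER, now=1_560_000_000))
    print("google, own aud:  ", strict_google_login(GOOGLE_CLAIMS_OWN, now=1_560_000_000))
```

The difference between the two Facebook functions is a single comparison: Facebook vouches that the token is genuine, but only `app_id` (or `aud` for Google) tells the server that the token was obtained through its own login button rather than through some other app the user happened to authorise.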

Timeline:
13 Jun 2019 at 1:06 AM — Security update email from BookMyShow
13 Jun 2019 at 1:35 AM — Found the vulnerability
13 Jun 2019 at 4:23 AM — Reported with mitigation suggestions
26 Jun 2019 at 9:43 PM — Received email saying the bug has been fixed
28 Jun 2019 at 3:43 PM — Bounty **cough cough** rewarded

Totally unrelated: I am selling ₹2000 worth of BookMyShow GV. If interested, DM me on twitter: @madguyyy

Written by Sukhmeet Singh (https://twitter.com/MadGuyyy)
