Stealing Cookies to Log In to Any Account

Osama Avvan
Jun 16, 2019 · 3 min read

Hi,

So this is my first write-up. It is about how I was able to get into other users' accounts by stealing their cookies. It was a private program on Bugcrowd; let's just say the program was named Redact.

I created my account on one of the program's domains, https://passport.redact.com. After that I opened another domain, https://redact.com.cn, and was automatically logged in without creating an account there: that domain uses the https://passport.redact.com account to authenticate users, so you either create a separate account or sign in with your https://passport.redact.com account. While playing around in the browser console at https://redact.com.cn looking for something interesting, I typed the program name, Redact, and got a RedactId object, a JavaScript object holding user information such as the user ID and email. I then tried to find the JS file that created this object, and luckily I found it.

After reading that file's source code, one function caught my eye: it requested the logged-in user's cookie from the server and sent that cookie to a subdomain, https://reg.redact.com.cn, to get the user ID and email. The complete URL looked like this: https://reg.redact.com.cn/auth/setcookie?cookie=usercookie&domain=redact.com.cn


So I downloaded that file, modified the source code to log the user's cookie to the console instead of sending it to https://reg.redact.com.cn, and uploaded the modified file to my server, hoping it would log the cookie to the console.


It worked: the whole URL, cookie included, was logged to my server's console. Now it was time to test whether I could log in to my account using that cookie.


When I opened this URL in an incognito window I got a response like sum=sum+1. To confirm that I was logged in to the account, I opened https://redact.com.cn, and yes, I was logged in to my account.

So to log in to other users' accounts I just have to send them the URL of the modified JS file on my server, and their cookies will be stored on my server.

It was a weird bug, and it was hard to explain to the program how it was exploited, but the wait was worth it.


Thank You for Reading.
