Stealing Cookies to Login in any Account

Osama Avvan
Jun 16

Hi,

So this is my first write-up. It is about how I was able to get into other users' accounts by stealing their cookies. It was a private program on Bugcrowd; let's just say the program was named Redact.

I created my account on one of the program's domains, https://passport.redact.com. After that I opened another domain, https://redact.com.cn, and I was automatically logged in without creating an account there, because it used the https://passport.redact.com account to authenticate users: you could either create a local account or sign in with your https://passport.redact.com account. While playing in the browser console on https://redact.com.cn to find something interesting, I typed the program name, Redact, and got back RedactId, a JavaScript object holding user information such as the user ID and email. I then tried to find the JS file that created this object, and luckily I found it.

After reading that file's source code, a function caught my eye: it requested the logged-in user's cookie from the server and sent that cookie to a subdomain, https://reg.redact.com.cn, to obtain the user ID and email. The complete URL looked like this: https://reg.redact.com.cn/auth/setcookie?cookie=usercookie&domain=redact.com.cn

So I downloaded that file, modified the source code to log the user's cookie to the console instead of sending it to https://reg.redact.com.cn, uploaded the modified file to my server, and hoped it would log the cookies in the console.

It worked: the whole URL, cookie included, was logged in my server console. Now it was time to test whether I could log into my account using that cookie.

When I opened this URL in an incognito window, I got a response like this: sum=sum+1. To confirm whether I was logged into the account, I opened https://redact.com.cn, and yes, I was logged into my account.

So in order to log into other users' accounts, I would only have to send them the URL of the modified JS file on my server, and their cookies would be stored on my server.
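The root cause above is a cross-domain login endpoint that accepts the raw session cookie in a URL parameter, so whoever captures that URL can replay it. The following is an added example (not the program's code) of the same handoff done with a short-lived, single-use, HMAC-signed token bound to the target domain, shown beside the vulnerable pattern from the write-up; the secret key, in-memory nonce store, TTL and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
PENDING = set()                   # unredeemed nonces (demo store; use a shared one in production)
TOKEN_TTL = 60                    # seconds a handoff token stays valid

def vulnerable_setcookie(query):
    """Pattern from the write-up: /auth/setcookie?cookie=...&domain=... trusts a raw
    session cookie carried in the URL, so anyone holding the URL is logged in as that user."""
    return parse_qs(query).get("cookie", [None])[0]

def issue_handoff_token(user_id, target_domain):
    """Mint a short-lived, single-use token bound to the domain it may log into.
    The passport session cookie itself never leaves the passport server."""
    nonce = secrets.token_urlsafe(16)
    exp = int(time.time()) + TOKEN_TTL
    body = f"{user_id}|{target_domain}|{exp}|{nonce}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    PENDING.add(nonce)
    return f"{body}|{sig}"

def redeem_handoff_token(token, request_domain, now=None):
    """Return the user id if the token is authentic, bound to this domain,
    unexpired and unused; otherwise None."""
    now = now if now is not None else int(time.time())
    try:
        user_id, domain, exp, nonce, sig = token.split("|")
    except ValueError:
        return None
    body = f"{user_id}|{domain}|{exp}|{nonce}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # forged or tampered token
        return None
    if domain != request_domain or int(exp) < now:  # wrong site or stale token
        return None
    if nonce not in PENDING:  # already redeemed: a replayed (leaked) URL
        return None
    PENDING.discard(nonce)    # single use
    return user_id

def hardened_setcookie(query, request_domain, now=None):
    """Replacement for the endpoint: it accepts ?token=..., never a cookie value."""
    token = parse_qs(query).get("token", [None])[0]
    return redeem_handoff_token(token, request_domain, now) if token else None
```

The token still travels in a URL, so it can end up in history or Referer headers; the short TTL and single-use check are what make a captured URL worthless after the legitimate redemption, and the session cookie itself should additionally be HttpOnly so page scripts cannot read it.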

It was a weird bug, and it was hard to explain to the program how it was exploited, but the wait was worth it.

Thank You for Reading.

Osama Avvan

Written by Osama Avvan, Security Researcher, ❤️ To Code. Find me at: https://twitter.com/osamaavvan https://facebook.com/cyber.spidey