- First of all, let’s understand the website
- The site was a platform and each user has a profile
- The website used a userId value for any change or any action on the site
- I started trying to understand the website, and I discovered that the userId is responsible for everything
- I saw that if you want to change your profile or update your account information, the site uses the userId value
- So this means that the site does not check the cookie or the JWT token; it checks the value of the userId
After I knew that it depends only on the userId, I said, “I want to know this value: how is it generated, or where does it come from?”
- I created a second account to see if the userId value is similar or not, but unfortunately it turned out to be completely different
- I tried to check the JS files to see if there is a specific algorithm that creates the userId value, but unfortunately I didn’t get anything
- The next day I continued checking the site and forgot about the userId idea
- While checking the site, I was inside one of the profiles and opened the source code
- CTRL+F -> userId
- I was shocked when I saw the userId value in the source code
- So I went to the profile, this time with the second account, and took its userId value
- I sent an update-email request for my first account and changed the userId value to my second account’s
- So I was able to change the account email, and thus I could take over any account on the platform without any interaction from the user!
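As an added illustration that is not part of the original post: a minimal model of the bug described above, with the vulnerable update-email handler (authorises on the client-supplied userId) next to a fixed one that derives the user from the session and refuses a mismatching userId. All user ids, session tokens and handler names are constructed for the example.

```python
# Added example (not the original site's code). Models an update-email
# endpoint that trusts a client-supplied userId (IDOR / account takeover)
# and the corrected version that authorises on the session owner instead.
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    email: str


def sample_state():
    """Constructed data: two accounts and one logged-in session for each."""
    users = {
        "u-7f3a": User("u-7f3a", "first@example.com"),
        "u-c21d": User("u-c21d", "second@example.com"),
    }
    sessions = {"sess-A": "u-7f3a", "sess-B": "u-c21d"}  # token -> owner id
    return users, sessions


def update_email_vulnerable(users, sessions, session_token, body):
    """Authenticated, but authorises on body['userId'] (the bug in the post)."""
    if session_token not in sessions:
        return 401, "not logged in"
    target = users.get(body.get("userId"))
    if target is None:
        return 404, "no such user"
    target.email = body["email"]  # never checks that the session owns this id
    return 200, "updated"


def update_email_fixed(users, sessions, session_token, body):
    """Authorises on the session owner; a userId in the body must match it."""
    owner_id = sessions.get(session_token)
    if owner_id is None:
        return 401, "not logged in"
    if "userId" in body and body["userId"] != owner_id:
        # Worth logging: a mismatch here is exactly the IDOR attempt to detect.
        return 403, "userId does not match session owner"
    users[owner_id].email = body["email"]
    return 200, "updated"


if __name__ == "__main__":
    users, sessions = sample_state()
    # Session A tries to change account B's email via the vulnerable handler.
    print(update_email_vulnerable(users, sessions, "sess-A",
                                  {"userId": "u-c21d", "email": "x@example.com"}))
    print(update_email_fixed(users, sessions, "sess-A",
                             {"userId": "u-c21d", "email": "x@example.com"}))
```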
— — — — — — — — — — — — — -
Takeaways:
- Always check the source code
- Understand how the website works
Thank you for reading.
Welcome to my Twitter:
https://twitter.com/@omarzzu