Bypassing Access Control in a Program on HackerOne

Sahil Tikoo
Dec 30, 2018 · 3 min read
Image: WakaTime (public program on the HackerOne platform)

This post is about a vulnerability I found in WakaTime, a program on HackerOne. WakaTime is a platform for developers and runs an active bug bounty program on HackerOne.

I decided to write this post because I think the test case I used to find the vulnerability can help a lot of hunters.

First, I created two accounts on the platform using two different email addresses. The platform has a private leaderboard feature where you can see your ranking as a developer.

As an owner, you can have multiple members in your leaderboard as well. One thing that popped into my mind was to check the access control for members: can a member control the owner?


I created a private leaderboard named test1 in my first account, sent an invitation to my second account, accepted the invitation to join as a member, and finally visited the members section of the leaderboard from the owner account. At this point: Anonymous (pig.wig45…) → Owner, tikoo (sahil9619…) → Member.

Image: Private leaderboard before swapping

Using the owner privileges of the Anonymous account (email id pig.wig45…), I swapped the roles of tikoo (email id sahil9619…) and Anonymous. The important detail is that I made the change in a new tab: as you can see in the image, I had two test1 leaderboard tabs open in the browser, and the first tab still showed the old roles.

Have a look at the below image:

Image: Private leaderboard after swapping

Once the swap was done: Anonymous → Member, tikoo → Owner.

Now I had two private leaderboard pages open: in one, Anonymous was still shown as owner, and in the other, tikoo was the owner. In the first tab (the first POC image, where Anonymous, pig.wig45@…, was still shown as owner) I tried to change the name of the user tikoo (sahil9619…) to "testing". I got a Forbidden error, which made sense, because after the swap (second POC image) Anonymous no longer had owner privileges.

Forbidden error:

Image: Forbidden error on trying to change the name of the new owner

But the Forbidden error was misleading. Look what happened when I tried to change the name again right after the Forbidden message popped up:

Image: Name of owner changed

As you can clearly see, even though I got a Forbidden error on the first attempt, on the second attempt I was able to change the name of the owner of a private leaderboard using only member privileges. The lesson for testers: a 403 on the first request after a role change is not proof that the check holds. Keep the stale tab open, repeat the action, and confirm that the server rejects it every time, because authorization has to be evaluated against the account's current role on every request, not just the first one after a change.
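The post does not show WakaTime's implementation or explain why the second attempt went through, so the following is an added example rather than the project's code: a minimal in-memory model of a private leaderboard with owner/member roles whose authorization is re-evaluated on every call, plus a replay of the exact sequence from the post (create board, invite member, swap roles from a second tab, then repeatedly try to rename the new owner from the demoted account). All class, function and account names, and the email addresses, are hypothetical.

```python
"""
Added example, not WakaTime's code. Models a private leaderboard with
owner/member roles and replays the test sequence from the post. Every
name here is hypothetical; the two accounts are constructed test data.
"""
from dataclasses import dataclass, field

OWNER, MEMBER = "owner", "member"


class Forbidden(Exception):
    """Raised when the acting account lacks the required role right now."""


@dataclass
class Leaderboard:
    name: str
    roles: dict = field(default_factory=dict)          # email -> role
    display_names: dict = field(default_factory=dict)  # email -> shown name


class LeaderboardService:
    """Authorization is checked against the current role table on every call,
    never against a role captured earlier (e.g. when a page was rendered)."""

    def __init__(self):
        self._boards = {}

    def create(self, name, owner_email, owner_name):
        board = Leaderboard(name)
        board.roles[owner_email] = OWNER
        board.display_names[owner_email] = owner_name
        self._boards[name] = board
        return board

    def add_member(self, board_name, actor, member_email, member_name):
        board = self._require_role(board_name, actor, OWNER)
        board.roles[member_email] = MEMBER
        board.display_names[member_email] = member_name

    def swap_owner(self, board_name, actor, new_owner):
        """The owner hands ownership to a member and becomes a member."""
        board = self._require_role(board_name, actor, OWNER)
        if board.roles.get(new_owner) != MEMBER:
            raise ValueError("new owner must currently be a member")
        board.roles[new_owner] = OWNER
        board.roles[actor] = MEMBER

    def rename_member(self, board_name, actor, target, new_name):
        """Only the *current* owner may rename others; anyone may rename themselves."""
        board = self._boards[board_name]
        if target not in board.roles:
            raise KeyError(f"{target} is not on {board_name}")
        if actor != target:
            self._require_role(board_name, actor, OWNER)
        board.display_names[target] = new_name

    def _require_role(self, board_name, actor, role):
        board = self._boards[board_name]
        if board.roles.get(actor) != role:
            raise Forbidden(f"{actor} is not {role} of {board_name}")
        return board

    def role_of(self, board_name, email):
        return self._boards[board_name].roles.get(email)

    def name_of(self, board_name, email):
        return self._boards[board_name].display_names.get(email)


def replay_post_sequence(attempts=3):
    """Replays the post's steps and returns (outcome of each rename attempt
    from the demoted account, the owner's display name afterwards).
    Correct behaviour: every attempt is denied and the name is unchanged."""
    svc = LeaderboardService()
    anon, tikoo = "anonymous@example.test", "tikoo@example.test"  # constructed
    svc.create("test1", anon, "Anonymous")
    svc.add_member("test1", anon, tikoo, "tikoo")
    # Tab 1 still renders anon as owner; the swap is performed from tab 2.
    svc.swap_owner("test1", anon, new_owner=tikoo)
    results = []
    for _ in range(attempts):  # the stale tab retries, as in the post
        try:
            svc.rename_member("test1", actor=anon, target=tikoo, new_name="testing")
            results.append("allowed")
        except Forbidden:
            results.append("forbidden")
    return results, svc.name_of("test1", tikoo)
```

The replay is the regression test a team would want after a report like this one: it does not assume any particular root cause for the first-denied-then-allowed behaviour, it only asserts that the denial is stable across repeated attempts after the role change.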

If you have any doubts, just ping me on Twitter.


Till next time → Happy Hacking :-)
