Bypassing Access Control in a Program on Hackerone!!
This blog post is about a vulnerability I found in a program on Hackerone, i.e. Wakatime. It is a platform for developers and has an active bug bounty program on Hackerone.
I decided to write a blog post about this bug because I think the test case I used to find the vulnerability can help a lot of hunters.
So, first I started by creating two accounts on their platform using two different email IDs. On their platform they have a private Leaderboard feature where you can see your rankings as a developer.
So, basically, as an owner you can also have multiple members under your team. One thing that popped into my mind was: let's check the access control of a member. Let's try to find out whether a member can control the owner or not.
When I created a private leaderboard named test1 in my firstname.lastname@example.org account, in the next step I sent an invitation to email@example.com. I accepted the request to join as a member, and finally I visited the members section of the leaderboard through my firstname.lastname@example.org account (owner account).
email@example.com → Owner
firstname.lastname@example.org → Member
Using my owner account privileges for the Anonymous user (referring to email ID pig.wig45…), I swapped the roles of tikoo (referring to email ID sahil9619….) and Anonymous. The important thing to mention here is that I made the changes in a new tab (as you can see in the image, I have two test1 leaderboard tabs open in the browser).
Have a look at the image below:
Once I had successfully done that:
email@example.com → Member
firstname.lastname@example.org → Owner
Now I had two private leaderboard pages open, in which a user who was owner on one page was a member on the other, and vice versa. In the first POC image, where Anonymous (pig.wig45@…) was owner, I tried to change the name of user tikoo (sahil9619…) to "testing" and got a Forbidden error, because in the second POC image Anonymous no longer had owner privileges (look at the second image).
But this was all a big hoax :-) Look what happened when I tried to change the name again after the forbidden message popped up:
As you can clearly see, even though I got a forbidden error, I was still able to manipulate the name of the owner of a private leaderboard using a member's privileges.
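The behaviour above (a Forbidden response, yet the rename persisted) is what you get when a handler performs the write before, or independently of, the authorization decision, so the status code no longer reflects whether the state changed. The post does not show Wakatime's server code, so the following is an added, hypothetical Python model of that bug class next to the hardened form; the user IDs, role names and `Leaderboard` structure are constructed for the example and are not Wakatime's. It replays the stale-tab sequence from the post and includes the check a defender would keep in a regression suite: a 403 must leave the protected record untouched.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Leaderboard:
    """Constructed model of a private leaderboard (hypothetical, not Wakatime's)."""
    roles: Dict[str, str] = field(default_factory=dict)   # user -> "owner" | "member"
    names: Dict[str, str] = field(default_factory=dict)   # user -> display name


def swap_roles(board: Leaderboard, a: str, b: str) -> None:
    """Exchange the roles of two users, as the owner did from the second tab."""
    board.roles[a], board.roles[b] = board.roles[b], board.roles[a]


def rename_member_vulnerable(board: Leaderboard, actor: str, target: str, new_name: str) -> int:
    """Bug pattern consistent with the post: the rename is written first and the
    authorization check only decides the HTTP status afterwards, so the caller
    receives 403 although the change has already been committed."""
    board.names[target] = new_name            # side effect happens unconditionally
    if board.roles.get(actor) != "owner":
        return 403                            # status says "denied", state says otherwise
    return 200


def rename_member_fixed(board: Leaderboard, actor: str, target: str, new_name: str) -> int:
    """Hardened form: authorize against the user's *current* role, before any write."""
    if board.roles.get(actor) != "owner":
        return 403                            # nothing has been modified
    board.names[target] = new_name
    return 200


def run_stale_tab_scenario(handler: Callable[..., int]) -> Tuple[int, str, str]:
    """Replay the post's sequence with constructed users.

    userA starts as owner and userB as member; the roles are swapped (the second
    tab); then userA, whose first tab still shows owner controls, submits a rename.
    Returns (status, target name before, target name after)."""
    board = Leaderboard(
        roles={"userA": "owner", "userB": "member"},
        names={"userA": "Anonymous", "userB": "tikoo"},
    )
    swap_roles(board, "userA", "userB")       # userA is now only a member
    before = board.names["userB"]
    status = handler(board, actor="userA", target="userB", new_name="testing")
    return status, before, board.names["userB"]


def forbidden_but_changed(status: int, before_name: str, after_name: str) -> bool:
    """Regression oracle: a 403 response must never coincide with a state change."""
    return status == 403 and before_name != after_name


if __name__ == "__main__":
    for label, handler in (("vulnerable", rename_member_vulnerable),
                           ("fixed", rename_member_fixed)):
        status, before, after = run_stale_tab_scenario(handler)
        print(f"{label:10s} status={status} name before={before!r} after={after!r} "
              f"inconsistent={forbidden_but_changed(status, before, after)}")
```

The oracle is deliberately independent of the handler: it only compares the response status with the record before and after the request, which is exactly how the post's author noticed the bug from the outside, and it is the assertion worth adding to an integration test for every endpoint that can return 403.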
If you have any doubts, just ping me on Twitter.
Till next time → Happy Hacking :-)