Continuing on my work in Yahoo’s bug bounty program, another app i tested was: Luminate Developer app. In this application, I can create apps that website admins can install to their store from Luminate app store. App makers can also use this app to see the statics of their apps: who installed it (emails and website of the admins).
When I started testing, I noticed that to retrieve the statics of the app, a certain JSON request was made. It was a GET request that would request the statistics based on the app token. This was the url that would retrieve the JSON file:
First, I created two different accounts (account A and account B) and created two apps (app 1 and app 2) to test out the IDOR. At first, when putting app token, from another account no error was thrown. After that, I decided to use my second account (account B) and installed that app (account 2) to a test commercial center account. Once the installation was done, we could test the IDOR and when we browsed to the link with account A, it successfully showed the installed statistics (cannot post pic here for privacy reasons).
Next issue was to get the app token. For my test run, I already had the app token. How would an attacker get an app token of a well known app in Luminate?
To test this, I went to Luminate’s commercial central and installed an app. During installation, it was noted that when I browsed the installation page, it would use the following request:
GET /admin/apps/live/settings/[appname]?store_url=[store_url]&pid=YS.×tamp=1502936968&proxy_app=1&token=[token]&app_token=[app_token]&email=[user_email]&p=YS&id=[id]&signature=asdasd84949823asfasd HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept-Encoding: gzip, deflate, br
So now, we could grab the `app_token` from the url, and paste that to the JSON request. This would give list of all users who installed that app in their page.
Shoutout to Yahoo once again. :) I am looking forward to finding more bugs on their platform again.
uranium238 / Rojan Rijal
Originally published at medium.com on August 30, 2017 from my alternate account. Added here to make a collection of all my blogs.