Developer Luminate IDOR

Aug 30, 2017 · 2 min read

Continuing on my work in Yahoo’s bug bounty program, another app I tested was the Luminate Developer app. In this application, I can create apps that website admins can install to their store from the Luminate app store. App makers can also use this app to see the statistics of their apps: who installed it (emails and websites of the admins).

When I started testing, I noticed that to retrieve the statistics of the app, a certain JSON request was made. It was a GET request that would request the statistics based on the app token. This was the URL that would retrieve the JSON file: [apptoken]/installs.json?random=true&start=0&limit=8&_=1502762696055

First, I created two different accounts (account A and account B) and created two apps (app 1 and app 2) to test out the IDOR. At first, when putting in the app token from another account, no error was thrown. After that, I decided to use my second account (account B) and installed that app (account 2) to a test commercial center account. Once the installation was done, we could test the IDOR, and when we browsed to the link with account A, it successfully showed the install statistics (cannot post a pic here for privacy reasons).

The next issue was to get the app token. For my test run, I already had the app token. How would an attacker get the app token of a well-known app in Luminate?

To test this, I went to Luminate’s commercial central and installed an app. During installation, it was noted that when I browsed the installation page, it would use the following request:

GET /admin/apps/live/settings/[appname]?store_url=[store_url]&pid=YS.&timestamp=1502936968&proxy_app=1&token=[token]&app_token=[app_token]&email=[user_email]&p=YS&id=[id]&signature=asdasd84949823asfasd HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: [redacted_cookies]
Connection: close
Upgrade-Insecure-Requests: 1

So now, we could grab the `app_token` from the URL and paste that into the JSON request. This would give a list of all users who installed that app on their page.
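To show why the `installs.json` endpoint leaked, here is an added illustration (not Luminate's code, which is not public) of an installs handler keyed on `app_token` alone beside one that also checks that the caller owns the app. The `App`/`Install` records, the tokens and the account ids are all constructed for the example.

```python
# Added illustration of the IDOR pattern described in the post.
# All names, tokens and records below are constructed; Luminate's real
# implementation is not reproduced here.
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class App:
    token: str      # app_token: the public identifier that appears in store URLs
    owner_id: str   # developer account that created the app

@dataclass(frozen=True)
class Install:
    app_token: str
    admin_email: str
    store_url: str

# Constructed sample data: account A owns app 1, account B owns app 2,
# and a test store has installed app 2.
APPS = {
    "tok-app1": App("tok-app1", "account-A"),
    "tok-app2": App("tok-app2", "account-B"),
}
INSTALLS = [
    Install("tok-app2", "admin@example-store.test", "https://example-store.test"),
]

class Forbidden(Exception):
    """Raised when the caller does not own the requested app."""

def installs_vulnerable(caller_id, app_token, start=0, limit=8):
    """Keyed on app_token only: anyone who knows the token (e.g. from a store
    installation URL) gets the installer list, whoever caller_id is."""
    rows = [i for i in INSTALLS if i.app_token == app_token]
    return [asdict(i) for i in rows[start:start + limit]]

def installs_fixed(caller_id, app_token, start=0, limit=8):
    """Ownership check: app_token must resolve to an app owned by caller_id."""
    app = APPS.get(app_token)
    # Same error for unknown and foreign tokens, so the endpoint cannot be
    # used to probe which tokens exist.
    if app is None or app.owner_id != caller_id:
        raise Forbidden("app not found or not owned by caller")
    rows = [i for i in INSTALLS if i.app_token == app_token]
    return [asdict(i) for i in rows[start:start + limit]]
```

With the fixed handler, account A requesting `tok-app2` gets a refusal instead of account B's installer emails; the paging parameters behave the same for the legitimate owner.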

Shoutout to Yahoo once again. :) I am looking forward to finding more bugs on their platform again.
