Hello and welcome again, today i want to share with you the story of how i found a quite simple bug in under 45 minutes this bug was there for a long time and was missed by top hunters on a public program with 100+ resolved reports. This is why you should NEVER trust status codes.
It was late and i was not that motivated so i went checking new programs and saw this one program that looked promessing it had simple functionalities nothing fancy, perfect for a light hunting session. The app looked pretty straightforward users can interact with other accounts posting comments and rating stuff.
Anyways once i created an account i immediatly went to check my profile to understand how the app works and answer pretty basic questions like:
- Does the app fetch information from an api and where is it located (a subdomain, a path on root domain)?
- What kind of authentication is in place and how does it work?
- Is there any id to identify current user?
- Is this id being disclosed anywhere publicly?
Started to get an idea of the app and then refeshed the page but this time i kept the proxy on and manually forwarded all the requests and this is where i noticed something interesting, in the app you can link your facebook account, the connect button was loaded seperatly inside an iframe the request however is what cought my eye it was a get request that looked like this
No signature no hash :D
The response contained the facebook redirect link all with the necessary information to start the oauth flow including the account id so i immediatly went and created a new account and started playing with the two accounts the idea was if i can control the iframe response it maybe possible to takeover the account.
Grabbed the id from account A then went to account B modified the iframe request and forwarded the request then cliqued on connect facebook button on account B all went as planned but after the redirect from facebook i got error 403 refreshed the page on both accounts and the button still showed up but then i had an idea lets logout from account A and click connect with facebook and sure enough i was inside account A with the facebook of account B so i took over the account without the user being notified he didn’t even know he had facebook connected because the button kept showing up.
The id is not a secret i could get it by simply visiting victim’s profile, to make matters worse even if the victim had their facebook connected you can overwrite it using this method.
This is not the first time i get an error and end up finding that the attack worked you should always double check.