Account takeover using IDOR and the misleading case of error 403.

Plenum
Jun 11, 2019 · 3 min read

Hello and welcome again. Today I want to share with you the story of how I found a quite simple bug in under 45 minutes. This bug had been there for a long time and was missed by top hunters on a public program with 100+ resolved reports. This is why you should NEVER trust status codes.


It was late and I was not that motivated, so I went checking new programs and saw one that looked promising: it had simple functionality, nothing fancy, perfect for a light hunting session. The app looked pretty straightforward: users can interact with other accounts by posting comments and rating stuff.

Anyway, once I created an account I immediately went to check my profile to understand how the app works and answer pretty basic questions like:

  • Does the app fetch information from an API, and where is it located (a subdomain, a path on the root domain)?
  • What kind of authentication is in place and how does it work?
  • Is there any id that identifies the current user?
  • Is this id disclosed anywhere publicly?

I started to get an idea of the app and then refreshed the page, but this time I kept the proxy on and manually forwarded all the requests. This is where I noticed something interesting: in the app you can link your Facebook account, and the connect button was loaded separately inside an iframe. The request, however, is what caught my eye. It was a GET request that looked like this:

https://www.redacted.com/connect/facebook_login?id=[ID]&token=[TOKEN]

No signature, no hash :D

The response contained the Facebook redirect link with all the information necessary to start the OAuth flow, including the account id, so I immediately went and created a new account and started playing with the two accounts. The idea was that if I could control the iframe response, it might be possible to take over the account.

I grabbed the id from account A, then went to account B, modified the iframe request and forwarded it, then clicked the connect Facebook button on account B. All went as planned, but after the redirect from Facebook I got error 403. I refreshed the page on both accounts and the button still showed up. Then I had an idea: let's log out from account A and click connect with Facebook. Sure enough, I was inside account A with the Facebook of account B, so I took over the account without the user being notified; they didn't even know they had Facebook connected because the button kept showing up.

The id is not a secret; I could get it by simply visiting the victim's profile. To make matters worse, even if the victim already had their Facebook connected, you can overwrite it using this method.
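To make the root cause concrete, here is an added example (not the program's own code, which was never disclosed) that models the connect flow in Python: the vulnerable handler links whatever account id arrived in the iframe request and persists the link before the check that produces the 403, while the hardened version binds an HMAC-signed state to the logged-in session and writes nothing unless it verifies. Names such as `SERVER_KEY`, `vulnerable_callback` and `hardened_callback` are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example; a real app loads this from config.
SERVER_KEY = secrets.token_bytes(32)


def sign_state(user_id: str, nonce: str) -> str:
    """Bind the OAuth state to the account that started the connect flow."""
    mac = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{mac}"


def verify_state(state: str, session_user: str) -> bool:
    """Accept only an intact state that was minted for this session's user."""
    try:
        user_id, nonce, mac = state.split(":")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and user_id == session_user


# --- Vulnerable flow: the id from the request decides which account gets linked ---
def vulnerable_start(requested_id: str) -> dict:
    return {"state": requested_id}  # no signature, no hash, not tied to the session


def vulnerable_callback(links: dict, session_user: str, state: str, fb_identity: str) -> int:
    links[state] = fb_identity  # link persisted BEFORE any ownership check
    if state != session_user:
        return 403  # the error the attacker sees, but the write already happened
    return 200


# --- Hardened flow: state is signed and checked against the session before any write ---
def hardened_start(session_user: str) -> dict:
    return {"state": sign_state(session_user, secrets.token_hex(8))}


def hardened_callback(links: dict, session_user: str, state: str, fb_identity: str) -> int:
    if not verify_state(state, session_user):
        return 403  # nothing is written on failure
    links[session_user] = fb_identity  # link the session's own account only
    return 200
```

The vulnerable path returns 403 yet leaves the victim's account linked to the attacker's Facebook identity, which is exactly why a status code alone proves nothing; the hardened path's 403 is a real rejection because the callback keys on the verified session, not on a caller-supplied id.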

This is not the first time I have gotten an error and ended up finding that the attack worked; you should always double check.
