#BugBounty — How I was able to read chat of users in an Indian Online travel portal
While doing my usual bug hunting, I came across an interesting IDOR vulnerability that let me read users' complete chat conversations with the customer support team of an online travel company.
While browsing through the company's website, I found an online chat feature that allows customers to chat with the support team about their bookings, payments, refunds etc., and that tempted me to try extracting users' sensitive data :) . The first thing that hit my mind was "how can I read other users' chat", and so I started the hunt. Triggering the online chat functionality fires the following HTTP request —
and the response to the above request contained the messages exchanged during the chat —
The values marked in yellow (in the chat request pic) were the ones I had to play with. While digging further, I realized that the first value, i.e. hari013903158, was the customer id and the second value, FL-132756, was the chat id, which on further analysis turned out to be incremental. Now I knew what to do :D .
But there was one hurdle: "How to find a valid customer id", which in this case was a 13-character alphanumeric id. I went back to the login page and the profile section to see if they could help, but nothing was helping me out. Then the "blog section" came to the rescue — the Traveller's blog page where people share their travel stories. I opened one blog to read (not for reading ;) ) which was published by one user, and it was as simple as this: I could see the user id in the URL itself. Phew! Something to cheer about! Now I copied that user id, replaced it in the "chat request", brute-forced the chat id using Burp and…. still I was not able to get anything. Maybe that user never had an online chat with the support team. :/ . The race was still not over, so I opened 10–20 more blogs, did the same, and below is the request-response for one particular user id. ☺
I was able to access the entire chat history of that user.
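To make the root cause concrete, here is an added example (not code from the original post or from the affected company) modelling the chat endpoint described above: the vulnerable handler trusts the customer id and chat id supplied in the request, while the fixed handler derives the owner from the authenticated session and treats a mismatch like a missing chat. The customer ids, chat ids and messages are constructed sample data.

```python
# Added example, not the portal's real code. Models the IDOR from the post:
# a chat lookup keyed by (customer id, chat id) with no ownership check.
from dataclasses import dataclass, field

@dataclass
class Chat:
    chat_id: str
    owner_id: str            # customer id the conversation belongs to
    messages: list = field(default_factory=list)

# Constructed in-memory store; ids below are illustrative only.
CHATS = {
    "FL-000001": Chat("FL-000001", "cust000000001", ["Refund status?", "Processed."]),
    "FL-000002": Chat("FL-000002", "cust000000002", ["Change booking?", "Done."]),
}

class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested chat."""

def get_chat_vulnerable(session_user_id: str, customer_id: str, chat_id: str) -> list:
    """Vulnerable: the authenticated user is never consulted. Any caller who
    knows (or guesses) a customer id and a sequential chat id gets the history."""
    del session_user_id  # present in the request context but ignored (the bug)
    chat = CHATS.get(chat_id)
    if chat is None or chat.owner_id != customer_id:
        raise KeyError(chat_id)
    return chat.messages

def get_chat_fixed(session_user_id: str, chat_id: str) -> list:
    """Fixed: ownership is taken from the session, not from the request body,
    and a foreign chat id gets the same error as an unknown one so the
    endpoint does not confirm which chat ids exist."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.owner_id != session_user_id:
        raise Forbidden(chat_id)
    return chat.messages
```

A server-side check like `get_chat_fixed` is the actual fix; replacing incremental chat ids with random ones only slows enumeration and is defence in depth, not a substitute.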
Report details -
09-Nov-2017 — Bug reported to the concerned company.
29-Nov-2017 — Bug was marked fixed.
30-Nov-2017 — Re-tested and confirmed the fix.
21-Dec-2017 — Awarded with reward and hall of fame.
This was all about this interesting finding. ☺