#BugBounty — How I was able to read chat of users in an Indian Online travel portal

Hi Guys,

While doing my usual bug hunting, I came across an interesting IDOR vulnerability that allowed me to read the complete chat history between users and the customer support team of an online travel company.

While browsing the company's website, I found an online chat feature that lets customers chat with the support team about their bookings, payments, refunds, etc. That is what tempted me to try extracting users' sensitive data :) . The first thing that came to mind was "how can I read other users' chats?", and so the hunt started. Triggering the online chat functionality fires the following HTTP request:

Chat Request

The response to the above request contained the conversation messages exchanged during the chat:

Chat Response

The values highlighted in yellow (in the chat request screenshot) were the ones I had to play with. Digging further, I realized that the first value, hari013903158, was the customer ID and the second value, FL-132756, was the chat ID, which on further analysis turned out to be incremental. Now I knew what to do :D .

But there was one hurdle: "how to find a valid customer ID", which in this case was a 13-character alphanumeric ID. I went back to the login page and the profile section to see if they could help, but nothing did. Then the "blog section" came to the rescue: a Traveller's Blog page where people share their travel stories. I opened one blog post (not for reading ;) ) published by a user, and it was as simple as this: I could see the user ID in the URL itself. Phew! Something to cheer about! I copied that user ID, substituted it into the "chat request", brute-forced the chat ID with Burp and... still got nothing. Maybe that user had never had an online chat with the support team. :/ The race was not over yet, so I opened 10–20 more blog posts and did the same; below is the request-response for one particular user ID. ☺

User’s Chat History

I was able to access the entire chat history of that user.
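As an added example that is not part of the original write-up, here is a small Python model of the flaw described above: a chat endpoint that trusts the client-supplied customer ID (the post's observation that a wrong customer ID returned nothing suggests the server only checked that the chat belonged to the customer ID sent in the request; that is an assumption here), beside a fixed version that checks ownership against the logged-in session, plus a helper that walks sequential chat IDs the way a Burp brute force would. The handler names, the attacker session, every customer or chat ID other than the two quoted in the post, and the messages are all constructed for illustration; the fix actually deployed by the company is not described in the post.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Chat:
    chat_id: str
    owner: str                      # customer id that opened the chat
    messages: list = field(default_factory=list)


# Constructed sample data (not real users). ID formats mimic the write-up:
# a 13-character alphanumeric customer id and a sequential "FL-<number>" chat id.
CHATS = {
    "FL-132756": Chat("FL-132756", "hari013903158", ["Status of my refund?", "Processed today."]),
    "FL-132757": Chat("FL-132757", "anit000112233", ["Can I change my date?", "Yes, which one?"]),
    "FL-132758": Chat("FL-132758", "hari013903158", ["Need booking PDF.", "Sent to your email."]),
}

CHAT_ID_RE = re.compile(r"^(?P<prefix>[A-Z]+)-(?P<num>\d+)$")


def chat_id_range(seed, count):
    """Return `count` chat ids starting at `seed`, assuming ids are sequential.

    An attacker who has seen one valid id can use this to feed a Burp-style
    brute force; a defender can use it to confirm that ids are guessable.
    """
    m = CHAT_ID_RE.match(seed)
    if m is None:
        raise ValueError(f"unexpected chat id format: {seed!r}")
    start, width = int(m["num"]), len(m["num"])
    return [f"{m['prefix']}-{start + i:0{width}d}" for i in range(count)]


def get_chat_vulnerable(session_customer, params):
    """Vulnerable handler (assumed to mirror the original endpoint).

    The customer id is read from the request parameters, so the only check is
    'does this chat belong to the customer id the client sent'. Who is actually
    logged in (session_customer) never enters the decision.
    """
    chat = CHATS.get(params["chatId"])
    if chat is None or chat.owner != params["customerId"]:
        return None
    return list(chat.messages)


def get_chat_fixed(session_customer, params):
    """Fixed handler: ownership is checked against the authenticated session.

    The client-supplied customerId is ignored entirely; the chat is returned
    only if it belongs to the caller. Returning None for both 'missing' and
    'not yours' avoids confirming which chat ids exist.
    """
    chat = CHATS.get(params["chatId"])
    if chat is None or chat.owner != session_customer:
        return None
    return list(chat.messages)


def enumerate_chats(handler, session_customer, victim_customer, seed, count):
    """Walk sequential chat ids as the attacker would and collect what leaks."""
    found = {}
    for cid in chat_id_range(seed, count):
        msgs = handler(session_customer, {"customerId": victim_customer, "chatId": cid})
        if msgs:
            found[cid] = msgs
    return found


if __name__ == "__main__":
    attacker, victim = "attk000000001", "hari013903158"   # constructed ids
    print("vulnerable:", enumerate_chats(get_chat_vulnerable, attacker, victim, "FL-132750", 10))
    print("fixed:     ", enumerate_chats(get_chat_fixed, attacker, victim, "FL-132750", 10))
```

Running the script walks FL-132750 onward with an attacker session: the vulnerable handler leaks every chat owned by the victim ID, while the fixed handler returns nothing, because the only identity it consults is the one bound to the session. The same structure applies to any "object belongs to user" check: derive the user from the session, never from the request body or URL.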

Report details -

09-Nov-2017 — Bug reported to the concerned company.

29-Nov-2017 — Bug marked as fixed.

30-Nov-2017 — Re-tested and confirmed the fix.

21-Dec-2017 — Rewarded and listed in the hall of fame.

This was all about this interesting finding. ☺

Thanks!

~Logicbomb (https://twitter.com/logicbomb_1)


Written by Avinash Jain (@logicbomb_1)

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
