Vine User’s Private information disclosure

Hello readers,

This is Prial Islam, a security researcher from Bangladesh. This is an old finding of mine that I am adding to my blog.

Today I will write about a critical IDOR (Insecure Direct Object Reference) vulnerability leading to information disclosure, which allowed me to obtain any Vine user's sensitive information, including IP address, phone number and email.

I reported this bug to the Twitter security team through their bug bounty program on HackerOne, and they rewarded me with $7,560 for this report.

$$$$ + Blog post permission 😾 😇

Vine issued a statement about this vulnerability on the Vine blog (post here), and HackerOne also mentioned it in their Zero Daily newsletter.

  • Vulnerable endpoint: <User Id>

While testing Vine's domains for anything interesting, I noticed an endpoint whose response contained all of my account's information. I assumed this was normal, since many sites have an endpoint of this kind that returns the logged-in user's details, so I tried to exploit it through CORS in case the policy was misconfigured. A proper CORS policy was in place. I then changed the user-id value in the URL to a random number and was shocked to see another user's information in front of me. By changing the user-id value I was able to retrieve any Vine user's complete record.

Reproduce:

  • Choose any user whose information you want and collect their user ID.
  • Place that user ID in the endpoint below and visit it while logged in to your own account. The full record is returned in the response body. <User Id>

Response:

{
  "code": "",
  "data": {
    "followerCount": 16271364,
    "includePromoted": 1,
    "captchaSucceeded": 0,
    "recordComment": null,
    "locale": "iUS",
    "shareUrl": "████████",
    "hiddenPhoneNumber": 0,
    "notPorn": 0,
    "userId": █████████,
    "private": 0,
    "likeCount": null,
    "commentCount": null,
    "platforms": ["android", "ios"],
    "postCount": null,
    "profileBackground": "0x33ccbf",
    "suspended": null,
    "hiddenFacebook": 0,
    "verifiedEmail": 0,
    "explicitContent": 0,
    "dmcaStrikeCount": 0,
    "flaggedCount": 7579,
    "verified": 1,
    "loopCount": 6132344784,
    "avatarUrl": "████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr",
    "authoredPostCount": 598,
    "review_result_illegal_review": 0,
    "review_result_ok": 0,
    "review": null,
    "suspendedBy": null,
    "twitterId": ████████,
    "phoneNumber": "██████████",
    "location": "Los Angeles California",
    "notifyActivity": 1,
    "facebookConnected": 1,
    "explicitContentAdmin": 0,
    "statsTags": null,
    "hiddenEmail": 0,
    "unflaggable": 0,
    "username": "████████",
    "modified": "2017-01-29T01:24:00.000000",
    "userIdStr": "████████",
    "twitterIdStr": "████████",
    "vanityUrls": ["kingbach"],
    "remixDisabled": 0,
    "deleted": null,
    "categories": null,
    "released": 0,
    "loopVelocity": null,
    "strikeCounts": [
      {"count": 0, "strikeType": "SEVERE_POLICY_VIOLATION"},
      {"count": 0, "strikeType": "DMCA"},
      {"count": 0, "strikeType": "SENSITIVE"},
      {"count": 0, "strikeType": "POSSIBLY_ILLEGAL"},
      {"count": 0, "strikeType": "GRAPHIC_NON_VIOLATING"},
      {"count": 0, "strikeType": "ESC"}
    ],
    "uploadHD": 1,
    "verifiedPhoneNumber": 1,
    "hiddenTwitter": 0,
    "vineVerified": 1,
    "notifyMessages": 1,
    "needsPhoneVerification": 0,
    "repostCount": null,
    "twitterScreenname": "██████",
    "secondaryColor": "0x33ccbf",
    "twitterVerified": 1,
    "captchaRequired": 0,
    "edition": null,
    "acceptsOutOfNetworkConversations": 1,
    "disableAddressBook": 1,
    "description": "Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library",
    "escStrikeCount": 0,
    "review_result_explicit": 0,
    "notificationsLastViewed": "2016-04-26T21:03:35.000000",
    "email": "████████",
    "hideFromPopular": 0,
    "admin": 0,
    "contentReview": 0,
    "created": "2013-04-13T19:30:31.000000",
    "review_result_illegal_confirmed": 0,
    "followingCount": null,
    "lastLogin": "2016-12-13T23:29:40.000000",
    "escUser": 0,
    "ipAddress": "██████",
    "twitterConnected": 1
  },
  "success": true,
  "error": ""
}

Take a closer look at the response and you will find a lot of private information about the user [the identifying values were redacted by Twitter security, as they belong to another user]. Some of them are:

  "platforms": ["android", "ios"]
  "flaggedCount": 7579
  "twitterId": "█████████"
  "phoneNumber": "█████"
  "location": "Los Angeles California"
  "modified": "2017-01-29T01:24:00.000000"
  "notificationsLastViewed": "2016-04-26T21:03:35.000000"
  "email": "█████████"
  "created": "2013-04-13T19:30:31.000000"
  "lastLogin": "2016-12-13T23:29:40.000000"
  "ipAddress": "█████"

Here even the IP address, email and phone number are disclosed. The endpoint authenticated the session but never checked that the requested user ID belonged to that session, and it serialized the internal user record wholesale, so moderation state (flaggedCount, strikeCounts, the review_* flags) came back along with the contact details. An attacker can use this information for targeted attacks on any Vine user, and because the IDs are plain numbers, can iterate over them and dump the entire user base.
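The reproduction steps and the fix, as an added example that is not Vine's code and not from the original post: a toy model of the endpoint with the bug (authenticated, but no check that the requested ID belongs to the caller, and the whole internal record returned) beside a hardened version that binds the response to the session identity and serializes through an explicit allowlist. The `USERS` records, `SESSIONS` tokens, field allowlists and the `idor_probe` check are all constructed here for illustration; only the field names mirror the redacted response above.

```python
"""Added example (not Vine's code): a toy model of the IDOR described above.

The user records and session tokens are constructed for illustration; the
field names mirror the redacted response in the post, the values are made up.
"""

# Fields that must never reach a client other than (at most) the account owner.
SENSITIVE_FIELDS = frozenset(
    {"email", "phoneNumber", "ipAddress", "twitterId", "location", "lastLogin"}
)

# What a profile endpoint may expose to any authenticated caller.
PUBLIC_FIELDS = ("userId", "username", "description", "followerCount", "verified", "avatarUrl")

# What the account owner may additionally see about themselves. ipAddress,
# flaggedCount and the review_* moderation state are deliberately absent: that
# is server-side data and has no business in an API response at all.
OWNER_FIELDS = PUBLIC_FIELDS + (
    "email", "phoneNumber", "verifiedEmail", "verifiedPhoneNumber", "notifyMessages",
)

# Constructed sample records, shaped like the internal user object the real
# endpoint serialized wholesale.
USERS = {
    1001: {
        "userId": 1001, "username": "alice", "description": "sample account",
        "followerCount": 12, "verified": 0, "avatarUrl": "https://example.invalid/a.jpg",
        "email": "alice@example.com", "phoneNumber": "+15550100001", "verifiedEmail": 1,
        "verifiedPhoneNumber": 1, "notifyMessages": 1, "twitterId": 111,
        "location": "Dhaka", "lastLogin": "2016-12-13T23:29:40.000000",
        "ipAddress": "198.51.100.7", "flaggedCount": 0, "review_result_ok": 0,
    },
    1002: {
        "userId": 1002, "username": "bob", "description": "sample account",
        "followerCount": 16271364, "verified": 1, "avatarUrl": "https://example.invalid/b.jpg",
        "email": "bob@example.com", "phoneNumber": "+15550100002", "verifiedEmail": 0,
        "verifiedPhoneNumber": 1, "notifyMessages": 1, "twitterId": 222,
        "location": "Los Angeles California", "lastLogin": "2016-12-13T23:29:40.000000",
        "ipAddress": "203.0.113.9", "flaggedCount": 7579, "review_result_ok": 0,
    },
}

# Session token -> authenticated user id (constructed).
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def profile_vulnerable(token, user_id):
    """The bug as described: the session is authenticated, but the requested
    user_id is never compared with it, and the whole internal record is returned."""
    if token not in SESSIONS:
        return 401, None
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    return 200, dict(record)


def profile_hardened(token, user_id):
    """Fix: bind the response to the caller's identity and serialize through an
    explicit allowlist, so a new internal column can never leak by default."""
    requester = SESSIONS.get(token)
    if requester is None:
        return 401, None
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    allowed = OWNER_FIELDS if requester == user_id else PUBLIC_FIELDS
    return 200, {k: record[k] for k in allowed if k in record}


def idor_probe(handler, attacker_token, victim_id):
    """The reproduction steps from the post as a check: request someone else's
    profile with our own session and return the sensitive field names that came back."""
    status, body = handler(attacker_token, victim_id)
    if status != 200 or body is None:
        return set()
    return set(body) & SENSITIVE_FIELDS


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(idor_probe(profile_vulnerable, "tok-alice", 1002)))
    print("hardened leaks:  ", sorted(idor_probe(profile_hardened, "tok-alice", 1002)))
```

The probe is the same two-account test a tester should run against any "current user" style endpoint: log in as account A, request account B's object ID, and diff the fields against what an anonymous or non-owner caller is supposed to see. The hardened handler still lets a caller enumerate numeric IDs, but each response is limited to the public projection; if user existence itself is sensitive, the same 404 should also be returned for non-owners.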

This also affects Twitter users, since Vine users can log in to Vine services with their Twitter accounts. I found the same vulnerability on another bug bounty program, Edmodo's website.

Thanks for reading. Happy hunting.