How to hack an online lunch delivery website or how I was having free lunches for a week.
Hi there. I want to share my latest experience hacking an online lunch delivery website for specific offices. I didn’t do any harm, just got some free lunches :)).
So let me introduce what the website was for. A person(e.g Mike) from a specific office could register with a ‘unique’ email(e.g. Mike@someOffice.com) and order some food, which would be delivered to the ‘someOffice’.
One day when the fries i ordered were really awful, I decided to do a quick security audit on their website. It took just minutes to find the tricky bug.
The main issue was that the email was not as ‘unique’ as they’d expect. Once you try to register with ` Mike@someOffice.com`, `+Mike@someOffice.com` or something like these, a new user is created. Why?
I assume, In the back-end, they did something like this
What I can send from Front-End is:
This is why a new fake user will be created and the thing is that most mailing services, including Gmail, ignore space, + chars and send email to the right person.
So what? Surely, Mike will get an email and what does the email say?
Please confirm your email and some link to click (no word about registration which is wrong)
I am pretty sure 80% of people would click the link, well, some of my colleagues did. So I could get the control of a lot of fake profiles. It’s very easy to get the list of all emails with brute force attacks as the website had user enumeration vulnerability, that means when the email is wrong it says `wrong email`, when the email is right and only the password is incorrect, it says `wrong password`. The message should be always general, something like `wrong email or password` and also you have to make sure the response time from back-end is the same in both of these cases because the attacker can easily guess which one is incorrect(usually when only password is incorrect it takes more time because of password hashing). I would just need the company website addresses(e.g. someOffice.com) and I will try 1.000.000 of most popular names in my country with a simple script:) That would take just minutes to guess a lot of emails. Or I just can visit the company website and find the staff information there… Anyway, I like the first version more. :))
And finally, how should I log in? A usual HTML email input ignores spaces just like email services and sanitizes the strings, I just had to change the input type to text from inspect element so that I could send the email with spaces or whatever to back-end and login successfully with the newly made fake account. Tadaaaa!!
I think the email uniqueness issue appears to be in many websites. SO pay attention to the issue.
That’s it for today… The article is only for educational purposes, so don’t try this at home… Always test your code for security bugs :)