How to hack an online lunch delivery website or how I was having free lunches for a week.

Narek Harutyunyan
Jan 11, 2018 · 3 min read

Hi there. I want to share my latest experience hacking an online lunch delivery website for specific offices. I didn’t do any harm, just got some free lunches :)).

So let me introduce what the website was for. A person(e.g Mike) from a specific office could register with a ‘unique’ email(e.g. Mike@someOffice.com) and order some food, which would be delivered to the ‘someOffice’.

One day when the fries i ordered were really awful, I decided to do a quick security audit on their website. It took just minutes to find the tricky bug.

The main issue was that the email was not as ‘unique’ as they’d expect. Once you try to register with ` Mike@someOffice.com`, `+Mike@someOffice.com` or something like these, a new user is created. Why?

I assume, In the back-end, they did something like this

What I can send from Front-End is:

Bad Email From Front-End

This is why a new fake user will be created and the thing is that most mailing services, including Gmail, ignore space, + chars and send email to the right person.

So what? Surely, Mike will get an email and what does the email say?

Please confirm your email and some link to click (no word about registration which is wrong)

I am pretty sure 80% of people would click the link, well, some of my colleagues did. So I could get the control of a lot of fake profiles. It’s very easy to get the list of all emails with brute force attacks as the website had user enumeration vulnerability, that means when the email is wrong it says `wrong email`, when the email is right and only the password is incorrect, it says `wrong password`. The message should be always general, something like `wrong email or password` and also you have to make sure the response time from back-end is the same in both of these cases because the attacker can easily guess which one is incorrect(usually when only password is incorrect it takes more time because of password hashing). I would just need the company website addresses(e.g. someOffice.com) and I will try 1.000.000 of most popular names in my country with a simple script:) That would take just minutes to guess a lot of emails. Or I just can visit the company website and find the staff information there… Anyway, I like the first version more. :))

And finally, how should I log in? A usual HTML email input ignores spaces just like email services and sanitizes the strings, I just had to change the input type to text from inspect element so that I could send the email with spaces or whatever to back-end and login successfully with the newly made fake account. Tadaaaa!!

I think the email uniqueness issue appears to be in many websites. SO pay attention to the issue.

That’s it for today… The article is only for educational purposes, so don’t try this at home… Always test your code for security bugs :)

Codeep.io

Web, Mobile, Cyber Security, AI

Narek Harutyunyan

Written by

Serial entrepreneur, Software Engineer passionate about cyber security, Codeep.io.

Codeep.io

Codeep.io

Web, Mobile, Cyber Security, AI

More From Medium

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade