My First Critical Report
Hello guys,
Some time ago I wanted to write my first write-up about bug bounties, but with the lack of time (work and family) I never found the moment. The other day, though, talking with @saamux encouraged me to do it. So let's go!!!
I'll share with you an interesting bug I found in a private program on HackerOne some months ago.
It was Friday and I was ready to take a nap after a hard day of work. Before that, I took my mobile and started browsing through one of the program's endpoints (redacted.com), when suddenly I saw that the URL changed to m.redacted.com.
I hadn't seen that endpoint before; it seemed new, so I started to take a look.
I started surfing the website and capturing traffic with Burp... there were no tokens to prevent CSRF attacks, so it looked good. My next step was to try to create an account on the website, but I needed a Chinese phone number (there was no option to register with an email). First problem!!
To register on the website you need a Chinese mobile phone; they send you an OTP (one-time password) so you can register on their website.
I used different websites that give you a mobile number from any country to receive SMS... many didn't work, most didn't operate in China, and those that gave you a Chinese mobile phone number did not receive SMS, only calls. Second problem!!
I spent some days trying to find a website that could give me that service; I had a feeling that I could find something in that endpoint, but I couldn't verify it.
I tried a brute-force attack to see if I could guess the OTP and register on the page, but I didn't know the length of the OTP (normally it's 4 or 6 digits). I tried brute force, but it didn't let me test more than 5 OTPs.
In the end, I found a paid service that gave you a Chinese phone number to receive the OTP.
You had to select which service you wanted it for, so the famous OTP would arrive, but logically the company I was testing wasn't on that list.
So I sent them an email explaining the problem... Days passed but I didn't get an answer. Suddenly, one morning, I received an email saying they had already added the company.
My next step was to register an account on the website. I got the famous OTP (6 digits long), so finally I could create an account on the endpoint m.redacted.com... GREAT!!!
The first thing I noticed was that certain functions were vulnerable to CSRF, but my idea was to see if I could find something more critical on this endpoint.
The first thing that came to my mind was to check the Forgot Password functionality: you had to enter the mobile number and the server would send you a 6-digit OTP; if the OTP was correct you could change the password.
So I checked whether there was any difference between sending a correct and an incorrect OTP. When I sent an incorrect OTP I got this message from the server:
Sorry... what is "\u9a8c\u8bc1\u7801\u65e0\u6548"? After a little research I discovered that these were Unicode entities, so I tried to decode them; I found this website: http://online-toolz.com/
Next, I used Google Translate (sorry, I don't speak Chinese) ;-)
OK, nothing special or weird, but what happens when we enter the correct OTP?
My Chinese mobile number was 17088016446, so my next step was to use the Password Reset functionality again. In this case I sent the PIN 111111 (which wasn't right) and intercepted the response from the server; when the server sent the response saying it had failed, I deleted that response and inserted the following data:
I was able to reset the password!!!!!!!!!!!!! Bingo!!!!
At this point, I just had to know the mobile number and I could change their password. Simply by using the Reset Password functionality and entering a mobile number, the website told me whether that number existed in the database or not; after that, I sent any OTP, intercepted the response from the server, deleted that response and inserted the following data:
GAME OVER !!!!
I had found my first Full Account Takeover.....
I reported it immediately, and they fixed it and rewarded it over the weekend.
That was all about this finding... I hope you liked it!!
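The root cause here is that the OTP check and the password change were two independent requests, and the server never recorded that the check had passed: the mobile web app trusted the verify response, so replacing a "code invalid" response with a success response was enough to reach the change-password step, which the server then accepted. The following is an added example written for this post, not the author's code and not code from the program that was tested. It is an in-memory Python simulation with made-up phone numbers and codes (the SMS gateway is just a list), showing a `VulnerableReset` class with that flaw next to a `HardenedReset` class where a successful OTP check mints a random, single-use, phone-bound reset token that the password change must present. The class names, the 5-try lockout, the 300-second token lifetime and the generic "if the number is registered" reply are all assumptions of the example.

```python
# Added example, not from the write-up or the tested program: an in-memory
# OTP password-reset flow, vulnerable and hardened, with constructed data.
import hmac
import secrets
import time

MAX_OTP_ATTEMPTS = 5        # the write-up mentions a limit of 5 OTP tries
RESET_TOKEN_TTL = 300       # seconds a reset token stays valid (assumed value)
OTP_INVALID = "\u9a8c\u8bc1\u7801\u65e0\u6548"   # 验证码无效: "verification code invalid"


class VulnerableReset:
    """verify_otp only *tells* the client whether the code matched. A client
    that forges that answer (or skips the step) can still call reset_password."""

    def __init__(self, users):
        self.users = dict(users)     # phone -> password
        self.otps = {}               # phone -> current OTP
        self.sms_outbox = []         # stands in for the SMS gateway

    def request_otp(self, phone):
        if phone not in self.users:
            return {"code": 1, "msg": "user does not exist"}  # leaks account existence
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[phone] = otp
        self.sms_outbox.append((phone, otp))
        return {"code": 0, "msg": "sent"}

    def verify_otp(self, phone, otp):
        if self.otps.get(phone) == otp:
            return {"code": 0, "msg": "ok"}
        return {"code": 1, "msg": OTP_INVALID}

    def reset_password(self, phone, new_password):
        # BUG: nothing here proves the caller ever passed verify_otp.
        if phone not in self.users:
            return {"code": 1}
        self.users[phone] = new_password
        return {"code": 0}


class HardenedReset:
    """A successful verification mints a random reset token stored server-side
    and bound to the phone; reset_password is refused without it."""

    def __init__(self, users):
        self.users = dict(users)
        self.otps = {}               # phone -> (otp, attempts_used)
        self.reset_tokens = {}       # token -> (phone, expires_at)
        self.sms_outbox = []

    def request_otp(self, phone):
        if phone in self.users:      # same reply either way: no enumeration
            otp = f"{secrets.randbelow(10**6):06d}"
            self.otps[phone] = (otp, 0)
            self.sms_outbox.append((phone, otp))
        return {"code": 0, "msg": "if the number is registered, a code was sent"}

    def verify_otp(self, phone, otp):
        entry = self.otps.get(phone)
        if entry is None:
            return {"code": 1, "msg": OTP_INVALID}
        expected, used = entry
        if used >= MAX_OTP_ATTEMPTS:
            return {"code": 1, "msg": "too many attempts, request a new code"}
        self.otps[phone] = (expected, used + 1)
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            return {"code": 1, "msg": OTP_INVALID}
        del self.otps[phone]                       # the OTP itself is single-use
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (phone, time.monotonic() + RESET_TOKEN_TTL)
        return {"code": 0, "reset_token": token}

    def reset_password(self, phone, reset_token, new_password):
        entry = self.reset_tokens.pop(reset_token, None)   # consumed on any use
        if entry is None:
            return {"code": 1, "msg": "invalid or expired reset token"}
        bound_phone, expires_at = entry
        if bound_phone != phone or time.monotonic() > expires_at:
            return {"code": 1, "msg": "invalid or expired reset token"}
        self.users[phone] = new_password
        return {"code": 0}


def demo():
    """Replays the forged-response attack against both designs."""
    phone = "13800000000"                           # made-up number
    vulnerable = VulnerableReset({phone: "old-pw"})
    vulnerable.request_otp(phone)
    vulnerable.verify_otp(phone, "111111")          # wrong guess; attacker forges "ok" client-side
    forged_vuln = vulnerable.reset_password(phone, "pwned")

    hardened = HardenedReset({phone: "old-pw"})
    hardened.request_otp(phone)
    hardened.verify_otp(phone, "111111")            # wrong guess; no token is ever minted
    forged_hard = hardened.reset_password(phone, "forged-token", "pwned")
    return {
        "vulnerable_takeover": forged_vuln["code"] == 0 and vulnerable.users[phone] == "pwned",
        "hardened_takeover": forged_hard["code"] == 0 or hardened.users[phone] == "pwned",
    }


if __name__ == "__main__":
    print(demo())
```

In the hardened version the verify response still says "ok" or "invalid", but forging it buys the attacker nothing: the password change only succeeds with a token the server itself created, and a token is destroyed on its first use, right or wrong. The hardened `request_otp` also answers the same way for unknown numbers, which removes the "does this number exist?" oracle the write-up used to pick targets.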