HOW I GOT ACCESS TO 22+Million Users?
IDOR THAT BROUGHT TEARS INTO MY EYES!!!
Hello guys!!! Hope you are all doing great. I was happy to see that many people these days are taking an interest in the Info-Sec community, and that we have many hackies serving the digital community to make it more secure and more hack-proof. So, welcome to MultiVerse Blog, where we love penetration testing more than kids love Cartoon Network. In this particular post I will try my best to keep everything as simple as I can, show you some AMAZING things, and try to change your perspective towards the IDOR bug (I love IDOR bugs: 1st reason, the payout is good; 2nd reason, if you have good eyesight you can easily catch them; 3rd reason, finding IDORs gives me inner peace).
So, this time let's start with what really happened in these few months (from my last blog post to today's post). The last bug paid me well enough to enjoy these 5 months, but as I was getting a sh*tload of real-life issues and needed time to fix myself up, I was thinking about getting a big-time hit on some bounty that could at least help me out for a long time. So I started searching many private bug bounty programs. I was not able to get any critical bug; I was able to get CSRF / token invalidation on the server side, and even got a bug related to headers, but I didn't want to report medium/low severity bugs, which I have never even reported to any program, because those bugs would hardly have given me $500-1000 in total. In between these I got one CORS bug, which I will cover in another post for proper clarification. But then I found my dream site (the site which gave me the big time), where I was able to exploit any user to its fullest. Seems like it would include social engineering, right? Nope!!! All of it was possible via this particular IDOR. I would like to take a few secs of yours just to redefine this bug.
Seems like a dream come true, right? Hang tight!!! We will get into the details now and you will find it really informative to learn what can be done with a bug like IDOR. Let's begin our journey....
So, here is this redacted-company.com, where I was searching for bugs like IDOR/XXE/any freakin' bug that would be worth finding. I looked at the structure of the site and it was a very simple site with very few features but 22 million+ users. Woah!!!! Huge, right??? Yes!!! This site had a huge DB, which turned my interest even more towards getting an IDOR. Actually, let's take a pause and think about it, just imagine! 22 million users and just one IDOR that could lead to compromising all of them, one by one... that would be really great, right? Yes! It would be, and it will be; just a few more steps and we will be there...
So I found one IDOR and then I sent a mail to their security team; you can check the mail snapshot below to see how it went ;)
Okay!!! Let's get into the technical stuff now....
You can see the website in the image below: a simple structure with very few options for exploitation, as there are very few features available....
Then I went to check if I could add some users, to see if I could find any IDOR there...
So now my eye went towards "Manage Users"; seems like we will get something there :)
So I went ahead and clicked on Manage Users and I got this...
I got nothing but my own user account name, so I clicked on it and checked if I got any id parameter to play with in the URL... which was a total disappointment...
Nothing to do here, as even in the POST parameters there were not many options to alter to get an IDOR, and hence I was a little upset about what to do... How to get access to 22 million users :(
Then I saw something very usual. OHHHH!!! Did you read "usual"? Yes indeed!!! So let's take a moment to remember my 3 reasons for searching for IDORs. Do you remember my 2nd reason? The reason that states we need good eyesight to spot this bug. So I believe I have got one heck of a strong eyesight...
Guess what? When I hovered my cursor over my user account name in "Manage Users", I found that a URL was being displayed at the bottom of the browser, and it had a parameter named "id" with some integer value. Oh! We got this one... I was like...
So going forward, I right-clicked on my username and copied the link location ;)
Then I pasted the link location into my browser's address bar and checked whether hitting that URL showed me results or redirected me to some other/ERROR page...
So I changed the "id" value and checked if it showed me information about other users...
As you can see, by manipulating the "id" parameter I was able to pull out the data of other users... Up to this point I was fine, and then I again remembered my 2nd reason for finding bugs... I saw that the Password field was showing some hidden (masked) values, and while changing the user_id I noticed that the password characters changed for different user_ids, which means the masked field was being pre-filled with a per-user value sent by the server, not a fixed placeholder... So are you thinking what I am thinking???
So, as you can see, it changed my perspective on the type of vulnerability I had found in this particular site.....
Oh!!! DAMN!!! Super Thanos Critical Bug.......
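Here is a small model of what was going on, as an added example; it is not the blog's code or anything from redacted-company.com, and the user table, ids, log lines and the "managed_by" relationship are all made up for illustration. It puts a lookup that trusts the "id" parameter and serialises the whole row (password column included, which is exactly why the masked field changed per user) next to one that authorises against the logged-in session and allow-lists the fields it returns, and adds a check over access logs that flags a session walking through many different ids, which is what a defender would want to alert on.

```python
"""
Added example, not code from the blog post or from redacted-company.com.
A minimal stand-in for the "Manage Users" lookup: the vulnerable handler
trusts the "id" query parameter and serialises the whole user row (password
field included), the hardened one authorises against the logged-in session
and allow-lists the fields it returns. A small log check flags sessions that
walk through many different ids. All users, ids, log lines and the
'managed_by' relationship are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed user table. 'managed_by' models the account that is allowed to
# see this user in "Manage Users" (an assumption about the real site).
USERS = {
    1001: {"id": 1001, "username": "alice", "email": "alice@example.com",
           "password": "S3cret-alice", "managed_by": 1001},
    1002: {"id": 1002, "username": "bob", "email": "bob@example.com",
           "password": "hunter2", "managed_by": 1001},
    1003: {"id": 1003, "username": "carol", "email": "carol@example.com",
           "password": "Tr0ub4dor&3", "managed_by": 1003},
}

# Fields the UI actually needs. The password is never in this list, so there
# is nothing for a masked input to be pre-filled with.
PUBLIC_FIELDS = ("id", "username", "email")


class NotFound(Exception):
    """Raised for ids that do not exist OR that the caller may not see."""


def manage_users_vulnerable(session_user_id, requested_id):
    """Vulnerable lookup: the session is ignored, the URL id decides.

    Returns the complete row, which is why the masked password field in the
    post changed with every user_id: the real value was sent to the browser.
    """
    row = USERS.get(requested_id)
    if row is None:
        raise NotFound(requested_id)
    return dict(row)


def manage_users_hardened(session_user_id, requested_id):
    """Hardened lookup: authorise against the session, then allow-list fields.

    The same NotFound is raised for 'does not exist' and 'not yours', so the
    response does not confirm which ids are valid.
    """
    row = USERS.get(requested_id)
    allowed = row is not None and (
        requested_id == session_user_id or row["managed_by"] == session_user_id)
    if not allowed:
        raise NotFound(requested_id)
    return {k: row[k] for k in PUBLIC_FIELDS}


# Constructed access-log lines: session id, method, path, status.
ACCESS_LOG = """\
sess=a1 GET /manage-users?id=1001 200
sess=a1 GET /manage-users?id=1001 200
sess=b7 GET /manage-users?id=1002 200
sess=b7 GET /manage-users?id=1003 200
sess=b7 GET /manage-users?id=1004 200
sess=b7 GET /manage-users?id=1005 200
sess=b7 GET /manage-users?id=1006 200
sess=c3 GET /login 200
""".splitlines()

LOG_RE = re.compile(r"sess=(\S+) GET /manage-users\?id=(\d+) (\d{3})")


def sessions_enumerating_ids(log_lines, threshold=4):
    """Return sessions that successfully fetched at least `threshold` distinct ids.

    A real user of "Manage Users" touches a handful of ids; a session walking
    through a sequence of ids with 200 responses is the pattern to alert on.
    """
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "200":
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Bob's session (1002) asks for Carol's record (1003).
    print(manage_users_vulnerable(1002, 1003))   # whole row, password included
    try:
        manage_users_hardened(1002, 1003)
    except NotFound:
        print("hardened: id 1003 is hidden from session 1002")
    print(manage_users_hardened(1001, 1002))     # alice manages bob: allowed
    print(sessions_enumerating_ids(ACCESS_LOG))  # ['b7']
```

Two design points matter here: the authorisation decision is made from the server-side session and the stored ownership relationship, never from anything in the URL, and the response is built from an explicit allow-list so that a new sensitive column added to the table later can never leak by accident.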
Hope it has changed the perspective of IDOR in your mind too, and I assure you that you really need very good eyesight for these bugs.
About the Bounty, Yes! It was indeed very good :)
Thank you for reading :)
Keep Hunting and Keep Learning