A business Logic issue worth $1500

Hello everyone,

Its me Mohsin khan AKA tabaahi_.Today I would like to talk about one of my recent findings.

It was a private bug crowd program. The issue is resolved now. But I don’t have permission from the program so will call it redirect.com.

The program has a website, android, IOS app, and desktop app in the scope. Started with a Web application, and I found the block device option.

After reading docs (related to block devices) I understand User can log in to his/her account in android, IOS apps, and desktop apps. And devices will show on the device option.

If I click on the blocked device the account of the user will log out from the device, and the User will not be able to login to the application (on the blocked device) until I unblock the device.

So I installed android, IOS app, and desktop app. And login to the application. I notice IOS app and desktop app working fine. But when I blocked the android application login, The user is still logged in. Security implementation for the android app is not working properly.

I reported to them

There are so many programs that allow block device features. Go and try now :)

Thank you for reading! And don’t forget to follow me on Twitter.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store