IDOR via Websockets allow me to takeover any users account

Hi everyone I hope you all are doing great and scoring lots of bounties. I am Mohsin khan I am from India and I do bug bounty full time for 1 year now. I found lots of bugs in the last year.

Today I am sharing one of my finding which allows me to take over all users account. It was out of scope domain bug but they paid me a bounty ❤. Without further ado let’s start.

It was a private program and I don’t have permission to disclose any information about the target so let’s call it example.com. Let me give you a basic idea about functionality of a program.

It is an online meeting platform where you can create your team. You can invite users, you can follow users and you can permit users like admin, normal user, etc.

Now I start the burp suite and started checking how to change the name, email functionality works. I found that there is an X-token header. It was a JWT token and as you know if the JWT token is there It means it is almost impossible to find CSRF. At least on this website. I tried to remove the token and tried to change information but nothing work website gave me 401.

I don’t know much about bug classes mostly I only hack on login, save info, signup. so Now I create another account but this time I am checking every request and response. Like how signup is working & responses.

I found that when you click on signup after POST request one WebSocket request is sent which contains UUID and email, username, etc. I tried to change the UUID to my first account (Account A)UUID and I got an error.

Email already exists.

I was like

Now I understand why the website giving me an Email exist error. because user B’s account is now already created and I can’t use the same email. Now I change UUID to my account A UUID and change email and now I got no response but when I go to my first account (account A) and reload the page I logged out.

I immediately try to login again (with account A email) but I got an error. (After changing the email, the website logout the user to log in again. We can confirm we changed account A email successfully. As you know I already know account A password. but we can request a password reset link because now we control account A) now I understood and I try to login with a new email, and Now I have logged in to user A account successfully.

Team: How you manage to find UUID?

As I told you before it was an online meeting platform. By going to the user’s profile and clicking on the following user button you can grep users UUID easily.

It was P2 but I rewarded P3 bounty. Because it was out of scope domain.

But when triager make your Critical to P3

Takeaway:

  1. Always play with login, signup, and change info functionality. There is always something for you

Resources

Tip for beginner

When I started after few months I started doing collaborations. It helps me to learn a lot. Most of the time I hack with my friends, If you want to collaborate you can dm me on Twitter. There is the platform called findhunters

You can collab with lots of hackers and learn a lot together. Go checkout findhunters. ❤

I hope you enjoy reading. If you have any questions feel free to ask me on Twitter https://twitter.com/mokhansec .

powerful people make places powerful

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store