Using this vulnerability he was able to read all the support conversations between users and the support team, by manipulating a URL parameter. This article has been reproduced from http://ift.tt/2el0uw6 with the permission of the author.
I have been invited to a private program for a while now, but as is often the case, I focus mainly on programs I like and that pay accordingly. So on a boring Monday morning, when I stumbled across the invitation again, I decided to give it a shot.
I registered on the site as usual and started looking for vulnerabilities. After much hassle I couldn't set up a webhook for one reason or another, so I started a live chat with the support team to ask for help. As usual, my interception proxy was on. After the live chat I still hadn't found a bug, so I went back through the intercepted requests, and that's when I came across a GET request to http://endpoint:/api/v1/chats/%5Bchat_id%5D/messages.json?include=*&token= (request 1), where %5Bchat_id%5D is simply [chat_id] URL-encoded.
When I saw the request I thought WOW!, and the first thing that came to mind was accessing other users' chats. But the token parameter was checked: whenever I tampered with it or removed it entirely, the API returned an error similar to the one below:
“message”: “This action requires the field to be specified”,
After a lot of fuzzing and tweaking of the request, no luck. But just as I was about to give up, I noticed another POST request, to /api/v1/chats/[message_id] (request 2).
Comparing the two requests, I changed the request to /api/v1/chats/[chat_id]/messages/[message_id]. The result was the message assigned that message_id.
Incrementing message_id fetched the next message along with the chat_id it really belonged to, whatever chat that was: the endpoint validated the token (authentication) but never checked that the requested message belonged to a chat owned by the caller (authorization), a classic IDOR. I immediately reported the vulnerability. Moving on, I started enumerating messages to see whether a malicious attacker could gain anything beyond reading annoyed users' complaints, and then I found a message containing login credentials.
I added the extra details as a comment on my report to the company. With this bug I was able to read all chat messages between support staff and customers, enumerate both parties in each chat, view sensitive information shared in them, etc.
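The bug described above, as an added example that is not part of the original write-up and not the company's code: a toy version of the messages endpoint with the same flaw (a valid token is required, but the message is looked up by message_id alone and the chat's owner is never checked), the corrected handler beside it, and the id sweep the author performed. The users, chats, message ids, token format and function names are all constructed here for illustration.

```python
"""Added example: reproduces the support-chat IDOR from the write-up and shows
the fix. All data and names below are constructed; the real service's code is
unknown.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Message:
    id: int
    chat_id: int
    body: str


# Constructed sample data: two customers, one support chat each, and message
# ids that are sequential across ALL chats (the write-up implies this, since
# incrementing message_id walked through other customers' conversations).
USERS = {"alice": "tok-alice", "bob": "tok-bob"}  # user -> API token
CHAT_OWNER = {100: "alice", 101: "bob"}           # chat_id -> owning user
MESSAGES = {
    1: Message(1, 100, "Hi, my webhook fails with a 400"),
    2: Message(2, 100, "Support: can you paste the payload?"),
    3: Message(3, 101, "Here are my login credentials: bob / hunter2"),
    4: Message(4, 101, "Support: please never share passwords in chat"),
}
AUTH_ERROR = {"message": "This action requires the field to be specified"}

Response = Tuple[int, dict]


def authenticate(token: str) -> Optional[str]:
    """The check the author found WAS enforced: a missing or tampered token
    is rejected. It proves who is calling, not what they may read."""
    for user, tok in USERS.items():
        if tok == token:
            return user
    return None


def get_message_vulnerable(token: str, chat_id: int, message_id: int) -> Response:
    """GET /api/v1/chats/{chat_id}/messages/{message_id}, as described.

    Authentication succeeds, then the lookup is keyed on message_id alone:
    chat_id is never compared with the message and the chat's owner is never
    compared with the caller, so any valid token reads any message.
    """
    if authenticate(token) is None:
        return 401, AUTH_ERROR
    msg = MESSAGES.get(message_id)
    if msg is None:
        return 404, {"message": "not found"}
    # Echoes the message's real chat_id, which is how the author could tell
    # which conversation each enumerated message came from.
    return 200, {"id": msg.id, "chat_id": msg.chat_id, "body": msg.body}


def get_message_fixed(token: str, chat_id: int, message_id: int) -> Response:
    """Same route with object-level authorization added.

    Both checks use server-side state, never values from the request:
    1. the chat in the URL must belong to the authenticated user;
    2. the message must belong to that chat.
    Both failures return the same 404 so the status code cannot be used to
    confirm that a guessed id exists.
    """
    user = authenticate(token)
    if user is None:
        return 401, AUTH_ERROR
    if CHAT_OWNER.get(chat_id) != user:
        return 404, {"message": "not found"}
    msg = MESSAGES.get(message_id)
    if msg is None or msg.chat_id != chat_id:
        return 404, {"message": "not found"}
    return 200, {"id": msg.id, "chat_id": msg.chat_id, "body": msg.body}


def enumerate_messages(handler: Callable[[str, int, int], Response],
                       token: str, chat_id: int, id_range: range) -> Dict[int, dict]:
    """What the author did after the first hit: sweep message ids upward with
    one valid token and one own chat_id, keeping every 200 response."""
    leaked = {}
    for mid in id_range:
        status, body = handler(token, chat_id, mid)
        if status == 200:
            leaked[mid] = body
    return leaked


if __name__ == "__main__":
    # Alice holds only her own token and chat id, yet sweeps every message.
    hits = enumerate_messages(get_message_vulnerable, "tok-alice", 100, range(1, 11))
    foreign = [m for m in hits.values() if m["chat_id"] != 100]
    print(f"vulnerable: {len(hits)} messages returned, {len(foreign)} from other chats")
    for m in foreign:
        print("  leaked:", m)
    hits = enumerate_messages(get_message_fixed, "tok-alice", 100, range(1, 11))
    print(f"fixed: {len(hits)} messages returned, all from chat 100:",
          all(m["chat_id"] == 100 for m in hits.values()))
```

The point of the fixed handler is that authentication and authorization are separate checks: the token tells the server who is asking, and a second lookup against the server's own ownership table decides whether that caller may see the object named in the URL. Returning 404 rather than 403 for the failing authorization checks keeps the id space opaque to anyone repeating the author's sweep.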
The company fixed this bug in less than 20 minutes and pushed the fix live. The next day I was awarded $$$$.
29-08-2016: Bug Reported
29-08-2016: Report Triaged
29-08-2016: Fix Confirmed
29-08-2016: Bug Resolved
30-08-2016: $$$$ Bounty awarded.
As usual, feedback is always welcome; use the comment section!