by harshjaiswal · Released March 27, 2016 · Updated April 12, 2016
Badoo Profile Takeover – Bug Bounty POC
Note that this article is written by Harsh Jaiswal and any errors in it are solely his. We let you publish write-ups on our blog as a guest/contributor so that others can also learn. If you're interested in sharing your finding through the Bug Bounty POC program, just sign up on the blog and publish freely.
Thanks a lot Bharat & Behroz for this awesome platform. I'm a newbie; eventually I'll share my other 2 FB issues, total value $3000.
Hey everyone out there! Today I want to share my finding in Badoo, where I'm able to take over a user's account just by sending him/her a malicious link.
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site runs on a freemium model: to gain additional features, a user can pay a fee or allow Badoo to email all their friends.
Let's begin
First of all I want to thank my friend Rudra, who always motivates me. He gave me a simple link and I got a full account takeover out of it.
The bug was really simple; it relies on a CSRF & a token misconfiguration. And just good for
When we import photos from Facebook or Instagram, the request doesn't carry any anti-CSRF token, and the Facebook token created via Badoo was valid for every user. So I can give a link that imports photos from my own Facebook account to a user; if the user clicks OK, the photos get imported into his profile.
But how did I get a takeover here?
The thing I noticed is that the generated link replaces the user's linked FB account with the attacker's FB account, and the best part was that the user only has to visit the link; no clicking Cancel or OK is required.
Now an attacker can log in via FB and completely take over the account, with access to all their chats, private photos and everything.
The bug was patched within 2 days of the initial report. The bounty ($850) was much less than I expected.
Steps to reproduce were:-
1- Create two Badoo accounts, 'attacker' & 'victim', and link 2 different FB accounts to them
2- Log in as 'attacker', go to import photos via FB and copy the link from the URL bar
3- Now log in as 'victim' in a different browser, open the link and click Cancel.
4- The FB account of 'victim' is replaced with the FB account of 'attacker' (taken from the 'attacker' one)
5- Log in via the attacker's FB account and you'll be logged in to the 'victim' profile
Congrats, you just hacked the victim's account
Suppose we have an attacker account 'A' with linked FB account 'FB-of-A' and a victim account 'B' with linked FB account 'FB-of-B'. Now the attacker creates a link to import pictures from his FB and gives it to victim 'B'. He opens it and presses Cancel, but this has already changed his FB account 'FB-of-B' to the attacker's FB account 'FB-of-A', and now the attacker can log in with his FB account into the victim's Badoo account.
I can chat with my victim on Badoo and would have hacked his or her account within five minutes.
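The root cause above is that the import link carries a token that is valid for every user, so a link minted in the attacker's session is accepted in the victim's session. The following is an added example (not Badoo's code; the session model, link fields and token values are constructed assumptions) that models the vulnerable check beside the hardened one, where the state value is bound to the session that minted it and can be used only once.

```python
import secrets

# Constructed in-memory model of the "import photos from Facebook" flow.
class Session:
    """One logged-in browser session on the dating site."""
    def __init__(self, user):
        self.user = user
        self.linked_fb = None          # which Facebook account is linked to the profile
        self.pending_states = set()    # import links minted by *this* session only

GLOBAL_IMPORT_TOKEN = "import-token-valid-for-everyone"  # constructed placeholder

def vulnerable_link(session):
    # One site-wide token for every user: anyone who holds the URL can replay it.
    return {"token": GLOBAL_IMPORT_TOKEN, "fb": session.linked_fb}

def vulnerable_callback(session, link):
    # Checks only that the token is *a* valid token, not that it belongs to this
    # session, so a link copied from the attacker's URL bar is honoured for the victim.
    if link.get("token") != GLOBAL_IMPORT_TOKEN:
        return False
    session.linked_fb = link["fb"]     # victim's linked FB account is overwritten
    return True

def hardened_link(session):
    # Per-session, unguessable, single-use state value remembered server-side.
    state = secrets.token_urlsafe(24)
    session.pending_states.add(state)
    return {"state": state, "fb": session.linked_fb}

def hardened_callback(session, link):
    # Accept only a state minted for this very session, and consume it on use.
    state = link.get("state")
    if state not in session.pending_states:
        return False                   # cross-session (CSRF) or replayed link: rejected
    session.pending_states.discard(state)
    session.linked_fb = link["fb"]
    return True

def demo():
    """Replays the write-up's scenario: attacker 'A' hands a link to victim 'B'."""
    attacker, victim = Session("A"), Session("B")
    attacker.linked_fb, victim.linked_fb = "FB-of-A", "FB-of-B"
    vulnerable_callback(victim, vulnerable_link(attacker))
    hijacked = victim.linked_fb        # "FB-of-A": victim's link was replaced
    victim.linked_fb = "FB-of-B"
    accepted = hardened_callback(victim, hardened_link(attacker))
    return hijacked, accepted, victim.linked_fb   # ("FB-of-A", False, "FB-of-B")
```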
09 March : Reported
10 March : Bounty Rewarded 850 USD
11 March : Bug patched