Posts

How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)

Summary: This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability on Twitter which could have been used by attackers to tweet from other accounts, upload videos on behalf of a user, delete pictures/videos from a victim's tweets, view private media uploaded by other Twitter accounts, etc. All endpoints on studio.twitter.com were vulnerable.

Description: Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.

Twitter had launched a new product named Twitter Studio (studio.twitter.com) in September 2016, so I started looking for security loopholes after the launch. All API requests on studio.twitter.com were sending a parameter named "owner_id", which was the Twitter user ID (publicly available and sequential) of th…

How anyone could have used Uber to ride for free!

Note: This is being published with the permission of Uber under the responsible disclosure policy. The vulnerability was fixed in August 2016.

Summary: This post is about an interesting bug on Uber which could have been used to ride for free anywhere in the world. Attackers could have misused this by taking unlimited free rides from their Uber account.

Description: Uber Technologies Inc. is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide. Users can create their account on Uber.com and can start riding. When a ride is completed, a user can either pay cash or charge it to their credit/debit card.
But by specifying an invalid payment method (for example, abc or xyz), I could ride Uber for free.

To demonstrate the bug, I took permission from the Uber team and took free rides in the United States and India, and I wasn't charged on any of my payment methods.

Vulnerable request: POST /api/dial/v2/requests HTTP/1.1 Host: d…

[Responsible disclosure] How I could have hacked all Facebook accounts

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Summary: This post is about a simple vulnerability found on Facebook which could have been used to hack into other users' Facebook accounts easily, without any user interaction. This gave me full access to another user's account by setting a new password. I was able to view messages, the credit/debit cards stored under the payment section, personal photos, etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.

Description: Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110 . Facebook will then send a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password. I tried to brute-force the 6-digit co…

[Responsible disclosure] How I could have removed all your Facebook notes

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Summary: This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Notes, with which an attacker could have removed all your notes just by replacing his note ID with yours in the note-editing request.


About Facebook Notes: Facebook Notes are a way of writing entries about your life, your thoughts, or your all-time favorite songs and then sharing them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so that they can go check out your blog. Instead, your friends are connected to your Profile. Therefore, when you publish a Note, it appears in your News Feed.


Vulnerability description: Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypa…

[Responsible disclosure] How I could have hacked 62.5 million Zomato Users

Note: This is being published with the permission of the Zomato team. The vulnerability is now fixed.

Zomato is an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users. While creating an account, a user can store his phone number, addresses, date of birth, link an Instagram account, etc. In one of the API calls, they were reflecting the user data based on the "browser_id" parameter in the API request. Interestingly, changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The leaked data also included the Instagram access token, which could be used to view the private Instagram photos of the respective Zomato users.
Below are the technical details of the vulnerability:
Description:
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result…

[Responsible disclosure] Hacking Facebook.com/thanks Posting on behalf of your friends!

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Facebook recently introduced "Say Thanks", an experience that lets Facebook users create personalized video cards for their Facebook friends.
To create a Thanks video, a user needs to visit facebook.com/thanks and choose a friend. The user can select a different theme and edit the photos and posts that represent their friendship.
Once you are ready, you click on the "Share" button and your video is shared on your timeline with the friend tagged. It will show up on your timeline as well as the friend's.

So, I started digging up as soon as "Say Thanks" was launched.

Below are a few of the things I tried:

1) Posting on behalf of a user who is not a Facebook friend.
2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of your Facebook friends worked.
After successful exploitation, a video w…