Showing posts from 2017

How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)

Summary: This post describes an insecure direct object reference (IDOR) vulnerability in Twitter which could have been used by attackers to tweet from other accounts, upload videos on a user's behalf, delete pictures and videos from a victim's tweets, view private media uploaded by other Twitter accounts, and more. All endpoints on were vulnerable.

Description: Twitter is an online news and social networking service where users post and interact with messages called "tweets", restricted to 140 characters. Registered users can post tweets, but unregistered users can only read them. Users access Twitter through its website, SMS or a mobile app.

Twitter launched a new product named Twitter Studio ( in September 2016, so I started looking for security loopholes after the launch. All API requests on were sending a parameter named "owner_id", which was the Twitter user ID (publicly available and sequential) of th…
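The IDOR pattern described above, modelled as an added example; this is not code from the original post or from Twitter. The post says every Studio API request carried an "owner_id" parameter holding the public, sequential Twitter user ID, and the endpoints acted on whatever ID the client sent. The vulnerable handler below authenticates the session but authorizes against the client-supplied owner_id; the fixed handler derives the acting user from the server-side session only and checks ownership of the target object against it. All names here (MEDIA, SESSIONS, Forbidden, the handler functions) and the sample data are hypothetical and constructed for the example.

```python
# Added example, not code from the original post or from Twitter: a minimal
# model of the IDOR described above. The post says every Studio API request
# carried an "owner_id" parameter holding the public, sequential Twitter user
# ID, and the endpoints acted on whatever ID the client sent. All names here
# (MEDIA, SESSIONS, Forbidden, the handler functions) are hypothetical.
from dataclasses import dataclass


@dataclass
class Media:
    media_id: int
    owner_id: int
    private: bool


class Forbidden(Exception):
    """Raised when a request is not allowed to act on the target object."""


# Constructed session store: session token -> authenticated user ID.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


def sample_media():
    """Constructed sample data: two users, each owning one media item."""
    return {
        1001: Media(media_id=1001, owner_id=1, private=True),
        1002: Media(media_id=1002, owner_id=2, private=False),
    }


def delete_media_vulnerable(session_token, params, media):
    """Vulnerable pattern: the login check is real, but authorization uses the
    client-supplied owner_id. Any logged-in user who knows or guesses another
    user's sequential ID can delete (or view) that user's media."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    owner_id = int(params["owner_id"])      # attacker-controlled
    item = media[int(params["media_id"])]
    if item.owner_id != owner_id:           # compares object to attacker's claim
        raise Forbidden("owner mismatch")
    del media[item.media_id]
    return True


def delete_media_fixed(session_token, params, media):
    """Fixed pattern: the acting principal comes only from the server-side
    session; any owner_id in the request is ignored, and ownership of the
    target object is checked against the session's user."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        raise Forbidden("not logged in")
    item = media.get(int(params["media_id"]))
    # One response for "does not exist" and "not yours", so a guesser cannot
    # use the error to enumerate which media IDs exist.
    if item is None or item.owner_id != user_id:
        raise Forbidden("no such media")
    del media[item.media_id]
    return True


def attempt_delete(handler, session_token, params, media):
    """Return True if the handler deleted the item, False if it refused."""
    try:
        return handler(session_token, params, media)
    except Forbidden:
        return False


if __name__ == "__main__":
    # Bob (user 2) claims to be Alice (user 1) and targets her private media.
    forged = {"owner_id": "1", "media_id": "1001"}
    m = sample_media()
    print("vulnerable:", attempt_delete(delete_media_vulnerable, "sess-bob", forged, m))
    m = sample_media()
    print("fixed:", attempt_delete(delete_media_fixed, "sess-bob", forged, m))
```

The check that matters is the one the vulnerable handler never makes: comparing the target object's owner to the session's user rather than to a value the client chose. Because the IDs are sequential, a missing check lets an attacker walk the whole ID space, so the fixed handler also returns one uniform error for "absent" and "not yours".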

How anyone could have used Uber to ride for free!

Note: This is being published with the permission of Uber under its responsible disclosure policy. The vulnerability was fixed in August 2016.

Summary: This post is about an interesting bug in Uber which could have been used to ride for free anywhere in the world. Attackers could have abused it to take unlimited free rides from their Uber account.

Description: Uber Technologies Inc. is an online transportation network company headquartered in San Francisco, California, with operations in 528 cities worldwide. Users can create an account on and start riding. When a ride is completed, the user either pays cash or has the fare charged to their credit/debit card.
But by specifying an invalid payment method (for example "abc" or "xyz"), I could ride Uber for free.

To demonstrate the bug, I took permission from the Uber team and took free rides in the United States and India; I was not charged on any of my payment methods.

Vulnerable request:
POST /api/dial/v2/requests HTTP/1.1
Host: d…
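The check the bug above calls for, as an added example; this is not code from the original post or from Uber, and it does not describe how Uber's backend was actually built. The post says that sending a made-up payment method such as "abc" or "xyz" let a trip go unbilled. One way that class of bug arises (an assumption made for the example) is that the method ID is only looked up when the fare is settled and a failed lookup is treated as "nothing to charge". The model below shows that fail-open path beside a version that validates the ID against the rider's own registered methods when the ride is requested and, at settlement, never closes a trip as paid when the method is unknown. All names (RIDERS, request_ride_*, settle_trip_*) and the sample account are hypothetical and constructed.

```python
# Added example, not code from the original post or from Uber: a model of the
# check the bug above calls for. The post says that sending a made-up payment
# method such as "abc" or "xyz" let the trip go unbilled. One way such a bug
# arises (an assumption, not a description of Uber's code) is that the method
# ID is only looked up when the fare is settled, and a failed lookup is
# treated as "nothing to charge". All names here (RIDERS, request_ride_*,
# settle_trip_*) are hypothetical.
from dataclasses import dataclass


@dataclass
class Rider:
    rider_id: int
    payment_methods: dict   # method ID -> label, as stored on the rider's account


# Constructed sample account with two registered payment methods.
RIDERS = {
    7: Rider(rider_id=7, payment_methods={"pm_visa_4242": "Visa ending 4242", "cash": "Cash"}),
}


def request_ride_vulnerable(rider_id, payment_method_id):
    """Accepts whatever method ID the client sends; validation is deferred."""
    rider = RIDERS[rider_id]
    return {"rider_id": rider.rider_id, "payment_method_id": payment_method_id}


def request_ride_fixed(rider_id, payment_method_id):
    """Fail closed at request time: the ID must be one of the rider's own
    registered methods. Returns the trip, or None if the request is rejected."""
    rider = RIDERS[rider_id]
    if payment_method_id not in rider.payment_methods:
        return None
    return {"rider_id": rider.rider_id, "payment_method_id": payment_method_id}


def settle_trip_vulnerable(trip, fare_cents):
    """Fail open: an unknown method means no charge, and the trip still closes."""
    rider = RIDERS[trip["rider_id"]]
    if trip["payment_method_id"] not in rider.payment_methods:
        return {"status": "completed", "charged_cents": 0}
    return {"status": "completed", "charged_cents": fare_cents}


def settle_trip_fixed(trip, fare_cents):
    """Fail closed: an unknown method never yields a free, completed trip; the
    fare is carried as an outstanding balance instead."""
    rider = RIDERS[trip["rider_id"]]
    if trip["payment_method_id"] not in rider.payment_methods:
        return {"status": "payment_failed", "charged_cents": 0, "outstanding_cents": fare_cents}
    return {"status": "completed", "charged_cents": fare_cents, "outstanding_cents": 0}


if __name__ == "__main__":
    trip = request_ride_vulnerable(7, "abc")
    print("vulnerable:", settle_trip_vulnerable(trip, 1500))
    print("fixed request:", request_ride_fixed(7, "abc"))
    print("fixed settle:", settle_trip_fixed(request_ride_fixed(7, "pm_visa_4242"), 1500))
```

Two layers are deliberate: rejecting the request early stops the ride from being dispatched on an unbillable method at all, and the settlement path still refuses to mark a trip complete with a zero charge, so a bypass of the first check cannot turn into a free ride.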