by harshjaiswal · Published March 27, 2016 · Updated April 12, 2016
Badoo Account Takeover – Bug Bounty POC
Note that this article was written by Harsh Jaiswal, and any mistake in it is his alone. We allow you to write articles on our blog as a guest/contributor so that others may learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post easily.
Thanks Bharat & Behroz for this awesome platform. I'm a newbie; soon I'll share my other 2 FB issues, worth $3000 in total.
Hey everyone! Today I want to share my finding on Badoo: I could take over anyone's account just by giving him/her a malicious link.
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world according to Alexa Internet, as of April 2014. The website operates on a freemium model: to gain extra features, a user pays a fee or allows Badoo to email all of his/her friends.
Firstly I want to thank my friend Rudra, who always motivates me. He gave me a simple link and I got an account takeover out of it.
The bug was very simple: it relies on a CSRF and a token misconfiguration. And it was only valid for
When we import photos from Facebook or Instagram, the request has no anti-CSRF token, and the Facebook token generated via Badoo was valid for every user. So I can give a user a link to import photos from my own Facebook account; if the user clicks OK, the photos will be imported into their account.
But how did I get a takeover here?
The thing I noticed was that the generated link could replace the user's linked FB account with the attacker's FB account, and the best part was that the user only needed to visit the link; no clicking Cancel or OK was required.
Now an attacker can log in via FB, fully take over the account, and access all of the victim's chats, private photos and everything else.
The bug was patched within 2 days of the initial report. The reward ($850) was quite a bit less than I expected.
Steps to reproduce:
1- Create two Badoo accounts, 'attacker' and 'victim', and link two different FB accounts to them.
2- Log in as 'attacker', go to import photos via FB, and copy the link from the URL bar.
3- Now log in as 'victim' in a different browser, open the link, and click Cancel.
4- The FB account of 'victim' has been replaced with the FB account of 'attacker' (and removed from 'attacker').
5- Log in via the attacker's FB account and you will be logged in to the 'victim' profile.
Congrats, you just hacked the victim's account.
Suppose we have an attacker account 'A' with Facebook account 'FB-of-A' linked, and a victim account 'B' with 'FB-of-B' linked. The attacker generates a link to import photos from his Facebook and gives it to victim 'B'. B opens it and presses Cancel, but this has already changed his linked FB account from 'FB-of-B' to the attacker's 'FB-of-A'. The attacker can now log in with his own Facebook account into the victim's Badoo account.
I could chat with my victim on Badoo and have his/her account hacked within 5 minutes.
09 March: Reported
10 March: Bounty awarded, 850 USD
11 March: Bug patched
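The flaw and its fix, as an added example that is not Badoo's code or the author's: a constructed in-memory model of a "link Facebook account" flow. The `fb_id` query parameter stands in for the Facebook token the page describes, and the account names and `site.example` URL are assumptions. In the vulnerable flow the link carries nothing that ties it to the session that generated it, so whichever logged-in session opens it gets relinked (the relink happens on visit, matching the page's observation that no click was needed). The hardened flow binds the link to the initiating session with a single-use, per-session state nonce, which is the standard anti-CSRF pattern for social-login and account-linking callbacks.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Account:
    username: str
    linked_fb_id: Optional[str] = None  # FB identity allowed to log in as this account


class SocialLinkService:
    """In-memory stand-in for a site's sessions, accounts and FB links (constructed model)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}    # username -> Account
        self.sessions: dict[str, str] = {}        # session cookie -> username
        self.pending_state: dict[str, str] = {}   # session cookie -> state nonce (hardened flow)

    def create_account(self, username: str, fb_id: Optional[str] = None) -> None:
        self.accounts[username] = Account(username, fb_id)

    def login(self, username: str) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def login_with_facebook(self, fb_id: str) -> Optional[str]:
        """'Login via FB': whichever account has this FB identity linked gets the session."""
        for acc in self.accounts.values():
            if acc.linked_fb_id == fb_id:
                return acc.username
        return None

    def _relink(self, username: str, fb_id: str) -> None:
        # One FB identity can be linked to one account only, so the link is moved; this is
        # why the page reports the attacker's own FB link disappearing after the attack.
        for acc in self.accounts.values():
            if acc.linked_fb_id == fb_id:
                acc.linked_fb_id = None
        self.accounts[username].linked_fb_id = fb_id

    # ---- vulnerable flow: the link names the FB side but not the session that asked for it ----
    def start_link_vulnerable(self, fb_id: str) -> str:
        return f"https://site.example/link_fb?fb_id={fb_id}"

    def visit_link_vulnerable(self, cookie: str, url: str) -> bool:
        fb_id = parse_qs(urlparse(url).query)["fb_id"][0]
        self._relink(self.sessions[cookie], fb_id)   # whoever opens the link gets relinked
        return True

    # ---- hardened flow: a per-session nonce ties the link to the session that requested it ----
    def start_link_hardened(self, cookie: str, fb_id: str) -> str:
        state = secrets.token_urlsafe(32)
        self.pending_state[cookie] = state
        return f"https://site.example/link_fb?fb_id={fb_id}&state={state}"

    def visit_link_hardened(self, cookie: str, url: str) -> bool:
        params = parse_qs(urlparse(url).query)
        presented = params.get("state", [""])[0]
        expected = self.pending_state.pop(cookie, None)   # single use
        if expected is None or not secrets.compare_digest(presented, expected):
            return False   # link was not generated from this session: treat as CSRF, no relink
        self._relink(self.sessions[cookie], params["fb_id"][0])
        return True


def run_attack(hardened: bool) -> dict:
    """Replays the page's steps 1-5 against one flow and reports who 'FB-of-A' now logs in as."""
    svc = SocialLinkService()
    svc.create_account("attacker", "FB-of-A")
    svc.create_account("victim", "FB-of-B")
    attacker = svc.login("attacker")
    victim = svc.login("victim")                      # different browser, own session cookie
    if hardened:
        url = svc.start_link_hardened(attacker, "FB-of-A")   # attacker copies link from URL bar
        accepted = svc.visit_link_hardened(victim, url)      # victim opens it
    else:
        url = svc.start_link_vulnerable("FB-of-A")
        accepted = svc.visit_link_vulnerable(victim, url)
    return {
        "accepted": accepted,
        "fb_of_a_logs_in_as": svc.login_with_facebook("FB-of-A"),
        "victim_linked_to": svc.accounts["victim"].linked_fb_id,
    }


def run_legitimate_link() -> bool:
    """The hardened flow still works when the same session starts and completes the link."""
    svc = SocialLinkService()
    svc.create_account("victim", "FB-of-B")
    victim = svc.login("victim")
    return svc.visit_link_hardened(victim, svc.start_link_hardened(victim, "FB-of-B2"))


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))   # FB-of-A now logs in as 'victim'
    print("hardened:  ", run_attack(hardened=True))    # rejected, victim still linked to FB-of-B
```

Running it shows the vulnerable flow hand the victim's account to 'FB-of-A' after a single visit, while the hardened flow rejects the foreign link because the nonce in the URL was issued to the attacker's session, not the victim's. The nonce is popped on first use so a replayed or leaked link cannot be reused, and comparison is constant-time.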