by harshjaiswal · Released March 27, 2016 · Updated April 12, 2016
Badoo Account Takeover – Bug Bounty POC
Thanks Bharat & Behroz for this awesome platform. I'm a newbie; soon I'll share my other 2 FB bugs, total worth $3000.
Hey everyone out there! Today I want to share my finding on Badoo: I was able to take over any user's account by giving him/her a poisonous link.
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The website operates on a freemium model. To gain additional features, a user can pay a fee or allow Badoo to email all his or her contacts.
Firstly I want to thank my friend Rudra, who always inspires me. He gave me a simple link and I pulled an account takeover out of it.
The bug was really simple: it works on a CSRF & a token misconfiguration. And only valid for
When we import photos from Facebook or Instagram, the request has no anti-CSRF token, and the FB import token generated via Badoo is valid for every user. So I can give a link from my FB account to a user to import photos; if the user clicks OK, the photos are imported to his profile.
But how did I get a takeover here?
The thing I noticed was that the generated link can replace a user's linked FB account with the attacker's FB account, and the best part was that the user only needs to visit the link: no cancel or OK click required.
Now an attacker can log in via FB and fully take over the account, with access to all their chats, private photos and everything else.
The bug was patched within 2 days of the initial report. The reward ($850) is pretty far from my expectation.
Steps to reproduce:-
1- Create two Badoo accounts, attacker & victim, and link 2 different FB accounts to each.
2- Log in as 'attacker', go to import photos via FB and copy the link from the address bar.
3- Now log in as 'victim' in a different browser, open the link and click cancel.
4- The FB account of 'victim' is replaced with the FB account of 'attacker' (and removed from the 'attacker' one).
5- Log in via the attacker's FB profile and you will be logged in to the 'victim' account.
Congrats, you just hacked the victim's profile.
Suppose you have an attacker account 'A' with FB account 'FB-of-A' linked, and a victim account 'B' with FB account 'FB-of-B' linked. The attacker now creates a link to import photos from his FB and gives it to victim 'B'. 'B' opens it and clicks cancel, but this has already changed his FB account 'FB-of-B' to the attacker's FB account 'FB-of-A'. Now the attacker can log in with his FB profile to the victim's Badoo account.
I can chat with my victim on Badoo and have his or her account hacked in five minutes.
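The root cause and its fix, as an added example that is neither Badoo's code nor the author's: the weak pattern issues an import/link token that proves only that the server minted it, so a link copied from the attacker's session verifies just as well in the victim's session; the hardened pattern binds the token to the session that requested it, gives it a lifetime, and consumes it on first use. Function names, the in-memory nonce store and the server secret are assumptions for this demo.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key (constructed for this demo)
_issued = {}  # nonce -> (session_id, expiry); hypothetical single-use store


def weak_issue_link_state():
    # Vulnerable pattern: the MAC proves the server issued the token, but nothing
    # ties it to the browser session that will later follow the link.
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def weak_verify_link_state(state, session_id):
    # session_id is never consulted, so a token minted in the attacker's
    # session passes when the victim's browser presents it.
    nonce, _, mac = state.partition(".")
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def issue_link_state(session_id, ttl=600, now=None):
    # Hardened pattern: MAC over (session, nonce, expiry) and record the nonce
    # so it can only be redeemed once, by the session that asked for it.
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    expiry = now + ttl
    msg = f"{session_id}:{nonce}:{expiry}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    _issued[nonce] = (session_id, expiry)
    return f"{nonce}.{expiry}.{mac}"


def verify_link_state(state, session_id, now=None):
    now = int(time.time()) if now is None else now
    try:
        nonce, expiry_str, mac = state.split(".")
        expiry = int(expiry_str)
    except ValueError:
        return False
    record = _issued.pop(nonce, None)  # single use: consumed even on failure
    if record is None or record[0] != session_id or now > expiry:
        return False
    msg = f"{session_id}:{nonce}:{expiry}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

The same binding applies to the OAuth `state` parameter on the Facebook callback: it must be generated per session and checked against that session, and the account-link action should be a POST confirmed by the user, never a side effect of loading a GET URL.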
09 March: Reported
10 March: Bounty awarded, 850 USD
11 March: Bug patched