Today I will share a security issue I found on WeTransfer. WeTransfer runs a paid bug-bounty program on Zerocopter, so I started testing their sites. While brute-forcing wetransfer.com with the DIRB script I found some directories that redirected users to a Medium publication link. Those directories looked like this:
https://wetransfer.com/blogger (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferger')
https://wetransfer.com/bloggers (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfergers')
https://wetransfer.com/blogindex (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferindex')
https://wetransfer.com/blogs (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfers')
https://wetransfer.com/blogspot (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferspot')
https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_ajax')
https://wetransfer.com/blog_inlinemod (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_inlinemod')
https://wetransfer.com/blog_report (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_report')
https://wetransfer.com/blog_search (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_search')
https://wetransfer.com/blog_usercp (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_usercp')
When I visited the location link https://medium.com/wetransferger I got an error like the one in the screenshot below.
I then went to https://medium.com/me/publications and created a new publication with the same name, wetransferger. The publication link was now under my control, and I was able to place anything on the publication, as in the screenshot below.
Now whenever a user visits https://wetransfer.com/blogger, they are taken to my Medium publication. I was able to claim 5 unclaimed publications. All the others were not exploitable because they used an underscore (_) in the Medium link, and Medium does not allow an underscore in a publication link. I reported this issue to the WeTransfer bug bounty program and they rewarded me with 100 Euro + a 1-year WeTransfer Plus account.
Conclusion: if you use Medium publication links on your site, make sure every one of them is valid and claimed by you.
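As an added example (not code from the original post), here is a small Python audit that parses DIRB output in the two-line format quoted above, keeps the redirects that land on medium.com, and flags any publication that returns 404 as claimable, applying the underscore rule described in the post. The sample DIRB lines, the example.com names and the status table are constructed; a real run would request each Medium target instead of reading from the table.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the two-line DIRB format quoted in the post.
DIRB_OUTPUT = """\
https://example.com/blogger (CODE:301|SIZE:0)
(Location: 'https://medium.com/exampleger')
https://example.com/blog_ajax (CODE:301|SIZE:0)
(Location: 'https://medium.com/example_ajax')
https://example.com/blog (CODE:301|SIZE:0)
(Location: 'https://medium.com/example')
"""
# Constructed stand-in for live HTTP status codes (a real audit would fetch each target).
MEDIUM_STATUS = {
    "https://medium.com/exampleger": 404,    # unclaimed: registrable by anyone
    "https://medium.com/example_ajax": 404,  # unclaimed, but '_' is not a valid slug
    "https://medium.com/example": 200,       # claimed: nothing to do
}
RESULT_RE = re.compile(r"^(?P<url>\S+) \(CODE:(?P<code>3\d\d)\|SIZE:\d+\)$")
LOCATION_RE = re.compile(r"^\(Location: ['\u2018\u2019]?(?P<target>[^'\u2018\u2019)]+)")

def parse_redirects(dirb_text):
    # Pair each 3xx result line with the "(Location: ...)" line that follows it.
    lines = dirb_text.splitlines()
    pairs = []
    for i, line in enumerate(lines[:-1]):
        m = RESULT_RE.match(line)
        loc = LOCATION_RE.match(lines[i + 1]) if m else None
        if loc:
            pairs.append((m.group("url"), loc.group("target")))
    return pairs

def audit(dirb_text, status_of):
    # Classify every redirect into medium.com; status_of(url) returns its HTTP status.
    findings = []
    for source, target in parse_redirects(dirb_text):
        parsed = urlparse(target)
        slug = parsed.path.strip("/").split("/")[0]
        if parsed.netloc.lower() != "medium.com" or not slug:
            continue
        if status_of(target) != 404:
            verdict = "ok: publication exists"
        elif "_" in slug:
            verdict = "dead link: Medium does not allow '_' in a publication slug"
        else:
            verdict = "TAKEOVER RISK: unclaimed publication, claim it or remove the redirect"
        findings.append((source, target, verdict))
    return findings
```

Run `audit(DIRB_OUTPUT, MEDIUM_STATUS.get)` to get one (source, target, verdict) tuple per redirect; only the first constructed entry is reported as a takeover risk.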
Thanks For Reading.
4 Responses
That’s a great point
Thanks very interesting blog!
Thanks a lot for your feedback 😀
I was just telling my friend about that.