Categories
Bug Bounty

IDOR Leads To Leak Any Uber Eats Restaurant Analytics

Hi fellow Hackers,
First of all, Ramadan Kareem! Wishing everyone a very happy Ramadan. Today I will write about an Insecure Direct Object Reference (IDOR) vulnerability that I recently discovered in Uber Eats Restaurant.

The Uber Eats Restaurant web application at https://restaurant.uber.com/ uses GraphQL. Back in March, I was collaborating on an Uber report with Sifat Bhai. On that engagement he discovered an IDOR in GraphQL that leaks data of other restaurants, but the leaked data did not contain anything sensitive enough to make a report on. So I decided to take a closer look at that functionality.

Issue Background: In the Uber Eats for Restaurant dashboard there is an Analytics option where store owners can see their restaurant's analytics for the last 12 months. The analytics endpoint looks like https://restaurant.uber.com/v2/home/{locationUUIDs}/analytics/sales, where multiple GraphQL requests pull all the data and the web page renders it into a readable view. I noticed that all of those requests contain a locationUUIDs parameter like "locationUUIDs":["0292a209-df33-496b-b65b-192c86603d48"], where 0292a209-df33-496b-b65b-192c86603d48 is the locationUUIDs value of my own test account. When I changed the locationUUIDs value to another account's value, the response still came back with JSON data in the body, which caught my attention. But the raw response body on its own is not very helpful, as it is not properly readable; to read the data it has to be parsed through the web page.
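The root cause of this class of bug, shown as an added illustration that is not Uber's code: a resolver for the analytics query that trusts the caller-supplied locationUUIDs list and never checks ownership, beside one that authorizes every element of the list against the caller's account. The account names, the second UUID and the analytics numbers are constructed; the first UUID is the test-account value quoted above.

```javascript
// Added example, not Uber's code. Models the GraphQL resolver behind the
// analytics page: a vulnerable form that serves whatever locationUUIDs the
// client sends, and a hardened form that authorizes every element of the list.

// Constructed ownership table: which account each location belongs to.
const LOCATION_OWNERS = {
  "0292a209-df33-496b-b65b-192c86603d48": "account-A", // UUID quoted in the post
  "11111111-1111-4111-8111-111111111111": "account-B", // constructed
};

// Constructed per-location analytics in the shape the page would render.
const ANALYTICS = {
  "0292a209-df33-496b-b65b-192c86603d48": { currencyCode: "BDT", sales: 1200, orders: 40 },
  "11111111-1111-4111-8111-111111111111": { currencyCode: "USD", sales: 9800, orders: 310 },
};

// Vulnerable resolver: the caller's identity (ctx) is never consulted, so any
// UUID placed in the list is served. This is the IDOR described in the post.
function salesAnalyticsVulnerable(_ctx, args) {
  return args.locationUUIDs.map((id) => ({ locationUUID: id, ...ANALYTICS[id] }));
}

class AuthorizationError extends Error {}

// Hardened resolver: reject the whole request if ANY element of the list is not
// owned by the caller. A list parameter must be checked element by element, not
// just once per request. Unknown UUIDs get the same error as foreign ones, so
// the endpoint does not become an oracle for which UUIDs exist.
function salesAnalyticsAuthorized(ctx, args) {
  const foreign = args.locationUUIDs.filter((id) => LOCATION_OWNERS[id] !== ctx.accountId);
  if (foreign.length > 0) {
    // One log line per denied request is the detection signal for this bug
    // class: a single account requesting many locations it does not own.
    console.warn(`authz denied: account=${ctx.accountId} locationUUIDs=${foreign.join(",")}`);
    throw new AuthorizationError("not authorized for the requested locations");
  }
  return args.locationUUIDs.map((id) => ({ locationUUID: id, ...ANALYTICS[id] }));
}

// Stand-alone demonstration: account-A asks for account-B's location.
const demoCtx = { accountId: "account-A" };
const demoArgs = { locationUUIDs: ["11111111-1111-4111-8111-111111111111"] };
console.log("vulnerable resolver returns:", salesAnalyticsVulnerable(demoCtx, demoArgs));
try {
  salesAnalyticsAuthorized(demoCtx, demoArgs);
} catch (e) {
  console.log("hardened resolver:", e.message);
}
```

The Burp Match and Replace trick in the post works precisely because the vulnerable resolver never looks at `ctx`; with the hardened resolver every swapped UUID produces a denied request, and a spike of such denials from one account is what a detection rule should alert on.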

Automation with Burp: To let the web page do the parsing for me, I used Burp Suite's Match and Replace option.

  1. In Burp go to Proxy => Options => Match and Replace
  2. Click on Add and set up a rule like the screenshot below, where the Match value is my own restaurant's locationUUIDs and the Replace value is any other restaurant's locationUUIDs.

    [Screenshot: Match and Replace rule]

  3. I also added a rule like the screenshot below to change the currency from BDT to USD, so that all analytics are shown in USD.

    [Screenshot: currency Match and Replace rule]

Final Exploit

  1. Visit https://restaurant.uber.com and log in with a valid restaurant account username and password, completing any further authentication.
  2. Now set up Burp Suite with that browser and keep Intercept OFF.
  3. Visit https://restaurant.uber.com/v2/home/{victims_locationUUIDs}/analytics/sales
  4. All browser requests go through Burp, the Match and Replace rule replaces every locationUUIDs parameter value, and the page renders all of the data into a readable view.

    [Screenshots: Sales data, Sales by Item]

Impact

An attacker can access all analytics of a restaurant, which includes the ability to:

  • Choose a date range to see the analytics for that range.
  • View order analytics and, by clicking Download, download a CSV copy.
  • Track orders placed over time to monitor a restaurant's popularity.
  • Track ticket size over time to see if a restaurant is receiving larger orders.
  • Learn when a target store tends to generate most of its sales.
  • Learn when customers tend to place the most orders in a target restaurant.
  • Learn when customers tend to place the largest orders in a target restaurant.
  • See which items are a restaurant's top sellers.

To exploit a store, an attacker just needs its locationUUIDs parameter value, and I showed the Uber Security team a promising way to fuzz the value for any restaurant. This vulnerability was reported in report #1116387 under the Uber Bug Bounty Program and a $2,000 bounty was rewarded. Check out the video POC too.

Hope you guys enjoyed this one. 

#Stay_Home
#Stay_Safe
#Wash_Your_Hand_Frequently
#Hack_The_Planet🔥


How I earned 5040$ from Twitter by showing a way to Harvest other users IP address

Hi guys,
This is one of my old findings, which I am adding to my blog. Recently I disclosed a POC on how I was able to get any Vine user's sensitive information, including phone number, IP address, email and much more; that was reported to Twitter, they patched it and rewarded me 7560$. Those who missed it can read the original report here.

Today I am going to disclose another information disclosure vulnerability that I reported to the Twitter Security team through their bug bounty program on HackerOne, for which they rewarded me 5040$.

While testing Vine API endpoints I noticed that an endpoint used by the Vine repost mechanism has a parameter named "ipAddress" with a plain numeric value like 2130706433. We all know IP addresses look like 127.0.0.1, so the "ipAddress" value looked invalid. When I searched for it on Google I learned that the value is in fact valid: it is an IP address converted to long/decimal format. So I used an online converter tool and was able to get the real IP.

Vulnerable Endpoint: https://vine.co/api/timelines/users/<POST_ID>

Reproduce
  • To reproduce this issue the victim user has to have reposted a vine in their timeline, and a lot of Vine users have reposted many Vine posts in their timelines.
  • So copy a reposted vine's POST_ID, place it in the endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • When I visited the link I got a response like the one below (the sensitive contents were removed by the Twitter security team):
    "repost": {
      "username": "██████", "verified": 0, "vanityUrls": [], "created": "█████",
      "repostId": ████████, "avatarUrl": "██████", "userId": ████,
      "user": {
        "username": "█████████", "verified": 0, "vanityUrls": [], "avatarUrl": "█████████",
        "userId": ████, "private": 0, "location": █████████
      },
      "flags|platform_lo": 1, "postId": ███, "ipAddress": 2130706433, "flags|platform_hi": 1
    }
  • As you can see, the ipAddress parameter value is in converted form; just use the online tool I mentioned to convert it back to a valid IP address.

I reported this issue on Jan 26th and they paid me 5040$ for the report on Feb 25th.

[Image: 5040$ from Twitter]

Thanks for reading. Happy Hunting.


Vine User’s Private information disclosure

What is Vine?

Vine was an American social networking short-form video hosting service where users could share six or seven second-long, looping video clips. It was founded in June 2012; American microblogging website Twitter acquired it in October 2012, well before its official release on January 24, 2013.

Today I will write about a critical Insecure Direct Object Reference (IDOR) vulnerability leading to information disclosure, which allowed me to get any Vine user's sensitive information, including IP address, phone number and email.
I reported this bug to the Twitter Security team through their bug bounty program on HackerOne, and they rewarded me 7560$ for this report.

[Image: 7560$ reward from Twitter (Vine)]

Vine acknowledged this vulnerability in a post on the Vine blog, and HackerOne mentioned it in the HackerOne Zerodaily newsletter.

Vulnerable Endpoint: https://vine.co/api/users/profiles/<User_Id>

While testing Vine domains for something interesting, I noticed that this endpoint's response returned all of my account's information. I thought this was normal, as many sites have this type of endpoint that shows the logged-in user's information. So I thought, let's try to exploit it through CORS if it is misconfigured. But a CORS policy was in place. Then I changed the user ID value to a random number and was shocked to see someone else's user information in front of me. By changing the user_id value I was able to get all information about that Vine user.

Reproduce
  • Choose any user whose information you want and collect their User_ID.
  • Now place the User_ID in the https://vine.co/api/users/profiles/<User Id> endpoint and visit it.
  • You will get a response like the following in the body:
    {"code": "", "data": {"followerCount": 16271364, "includePromoted": 1, "captchaSucceeded": 0,
    "recordComment": null, "locale": "iUS", "shareUrl": "https://vine.co/████████", "hiddenPhoneNumber": 0,
    "notPorn": 0, "userId": █████████, "private": 0, "likeCount": null, "commentCount": null,
    "platforms": ["android", "ios"], "postCount": null, "profileBackground": "0x33ccbf", "suspended": null,
    "hiddenFacebook": 0, "verifiedEmail": 0, "explicitContent": 0, "dmcaStrikeCount": 0, "flaggedCount": 7579,
    "verified": 1, "loopCount": 6132344784,
    "avatarUrl": "http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr",
    "authoredPostCount": 598, "review_result_illegal_review": 0, "review_result_ok": 0, "review": null,
    "suspendedBy": null, "twitterId": ████████, "phoneNumber": "██████████", "location": "Los Angeles California",
    "notifyActivity": 1, "facebookConnected": 1, "explicitContentAdmin": 0, "statsTags": null, "hiddenEmail": 0,
    "unflaggable": 0, "username": "████████", "modified": "2017-01-29T01:24:00.000000", "userIdStr": "████████",
    "twitterIdStr": "████████", "vanityUrls": ["kingbach"], "remixDisabled": 0, "deleted": null, "categories": null,
    "released": 0, "loopVelocity": null,
    "strikeCounts": [{"count": 0, "strikeType": "SEVERE_POLICY_VIOLATION"}, {"count": 0, "strikeType": "DMCA"},
    {"count": 0, "strikeType": "SENSITIVE"}, {"count": 0, "strikeType": "POSSIBLY_ILLEGAL"},
    {"count": 0, "strikeType": "GRAPHIC_NON_VIOLATING"}, {"count": 0, "strikeType": "ESC"}],
    "uploadHD": 1, "verifiedPhoneNumber": 1, "hiddenTwitter": 0, "vineVerified": 1, "notifyMessages": 1,
    "needsPhoneVerification": 0, "repostCount": null, "twitterScreenname": "██████", "secondaryColor": "0x33ccbf",
    "twitterVerified": 1, "captchaRequired": 0, "edition": null, "acceptsOutOfNetworkConversations": 1,
    "disableAddressBook": 1, "description": "Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library",
    "escStrikeCount": 0, "review_result_explicit": 0, "notificationsLastViewed": "2016-04-26T21:03:35.000000",
    "email": "████████", "hideFromPopular": 0, "admin": 0, "contentReview": 0, "created": "2013-04-13T19:30:31.000000",
    "review_result_illegal_confirmed": 0, "followingCount": null, "lastLogin": "2016-12-13T23:29:40.000000",
    "escUser": 0, "ipAddress": "██████", "twitterConnected": 1}, "success": true, "error": ""}
  • Take a closer look at the response and you will find a lot of private information about the user [all of it was redacted by Twitter security, as it belongs to other users].
  • Some of the fields are:
    "platforms": ["android", "ios"]
    "flaggedCount": 7579
    "twitterId": "█████████"
    "phoneNumber": "█████"
    "location": "Los Angeles California"
    "modified": "2017-01-29T01:24:00.000000"
    "notificationsLastViewed": "2016-04-26T21:03:35.000000"
    "email": "█████████"
    "created": "2013-04-13T19:30:31.000000"
    "lastLogin": "2016-12-13T23:29:40.000000"
    "ipAddress": "█████"

Here even the ipAddress, email and phone number are disclosed, so an attacker could use this information to carry out malicious attacks on any Vine user, and could dump the information of every user.
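Both Vine findings above share one root cause: the API serializes the full user record, including fields that only the backend (ipAddress, flaggedCount, strike data) or only the account owner (email, phoneNumber, lastLogin) should ever see. The following added example is not Vine's or Twitter's code. It shows a field-allowlist projection for the profile endpoint and a small audit walker that scans any API response for the sensitive keys named in these two posts, decoding a long/decimal ipAddress such as the 2130706433 value from the repost endpoint on the way. The field names come from the responses quoted above; the sample record, user IDs and values are constructed.

```javascript
// Added example, not Vine's or Twitter's code. Field names are taken from the
// responses quoted in the two Vine posts; every value below is constructed.

// Fields anyone may see on a profile.
const PUBLIC_FIELDS = ["userId", "username", "verified", "avatarUrl", "followerCount",
  "authoredPostCount", "vanityUrls", "description"];

// Fields only the authenticated owner of the profile may see.
const OWNER_ONLY_FIELDS = ["email", "phoneNumber", "verifiedEmail", "verifiedPhoneNumber",
  "location", "platforms", "twitterId", "twitterScreenname", "notifyActivity",
  "notifyMessages", "lastLogin", "notificationsLastViewed"];
// Anything else in the record (ipAddress, flaggedCount, strikeCounts, review_*)
// is internal and is never serialized, whoever asks.

// Constructed profile record in the shape of the /api/users/profiles response.
const SAMPLE_PROFILE = {
  userId: 90001, username: "example_user", verified: 1,
  avatarUrl: "http://example.invalid/avatar.jpg", followerCount: 16271364,
  authoredPostCount: 598, vanityUrls: ["example_user"], description: "constructed sample",
  location: "Los Angeles California", platforms: ["android", "ios"], flaggedCount: 7579,
  twitterId: 12345, phoneNumber: "+10000000000", email: "user@example.invalid",
  created: "2013-04-13T19:30:31.000000", lastLogin: "2016-12-13T23:29:40.000000",
  ipAddress: "203.0.113.7", // constructed, documentation range
};

// Build the response from an allowlist chosen by who is asking; never by
// deleting known-bad keys from the full record, which misses new fields.
function projectProfile(record, requesterUserId) {
  const allowed = requesterUserId === record.userId
    ? PUBLIC_FIELDS.concat(OWNER_ONLY_FIELDS)
    : PUBLIC_FIELDS;
  const out = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(record, field)) out[field] = record[field];
  }
  return out;
}

// Long/decimal form of an IPv4 address back to dotted quad (2130706433 -> 127.0.0.1).
function longToIPv4(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) throw new RangeError("not an IPv4 long");
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Keys that must not appear in a response served to anyone but the owner.
const SENSITIVE_KEYS = new Set(["ipAddress", "email", "phoneNumber", "twitterId", "lastLogin",
  "notificationsLastViewed", "flaggedCount", "platforms", "location"]);

// Walk a decoded JSON response (objects nested in arrays nested in objects, as
// in the timeline response) and report every sensitive key with its path.
// Usable as a test fixture check or as a response-logging audit hook.
function auditResponse(value, path = "", findings = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => auditResponse(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEYS.has(key)) {
        const shown = key === "ipAddress" && typeof child === "number" ? longToIPv4(child) : child;
        findings.push({ path: childPath, value: shown });
      } else {
        auditResponse(child, childPath, findings);
      }
    }
  }
  return findings;
}

console.log("public view:", projectProfile(SAMPLE_PROFILE, 424242));
console.log("audit of timeline sample:",
  auditResponse({ repost: { username: "someone", ipAddress: 2130706433 } }));
```

Running the audit walker over the projection for a non-owner returns no findings, while running it over a response shaped like the repost endpoint flags `repost.ipAddress` and reports it as 127.0.0.1; a numeric encoding does not make an IP address any less personal data.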

This also affects Twitter users, as Vine users can log in to Vine services with their Twitter account. I found the same vulnerability on another bug bounty program, Edmodo's website.

Thanks for reading. Happy Hunting. 😀


External link warning page bypass in Zerocopter

Description:

zerocopter.com is a bug bounty platform for ethical hackers, just like HackerOne. In Zerocopter reports, users can use Markdown, and they are also allowed to include external links. If a user clicks an external link in a report, they are taken to an external-link warning page like the screenshot below.

[Image: Zerocopter external warning page]

But I was able to bypass the external warning page and redirect a user to an external link without any warning page by using the following Markdown:

<http:1249723505> 
[Click Me](http:1249723505)

Note: in the above Markdown, 1249723505 is the IP address of google.com [74.125.68.113] converted into long/decimal form using this tool.

Reproduce
  • In a report I used the Markdown [Click Me](http://google.com) and the response was:
    <a href="/external_redirect?href=http%3A%2F%2Fgoogle.com" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I used the Markdown [Click Me](http://74.125.68.113) and the response was:
    <a href="/external_redirect?href=http%3A%2F%2F74.125.68.113" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I thought, let's mess with the protocol, and changed the Markdown to [Click Me](http:/google.com), but still no bypass.
  • Then I was about to use [Click Me](http:google.com) but accidentally used [Click Me](http:google), forgetting the .com TLD at the end of the domain name, and I noticed some hope in the response:
    <a href="http%3Agoogle" rel="noreferrer" target="_blank" title="">Click Me</a>
  • By analyzing the behavior I realized that if I use a domain name like http:google, I can bypass the external warning page. Then I remembered the IP long/decimal encoding.
    So I used this tool to encode the google.com IP to long/decimal, the final Markdown became [Click Me](http:1249723505), and bingo 😎

    <a href="http%3A1249723505" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Now when a user clicks the link it takes them directly to google.com instead of the external warning page. I reported this to Zerocopter through their responsible disclosure page; they fixed it and sent me a cool T-shirt and stickers as a reward.
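The bypass works because the renderer decides "external or not" by looking at the raw link string, while the browser decides where to go by parsing it with the WHATWG URL algorithm, which accepts `http:1249723505` and canonicalizes the host to 74.125.68.113. The fix is to make the same decision the browser makes. The following is an added example, not Zerocopter's code: a naive string check that reproduces the behavior in the post beside a resolver that parses every link target against the site origin with Node's `URL` and wraps anything whose origin differs. The site origin and the `/external_redirect?href=` path are taken from the post; the helper names are mine.

```javascript
// Added example, not Zerocopter's code. Assumes the warning page lives at
// /external_redirect?href=<encoded url> on the site origin below.
const SITE_ORIGIN = "https://zerocopter.com";

// Naive check that mirrors the behavior the post describes: a target is treated
// as external only when it literally starts with http:// or https://.
// "http:google" and "http:1249723505" slip through unchanged.
function wrapExternalNaive(href) {
  return /^https?:\/\//i.test(href)
    ? `/external_redirect?href=${encodeURIComponent(href)}`
    : href;
}

// Hardened: resolve the target exactly as a browser would, then decide by
// origin. The parser normalizes "http:1249723505" to "http://74.125.68.113/",
// so the warning page is shown with the dotted address, not the decimal one.
function wrapExternal(href) {
  let url;
  try {
    url = new URL(href, SITE_ORIGIN);
  } catch (e) {
    return "#"; // unparseable target: render an inert link
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "#"; // javascript:, data:, etc. never become clickable hrefs
  }
  if (url.origin === SITE_ORIGIN) {
    return url.pathname + url.search + url.hash; // same-site link, no warning needed
  }
  return `/external_redirect?href=${encodeURIComponent(url.href)}`;
}

// The link targets tried in the post, plus two control cases.
const SAMPLES = [
  "http://google.com", "http://74.125.68.113", "http:/google.com",
  "http:google", "http:1249723505", "/reports/42", "javascript:alert(1)",
];
for (const target of SAMPLES) {
  console.log(target.padEnd(22), "naive:", wrapExternalNaive(target).padEnd(46), "hardened:", wrapExternal(target));
}
```

Note that the hardened wrapper reports `http://google.com/` with a trailing slash where the page's original response showed `http%3A%2F%2Fgoogle.com`; that is the parser's canonical form, and comparing canonical forms is exactly what removes the gap between what the renderer checks and where the browser navigates.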

[Image: Cool T-shirt and stickers as reward]

Thanks for reading. Hope this will be helpful for you guys.