Prial Islam

Publication Takeover PoC By Prial

Unclaimed Medium Publication takeover in WeTransfer

Today I will share a security issue I found in WeTransfer. WeTransfer runs a paid bug-bounty program on Zerocopter, so I started testing their sites. While brute-forcing wetransfer.com with DIRB, I found a set of paths that all redirected (HTTP 301) to Medium publication links. They looked like this:

    https://wetransfer.com/blogger (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferger')
    https://wetransfer.com/bloggers (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfergers')
    https://wetransfer.com/blogindex (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferindex')
    https://wetransfer.com/blogs (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfers')
    https://wetransfer.com/blogspot (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferspot')
    https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_ajax')
    https://wetransfer.com/blog_inlinemod (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_inlinemod')
    https://wetransfer.com/blog_report (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_report')
    https://wetransfer.com/blog_search (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_search')
    https://wetransfer.com/blog_usercp (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_usercp')

Note the pattern: every /blog* path is rewritten to medium.com/wetransfer* by swapping the prefix, which is why slugs that no publication ever used show up as targets. When I visited the first Location link, https://medium.com/wetransferger, Medium returned a 404, as in the screenshot below:

404 error on Medium (screenshot)

I then went to https://medium.com/me/publications and created a new publication with the same slug, wetransferger. The publication URL was now under my control and I could place anything on it, as in the screenshot below:

Publication takeover PoC (screenshot)

From that point on, any user visiting https://wetransfer.com/blogger is sent to my Medium publication. I was able to claim 5 of the unclaimed publications. The other 5 were not exploitable because their Medium link contained an underscore (_), and Medium does not allow underscores in publication slugs. I reported the issue to the WeTransfer bug bounty program and they rewarded me with 100 Euro plus a one-year WeTransfer Plus account.
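The triage described above (parse the DIRB hits, keep only targets on medium.com, drop slugs Medium would not accept, then confirm that the survivors return 404) as a script. This is an added example and not code from the original post. The sample input is the DIRB output quoted earlier in the post; the rule that Medium rejects underscores in publication slugs is the one the post reports. Only `slug_exists` touches the network, and it is injected so the rest can run offline.

```python
"""Find dangling Medium publication redirects in DIRB output (added example)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Sample input: the DIRB hits quoted in the post (quotes normalised to ASCII).
DIRB_OUTPUT = """
https://wetransfer.com/blogger (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferger')
https://wetransfer.com/bloggers (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfergers')
https://wetransfer.com/blogindex (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferindex')
https://wetransfer.com/blogs (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfers')
https://wetransfer.com/blogspot (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferspot')
https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_ajax')
https://wetransfer.com/blog_inlinemod (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_inlinemod')
https://wetransfer.com/blog_report (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_report')
https://wetransfer.com/blog_search (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_search')
https://wetransfer.com/blog_usercp (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_usercp')
"""

# DIRB prints a hit on one line ("+ " prefix in real runs) and "(Location: ...)" on the next.
HIT_RE = re.compile(r"^\+?\s*(?P<url>https?://\S+)\s+\(CODE:(?P<code>\d{3})\|SIZE:\d+\)$")
LOC_RE = re.compile(r"^\(Location:\s*[‘’'\"]?(?P<loc>https?://[^‘’'\")\s]+)")
MEDIUM_SLUG_RE = re.compile(r"^https?://medium\.com/(?P<slug>[^/?#]+)/?$")


@dataclass
class Redirect:
    source: str
    location: str
    slug: Optional[str]   # publication slug when the target is medium.com/<slug>
    claimable: bool       # slug passes Medium's rule (no underscore), per the post


def parse_dirb(output: str) -> list[Redirect]:
    """Pair each 3xx hit with the Location line that follows it."""
    redirects: list[Redirect] = []
    pending: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = HIT_RE.match(line)
        if hit:
            pending = hit.group("url") if hit.group("code").startswith("3") else None
            continue
        loc = LOC_RE.match(line)
        if loc and pending:
            target = loc.group("loc")
            slug_m = MEDIUM_SLUG_RE.match(target)
            slug = slug_m.group("slug") if slug_m else None
            redirects.append(Redirect(pending, target, slug, slug is not None and "_" not in slug))
            pending = None
    return redirects


def slug_exists(slug: str, timeout: float = 10.0) -> bool:
    """Live probe: True if medium.com/<slug> resolves, False on HTTP 404 (unclaimed).
    Network call; the offline test injects a fake instead."""
    req = urllib.request.Request(f"https://medium.com/{slug}",
                                 headers={"User-Agent": "redirect-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 400
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise  # 429/5xx are inconclusive, do not report them as takeovers


def dangling_slugs(output: str, exists: Callable[[str], bool] = slug_exists) -> list[str]:
    """Slugs a redirect points at that Medium would accept and that are not registered."""
    return [r.slug for r in parse_dirb(output) if r.claimable and not exists(r.slug)]


if __name__ == "__main__":
    for slug in dangling_slugs(DIRB_OUTPUT):
        print(f"takeover candidate: https://medium.com/{slug}")
```

Run it against a fresh DIRB scan of the target rather than the embedded sample; the underscore filter is what separates the 5 claimable slugs from the 5 unexploitable ones in the post, and the 404 probe is what confirms a candidate is actually unclaimed.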

WeTransfer's response (screenshot)

Conclusion: if your site redirects to Medium publication links, make sure every target is valid and claimed by you. A blanket rewrite rule (here, /blog* to medium.com/wetransfer*) produces targets that nobody owns, and any target that answers 404 on Medium can be registered by a stranger, who then receives your users.

Thanks For Reading.
