Prial Islam

Publication Takeover P0C By Prial

Unclaimed Medium Publication takeover in WeTransfer

Today I will share a security issue I found on WeTransfer. WeTransfer runs a paid bug-bounty program through Zerocopter, so I started testing their sites. While brute-forcing directories on wetransfer.com with DIRB, I found several paths that redirected users to Medium publication links. They looked like this:

    https://wetransfer.com/blogger (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferger')
    https://wetransfer.com/bloggers (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfergers')
    https://wetransfer.com/blogindex (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferindex')
    https://wetransfer.com/blogs (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfers')
    https://wetransfer.com/blogspot (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferspot')
    https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_ajax')
    https://wetransfer.com/blog_inlinemod (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_inlinemod')
    https://wetransfer.com/blog_report (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_report')
    https://wetransfer.com/blog_search (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_search')
    https://wetransfer.com/blog_usercp (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_usercp')

When I visited the location link https://medium.com/wetransferger, I got an error like the one in the screenshot below:

404 error on medium

Then I went to https://medium.com/me/publications and created a new publication with the same name, wetransferger. The publication link was now under my control and I could place anything on it, as in the screenshot below:

Publication Takeover P0C By Prial

Now whenever a user visits https://wetransfer.com/blogger, they are taken to my Medium publication. I was able to claim 5 unclaimed publications. The others were not exploitable because their Medium links contained an underscore (_), which Medium does not allow in a publication link. I reported this issue to the WeTransfer bug bounty program and they rewarded me with 100 Euro + a 1-year WeTransfer Plus account.

WeTransfer's response

Conclusion: If you link Medium publications from your site, make sure each link is valid and the publication is claimed by you.
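The check a site owner would want for the conclusion above is an audit of their own redirects: parse the DIRB-style output shown earlier, pick out targets that are Medium publication links, and flag any that return 404 (claimable by anyone) or that contain an underscore (dangling but, as the writeup notes, not claimable as a publication). The following is an added example, not code from the original post or from WeTransfer or Medium; the DIRB output it parses is a constructed sample modelled on the one above, and the `CONSTRUCTED_STATUS` table stands in for live HTTP responses so the script runs offline. The `http_status` helper is an optional live probe using only the standard library.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, NamedTuple, Optional
from urllib.parse import urlparse

# Constructed sample in DIRB's output style (modelled on the writeup, not a live scan).
SAMPLE_DIRB_OUTPUT = """\
https://wetransfer.com/blogger (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransferger')
https://wetransfer.com/blogs (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfers')
https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer_ajax')
https://wetransfer.com/blog (CODE:301|SIZE:0)
(Location: 'https://medium.com/wetransfer')
https://wetransfer.com/help (CODE:301|SIZE:0)
(Location: 'https://help.wetransfer.com/')
"""

# Constructed stand-in for live responses: 404 means the publication name is unclaimed.
CONSTRUCTED_STATUS = {
    "https://medium.com/wetransferger": 404,
    "https://medium.com/wetransfers": 404,
    "https://medium.com/wetransfer": 200,
}


class Redirect(NamedTuple):
    source: str
    location: str


# "https://host/path (CODE:301|SIZE:0)" followed by "(Location: '...')" on the next line.
# The Location quote may be straight or curly, as copied output often is.
ENTRY_RE = re.compile(r"^(\S+)\s+\(CODE:(\d+)\|SIZE:\d+\)$")
LOCATION_RE = re.compile(r"^\(Location:\s*['‘’\"]?(.+?)['‘’\"]?\)$")


def parse_dirb(text: str) -> List[Redirect]:
    """Pair each 3xx DIRB entry with the Location line that follows it."""
    redirects: List[Redirect] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            pending = m.group(1) if m.group(2).startswith("3") else None
            continue
        m = LOCATION_RE.match(line)
        if m and pending:
            redirects.append(Redirect(pending, m.group(1)))
            pending = None
    return redirects


def medium_publication_slug(url: str) -> Optional[str]:
    """Return the publication slug for https://medium.com/<slug>, else None.
    User profiles (medium.com/@name) and non-Medium hosts are not publications."""
    u = urlparse(url)
    if u.netloc.lower() not in ("medium.com", "www.medium.com"):
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 1 or parts[0].startswith("@"):
        return None
    return parts[0]


def audit(redirects: List[Redirect], status_of: Callable[[str], int]) -> Dict[str, str]:
    """Classify every redirect source. status_of(url) returns an HTTP status code."""
    verdicts: Dict[str, str] = {}
    for r in redirects:
        slug = medium_publication_slug(r.location)
        if slug is None:
            verdicts[r.source] = "not-medium"
        elif "_" in slug:
            # Per the writeup: Medium does not allow underscores in publication links,
            # so the target can never resolve, but nobody can claim it either.
            verdicts[r.source] = "dangling-unclaimable"
        elif status_of(r.location) == 404:
            verdicts[r.source] = "dangling-claimable"  # fix or remove this redirect first
        else:
            verdicts[r.source] = "ok"
    return verdicts


def http_status(url: str, timeout: float = 10.0) -> int:
    """Optional live probe (standard library only); not used by the offline run below."""
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    found = parse_dirb(SAMPLE_DIRB_OUTPUT)
    for source, verdict in audit(found, lambda u: CONSTRUCTED_STATUS.get(u, 200)).items():
        print(f"{verdict:22} {source}")
```

Run against real output, swap the lambda for `http_status`; anything reported as `dangling-claimable` is the case in this writeup and should be fixed (claim the publication or remove the redirect) before anyone else registers the name.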

Thanks For Reading.
