Hey InfoSec Community,

This one is the last account takeover I found and wanted to share about it. It was a good chain of IDOR with some recon and understanding of the application.

So it was a crypto mining web app and developed by a Russian solo developer. At first glance, the app seems very secure because the crypto withdrawal process was not a single-step process. They were verifying the person’s identity also.

So I straight tried to test account takeover even though the impact was just knowing the amount of crypto assets victims have.

POC

  1. Created two accounts with email and noted the primary key of both accounts which was UUID. …


Hi Info sec community

Been long time I am not active in bug bounty and security. Since beginning of my hacking interest, Facebook HOF always special to me. Here is story of how little recon and bit weird testing got me Facebook HOF 2020.

POC

  1. I used waybackurls by tomnomnom to get all the urls of facebook.com domain.
  2. I wanted URL with app_id parameter in url . So using grep i extracted them .

https://www.facebook.com/sharer?u=https%3A%2F%2Fgoogle.com

Above URL is Facebook common sharing endpoint for sharing anything like facebook profile , video and external urls.

Later one URL caught my attention from extracted url txt file. …


Whats App Admin Panel Takeover : https://translate-dev.whatsapp.com

old write-up : https://immukul.blogspot.com/2017/04/facebook-bypassing-prohibit-embedding.html
Image for post
Image for post

DESCRIPTION:-

Hi all,

This post is about vulnerability that i found on whatsapp translate website which can leads to expose users email id. I was able to approve translation also.

Fun part is that i got E-mail ids of whatsapp founders Brian Acton and Jan Koum too.

One day i was going through website https://dnsdumpster.com/ and i tried to find subdomains of https://whatsapp.net. I found bunch of sub domains, there was domain https://tsl102.whatsapp.net/ which redirects to https://translate-dev.whatsapp.com .

POC:-

I have an account on https://translate.whatsapp.com site. So i tried log in into my account on https://translate-dev.whatsapp.com


Image for post
Image for post
old write-up : https://immukul.blogspot.com/2017/04/facebook-bypassing-prohibit-embedding.html

Descriptions:-

In Facebook, when user upload a video. user have option to prohibit embedding. In short these videos can’t be used on third party website.

Poc:-

I used this html code to embed public facebook video.

<iframe src=”https://www.facebook.com/video/embed?video_id={Video_id}%2F&width=500&show_text=false&height=280&appId" width=”500" height=”280" style=”border:none;overflow:hidden” scrolling=”no” frameborder=”0" allowTransparency=”true”></iframe>

TIMELINE:-

27/01/17:- Bug Reported

28/01/17:- Bug Acknowledge
08/03/17:- Bug patched
16/03/17:- Bounty Awarded


Image for post
Image for post

Hi Infosec community,

In October month i was just searching for bug bounty programs through google dorks & I landed on this link .

I went through terms and conditions. I started hunting for bugs & within an hour i found account takeover bug.

Steps To Reproduce:

Victim email of tokopedia account: ezgcmmfgc@champmails.com
1. Go to the https://accounts.tokopedia.com/reset-password
2. Now type the victim account email id & click on continue button. After that select verification method email.
3. Now copy the full URL from address bar. Which look like https://accounts.tokopedia.com/otp/c/page?otp_type=132& email=ezgcmmfgc%40champmails.com&ld=https://account s.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t

4. Now in above URL. See there is password reset URL. Which start after “ld” parameter…

About

Mukul Lohar

lone warrior

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store