[Business Logic Bug]
Bypassing Nickname Feature


Summary:

Hello guys, this is my first time writing a blog, and sorry for my bad English :sweat_smile:

In the last 3 months I found a simple logic bug in one of the public programs on Bugcrowd, which let me change the nickname given to me to any nickname I want. During account creation, a nickname is already assigned to my account, and it is designed to be unchangeable. However, I noticed that when changing the details of my account, they used JSON format. My guessing instinct was so accurate :laughing: I tried adding a Nickname parameter, thinking: what if I make a request with the nickname parameter added and see if the nickname changes? The JSON request with the nickname parameter was accepted in the response. Boom! I could bypass the restriction and change my nickname to whatever I want.

Proof of Concept

  1. Create/signup an account here: https://<redacted>.com
  2. Assuming we have already created an account, now go to https://<redacted>.com/account and edit your details.
  3. Intercept the request and append this parameter called Nickname

Original Request

{"name":{"given":"redacted","family":"redacted"},"location":"redacted","bio":"redacted","phone_number":"redacted"}

Edited Request

{"name":{"given":"redacted","family":"redacted"},"Nickname":"BypassedNickname","location":"redacted","bio":"redacted","phone_number":"redacted"}
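
The root cause behind the two requests above is an update handler that merges whatever keys the client sends. The following is an added example, not code from the original post or the affected program: it contrasts that pattern with an allowlist-based handler. The function names, the stored-account layout and the case-insensitive key matching are assumptions, since the write-up does not show the server side.

```python
# Added illustration: the server code is not shown in the write-up; all names are hypothetical.
import json

# Fields the profile-edit form is meant to change (taken from the original request).
EDITABLE = {"name", "location", "bio", "phone_number"}


def update_profile_vulnerable(account: dict, body: str) -> dict:
    """Merges every key the client sends, so read-only fields can be overwritten."""
    updated = dict(account)
    for key, value in json.loads(body).items():
        updated[key.lower()] = value  # assumed: keys are matched case-insensitively
    return updated


def update_profile_hardened(account: dict, body: str) -> dict:
    """Applies only allowlisted fields and rejects anything else."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("request body must be a JSON object")
    unexpected = sorted(k for k in data if k.lower() not in EDITABLE)
    if unexpected:
        # Rejecting (rather than silently dropping) leaves a signal that can be logged.
        raise ValueError(f"read-only or unknown fields: {unexpected}")
    updated = dict(account)
    updated.update({k.lower(): v for k, v in data.items()})
    return updated


# Constructed sample data mirroring the two requests in the write-up.
ACCOUNT = {"nickname": "AssignedNickname", "bio": "old"}
ORIGINAL = '{"name":{"given":"a","family":"b"},"location":"x","bio":"new","phone_number":"1"}'
EDITED = ('{"name":{"given":"a","family":"b"},"Nickname":"BypassedNickname",'
          '"location":"x","bio":"new","phone_number":"1"}')

if __name__ == "__main__":
    print(update_profile_vulnerable(ACCOUNT, EDITED)["nickname"])  # nickname overwritten
    print(update_profile_hardened(ACCOUNT, ORIGINAL)["nickname"])  # nickname unchanged
    try:
        update_profile_hardened(ACCOUNT, EDITED)
    except ValueError as exc:
        print("rejected:", exc)
```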

Timeline

Title of Report: Bypassing Nickname Feature https://<redacted>.com
Date of Report: 11 May 2019 04:43:41 UTC
Date Resolved: 05 June 2019 12:53:44 UTC
Bounty Paid: $50

I hope you enjoy this write-up, and always remember: think outside the box! Thanks

Kent Bayron
