Monday, May 23, 2016

Authentication/Authorization Flaw in "askmebazaar.com"

Creating an account with a non-existent name. This is a POC. Askmebazaar.com - POC - no validation/authentication code.
 
In the last two months I discovered and reported a lot of bugs on a lot of different websites, including major e-commerce sites. Last month I posted about the Justdial.com bug, and this month I am sharing my experience with Askmebazaar.com.
 

Note: Being a responsible software engineer/security researcher, I reported the issue to AskMe and it is patched now.
 
What was the security flaw?
The first flaw was logical this time: no authentication/validation code. Yes, the developers were too lazy to implement a verification module. Anyone could register on Askmebazaar.com with a fake ID and log in to that account without verifying their email or mobile. Great, isn't it? I made a few too ;)
 
I am logged in with my fake email: Hey24sheep@vulnerableAskMeBazaar.com
As you can see, I created a fake email in the first image and logged into my account using the same email ID.
 
What is the use of this fake account, you may ask?
Well, this fake account gave us access to the Order List. Isn't it great that you can get access to other people's order lists using a fake account, without even doing any injections or anything? All those orders were cancelled orders, though, but it is still something that can give access to more injection points.
 
The second flaw was that you could hijack other users' accounts using "Forget Password" and change their email and everything. When there is no verification, that means there will be no verification in resetting either. Anyone who knew someone's email ID could go to "Forget Password", enter the victim's email ID, and their servers gave access to the Change Password page without any verification. To verify this I created another fake account but, stupid of me, I forgot to take a snap of the Change Password screen. I hate myself :(.
 
Fake account before hijacking

After I changed the password I could change the email and everything.
So this is it, guys: another logical flaw in coding which created a serious privacy issue. AskMe has fixed this issue and created an all-new login and register page which uses only OTP and mobile (I don't think they know how to verify emails, lol).
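As an added example (not the author's code and not AskMe's implementation), here is what the missing verification looks like in a minimal Python account service: registration creates an account that stays unverified until a mailed token activates it, and the Change Password step behind "Forget Password" is reachable only with a single-use, expiring token mailed to the account's address, so knowing a victim's email ID alone gets an attacker nothing. The class name, the `purpose` tags and the in-memory outbox are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a mailed token stays valid

class AccountService:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}    # email -> {"password": str, "verified": bool}
        self.pending = {}  # sha256(token) -> (email, purpose, expires_at)
        self.outbox = []   # constructed stand-in for e-mail delivery

    def _issue(self, email, purpose):
        # The token leaves the server only through the account's mailbox.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, purpose, self.now() + TOKEN_TTL)
        self.outbox.append((email, purpose, token))

    def _consume(self, email, token, purpose):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use, valid or not
        # Token must be bound to this email and purpose, and still be fresh.
        return (entry is not None and hmac.compare_digest(entry[0], email)
                and entry[1] == purpose and self.now() <= entry[2])

    def register(self, email, password):
        # The account exists but stays unverified until the mailbox is proven.
        self.users[email] = {"password": password, "verified": False}
        self._issue(email, "verify")

    def verify_email(self, email, token):
        ok = self._consume(email, token, "verify")
        if ok:
            self.users[email]["verified"] = True
        return ok

    def request_reset(self, email):
        # Same reply whether or not the address exists, so nothing is leaked.
        if email in self.users:
            self._issue(email, "reset")
        return "If that address is registered, a reset link has been sent."

    def reset_password(self, email, token, new_password):
        ok = self._consume(email, token, "reset")
        if ok:
            self.users[email]["password"] = new_password  # hash in production
        return ok
```

The same token pattern covers both flaws from the post: `verify_email` gates the fake-ID registration, and `reset_password` gates the "Forget Password" flow.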
 
I want you guys to know that I emailed and tweeted AskMe for a month to let them know that there was a flaw, and I didn't get any reply: no emails, no calls, no thank-you email, nothing. But they did fix it, without letting me know or updating me, not even a courteous thank-you email, call or tweet.
 
People should learn to give credit and respect instead of forcing good white hats to go black hat.

You can hire me for full-time/freelance custom software/web development, security analysis and graphic design work.

Follow me on @MRKN_Destroy
Email me at: hey24sheep@gmail.com.

Check my wonderful FREE app for the Deaf and Mute:
Text Is Speech and Text Is Speech Pro (search for "NEETTECH")
Android: https://goo.gl/iqF4nW
Windows: https://goo.gl/jOf6sX
Windows (Pro version, paid): https://goo.gl/e1l637
 
