by harshjaiswal · Posted March 27, 2016 · Updated April 12, 2016
Badoo Account Takeover – Bug Bounty POC
Note that this blog post was written by Harsh Jaiswal, and any mistake in it is his alone. We let anyone write articles on our blog as a guest/contributor so that others can learn too. If you're interested in sharing your findings through the Bug Bounty POC platform, just register on the website and you can post freely.
Thanks Bharat & Behroz for this amazing platform. I'm a beginner; soon I'll share my 2 more FB bugs, worth a total of $3000.
Hey everyone out there! Today I want to share my finding on Badoo, through which I could take over anyone's account by sending him/her a malicious link.
Badoo is a dating-focused social network service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site operates on a freemium model. To gain extra features, a user pays a fee or allows Badoo to e-mail all of his/her friends.
First of all I want to thank my friend Rudra, who always encourages me. He gave me a simple link and I pulled an account takeover out of it.
The bug was really simple; it works through a CSRF and a token misconfiguration. And it is only valid for
When we import photos from Facebook or Instagram, the request lacks any anti-CSRF token, and the Facebook token generated via Badoo is valid for every user. So I can craft a link that imports photos from my own Facebook account and send it to a user; if the user clicks OK, the photo will be imported into his account.
But how did I get an account takeover from this?
The thing I noticed is that the generated link replaces the user's linked FB account with the attacker's FB account, and the best part is that the user only needs to open the link: no Cancel or OK click is required.
Now the attacker can log in via FB, fully take over the account, and access all of the victim's chats, private photos and everything else.
The bug was patched within 2 days of the initial report. The reward ($850) was quite a bit less than I expected.
Steps to reproduce:
1 - Create two Badoo accounts, 'attacker' and 'victim', and link 2 different FB accounts, one to each.
2 - Log in as 'attacker', go to import photos via FB, and copy the link from the address bar.
3 - Now log in as 'victim' in a different browser, open the link, and click Cancel.
4 - The FB account of 'victim' is replaced with the FB account of 'attacker' (and removed from 'attacker').
5 - Log in via the attacker's FB account and you will be logged in to the 'victim' account.
Congrats, you just hacked the victim's account.
A little more explanation
Suppose an attacker 'A' has an account with FB linked, which is 'FB-of-A', and a victim 'B' has an account with FB linked, which is 'FB-of-B'. Now the attacker generates a link to import photos from his FB and sends it to victim 'B'. B opens it and hits Cancel, but the link has already changed his FB account 'FB-of-B' to the attacker's FB account 'FB-of-A', and now the attacker can log in with his FB account to the victim's Badoo account.
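The flow from the steps and the explanation above, reduced to a runnable model. This is an added example, not Badoo's code or the author's: a hypothetical LinkingService with an in-memory session table, a vulnerable /import/facebook callback that links whatever fb_token the URL carries to whichever session presents it (and moves that Facebook account away from any other user, as in step 4), and a hardened version that mints a one-time state bound to the session that started the import and refuses to silently overwrite an existing link. The account names A and B, the FB-of-A / FB-of-B identifiers, the URL path and the parameter names are assumptions for illustration.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit


class LinkingService:
    """Toy model of a site that links a Facebook account to the logged-in user
    when its 'import photos from Facebook' callback is hit. Hypothetical; not Badoo's code."""

    def __init__(self):
        self.sessions = {}   # session cookie -> site username
        self.fb_link = {}    # site username -> linked Facebook account id
        self.pending = {}    # one-time state -> cookie that started the import (hardened flow)

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def attach(self, user, fb_id):
        # One Facebook account maps to one site account, so linking moves it.
        for other, linked in list(self.fb_link.items()):
            if linked == fb_id:
                del self.fb_link[other]
        self.fb_link[user] = fb_id

    def login_via_facebook(self, fb_id):
        for user, linked in self.fb_link.items():
            if linked == fb_id:
                return user
        return None

    # Vulnerable flow: the URL carries only the Facebook token (modelled here as
    # the FB account id), nothing ties it to the session that started the import,
    # and the link takes effect on a plain GET before any OK/Cancel click.
    def vulnerable_import_url(self, fb_id):
        return "/import/facebook?" + urlencode({"fb_token": fb_id})

    def vulnerable_callback(self, cookie, url):
        user = self.sessions[cookie]  # whoever's browser opened the link
        fb_id = parse_qs(urlsplit(url).query)["fb_token"][0]
        self.attach(user, fb_id)
        return user

    # Hardened flow: the import is started by the user's own session, which mints a
    # one-time state bound to that session. The callback rejects any state not
    # issued to the presenting session and will not overwrite an existing link.
    def hardened_import_url(self, cookie, fb_id):
        state = secrets.token_urlsafe(16)
        self.pending[state] = cookie
        return "/import/facebook?" + urlencode({"fb_token": fb_id, "state": state})

    def hardened_callback(self, cookie, url):
        q = parse_qs(urlsplit(url).query)
        state = q.get("state", [""])[0]
        if self.pending.pop(state, None) != cookie:
            raise PermissionError("state was not issued to this session (CSRF?)")
        user = self.sessions[cookie]
        fb_id = q["fb_token"][0]
        if self.fb_link.get(user, fb_id) != fb_id:
            raise PermissionError("account already linked to a different Facebook account")
        self.attach(user, fb_id)
        return user


def run_scenario(hardened):
    """Replay the steps: A links FB-of-A, B links FB-of-B, A crafts the import
    link for his own Facebook account, B opens it while logged in as B."""
    svc = LinkingService()
    a_cookie = svc.login("A")
    b_cookie = svc.login("B")
    svc.attach("A", "FB-of-A")
    svc.attach("B", "FB-of-B")
    if hardened:
        link = svc.hardened_import_url(a_cookie, "FB-of-A")
        try:
            svc.hardened_callback(b_cookie, link)  # B's browser sends B's cookie
        except PermissionError:
            pass
    else:
        link = svc.vulnerable_import_url("FB-of-A")
        svc.vulnerable_callback(b_cookie, link)
    # Where does a Facebook login land now?
    return {"FB-of-A": svc.login_via_facebook("FB-of-A"),
            "FB-of-B": svc.login_via_facebook("FB-of-B")}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

run_scenario(False) ends with a Facebook login for FB-of-A landing on B's account and FB-of-B linked to nothing, which is steps 4 and 5 above; run_scenario(True) leaves both links untouched. The state check is the binding the report says was missing: a token that is valid for every user is harmless as long as the callback also demands proof that the presenting session initiated the flow. Refusing to overwrite an existing link is the second guard; re-linking should be a separate, explicitly confirmed action rather than a side effect of a photo import.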
I could chat with my victim on Badoo and would have hacked his/her account within 5 minutes.
09 March: Reported
10 March: Bounty awarded, 850 USD
11 March: Bug patched