a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service
High
Basecamp
Reported by
tw4v3sx
Vulnerability Details
Technical details and impact analysis
Summary:
========
After trying to change my initial name to something long, I found out that there are no limits to how long it can be, so I directly changed it to something very long {F1050497}, which caused my account to really slow down when accessing it, and in **the Android app, it just keeps crashing** whenever I open it (no way to access my account at all). If I make it longer, I get a **500 Internal Server Error response**, which highly suggests that this can cause a **server-side denial of service.**
Description:
==========
Due to not checking the length of the name, one can change it to a very long one, causing both a server-side denial of service and a client-side one.
Server side:
------------
One can send multiple requests to change the name of the account, each of them containing a very long name, which will cause a 500 Internal Server Error, leading to extensive resource consumption.
Client side:
-----------
- If one is able to change the name of another account, he will also have the ability to crash his Android app, therefore preventing him from accessing his account.
- If one with a long name sends a message to any email, he will slow down everything where the message appears, including folders (inbox, trash, ...), and prevent him from accessing his contacts, where the email's name also appears, because the app will hang on a loading screen for about 40 min each time, and this can be more if, for example, he sends multiple messages or uses multiple accounts (each one with a long name) to send a message to the victim's mail.
Proof of Concept:
==============
1. Open `https://app.hey.com/contacts/%user_id_number%/user/edit` and change the name to the one attached {F1050497} and submit.
2. Now you can't open the Android app, and you can slow down anyone's account just by sending them a message (or multiple ones).
## Impact
- **Attacker can perform a DoS attack against the server**
- **Slow down anyone's account**
- **Crash the Android app**
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Uncontrolled Resource Consumption
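The weakness recorded above is the absence of a length check on a user-controlled display name. As an added example (not code from hey.com, Basecamp or the reporter), here is the kind of server-side validation a defender would put in front of the name update, so that an oversized value is rejected with a client error instead of reaching storage, indexes and every client that renders it. The limits (100 characters, 255 bytes) and the sample names are assumed and constructed for the example.

```ruby
# Added example (not hey.com / Basecamp code): server-side length enforcement
# for a user-editable display name, the check whose absence the report above
# describes. Limits and sample inputs are constructed.

MAX_NAME_CHARS = 100   # assumed product limit; a real app chooses its own
MAX_NAME_BYTES = 255   # assumed storage limit, e.g. a VARCHAR(255) column

Result = Struct.new(:valid, :name, :error, keyword_init: true)

# Normalize and validate a submitted display name.
def validate_display_name(raw)
  return Result.new(valid: false, error: 'name is required') if raw.nil?

  name = raw.to_s.dup.force_encoding(Encoding::UTF_8)
  return Result.new(valid: false, error: 'name is not valid UTF-8') unless name.valid_encoding?

  # Reject control characters (newlines, NUL, ...) before measuring length.
  if name.match?(/[[:cntrl:]]/)
    return Result.new(valid: false, error: 'name contains control characters')
  end

  # Collapse runs of whitespace so padding cannot be used to inflate the value.
  name = name.strip.gsub(/\s+/, ' ')
  return Result.new(valid: false, error: 'name is required') if name.empty?

  # Check both the character count (what the user sees) and the byte size
  # (what the database, search index and every rendering client must carry).
  if name.length > MAX_NAME_CHARS
    return Result.new(valid: false, error: "name exceeds #{MAX_NAME_CHARS} characters")
  end
  if name.bytesize > MAX_NAME_BYTES
    return Result.new(valid: false, error: "name exceeds #{MAX_NAME_BYTES} bytes")
  end

  Result.new(valid: true, name: name)
end

# Map a validation result to the HTTP status a controller should return.
# A rejected name is a client error (422), never a 500: the 500 in the report
# is a sign that the oversized value reached code not prepared for it.
def response_for(raw)
  result = validate_display_name(raw)
  result.valid ? [200, result.name] : [422, result.error]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal name, a padded name, an oversized
  # name, a name with a newline, a missing name, and a multibyte name.
  samples = ['Ada Lovelace', '  Grace   Hopper ', 'A' * 5_000, "Bad\nName", nil, "\u{1F600}" * 100]
  samples.each do |s|
    status, body = response_for(s)
    puts "#{status}: #{body}"
  end
end
```

In a Rails model the character limit alone is `validates :name, length: { maximum: 100 }`; the point of the example is that the check runs before the value is persisted, returns a 4xx, and also bounds the byte size, since a multibyte name can pass a character limit while still exceeding the column and payload budgets downstream.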