Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts

Medium
B
Bumble
Submitted None
Actions:
View on HackerOne
Reported by tikoo_sahil

Vulnerability Details

Technical details and impact analysis

Cross-Site Request Forgery (CSRF)
Hello , ##Summary :- I would like to report a __Csrf__ bug that i found today that can cause deletion of any victim's account and also I was able to __erase all imported contacts of victim__ on sub-domain--->_m.badoo.com_ . When attacker send a crafted malicious html file to victim and as soon as the victim opens the file and clicks on submit button(I m using submit button for demonstration purposes) , a delete _POST_ request is made to m.badoo.com and the account of victim gets deleted. In a much similar way i was able to make an html file that when opened up by victim would erase victim's all imported contacts. (Note--->victim must possess an active session). ##Reproduction steps :- >>Basically when i was capturing the request and response http headers in burpsuite , it basically caught my eye that there was no use of csrf token being implemented here, so I crafted two html files one for erasing imported contacts and another one for deleting accounts on m.badoo.com . Also , as the content-type was __json__ so parser introduced "=" at the end of content in header, but it was bypassed by adding _"ignore_me":"' value='test"._ 1) Create 2 html files one for deletion and one for erasing contacts(both files have been attached) 2)send the html file to victim(victim should have an active session) 3)after clicking the submit button in both the html files , one will lead to deletion and other one erasing victim's contacts. Below images describe the results :- 1) results of deleting account ---> {F144646} 2) results of erasing contacts ---> {F144647} ## Attack Scenario and Patch :- Attack scenario can be critical as an attacker would be able to delete and erase contacts of any person who has an account on m.badoo.com sub domain . Patch for the above scenario can be using __CSRF token__ that must be random and keep on changing for every outgoing request to m.badoo.com ##Proof-Of-Concept:- _I have attached html files , image poc for the above attack scenario_ Video PoC demonstration :- I have uploaded an unlisted video on youtube , here is a link :- https://youtu.be/rWm1RGXyK7I regards tikoo_sahil

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$280.00

Submitted

Weakness

Cross-Site Request Forgery (CSRF)