Badoo Account Takeover – Bug Bounty POC
This post is published by Harsh Jaiswal as a contributor on Bug Bounty POC. Note that the post is written by Harsh Jaiswal & any mistake in the writing will be entertained only by him. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.
Thanks Bharat & Behroz for this awesome platform 🙂 I'm a newbie; soon I'll share my other 2 FB issues, worth $3000 in total.
Hey everyone out there! Today I want to share my finding on Badoo.com, through which I could take over anyone's account just by giving him/her a poisonous link 😆
Badoo is a dating-focused social networking service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site operates on a freemium model. To gain extra features, a user can pay a fee or allow Badoo to email all his/her friends.
Let's start 😉
Firstly, I want to thank my friend Rudra, who always encourages me. He gave me a simple link and I turned it into an account takeover 😈
The bug was really very simple: it works on a CSRF & a token misconfiguration, and it was only valid for https://m.Badoo.com.
When you import photos from Facebook or Instagram, the request carries no anti-CSRF token, and the Facebook token generated through Badoo is valid for every user, not only for the user who requested it. So I can give a link to import photos from my FB account to a user; if the user presses OK, the photos are imported into his account.
But how did I get an account takeover from this?
The thing I noticed was that the generated link also replaces the user's linked FB account with the attacker's FB account, and the best part was that the user just needs to visit the link; no pressing Cancel or OK is required. 😛
Now an attacker can log in via FB, fully take over the account and access all of the victim's chats, private photos and everything else 😂
The bug was patched within 2 days of the initial report. The reward ($850) was less than I expected 😥.
Steps to reproduce:
1. Create two Badoo accounts, 'attacker' and 'victim', and link a different FB account to each of them.
2. Log in as 'attacker', go to import photos via FB and copy the link from the URL bar.
3. Now log in as 'victim' in a different browser, open the link and click Cancel.
4. The FB account of 'victim' is replaced with the FB account of 'attacker' (and removed from the 'attacker' account).
5. Log in via the attacker's FB account and you will be logged in to the 'victim' account.
Congrats, you just hacked the victim's account.
Suppose there is an attacker account 'A' with FB account 'FB-of-A' linked, and a victim account 'B' with 'FB-of-B' linked. The attacker creates a link to import photos from his FB account and gives it to victim 'B'. B opens it and presses Cancel, but this has already changed his linked FB account from 'FB-of-B' to the attacker's 'FB-of-A', and now the attacker can log in with his own FB account to the victim's Badoo account.
I could chat with my victim on Badoo and have his/her account hacked in 5 minutes 😝
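To make the mechanics concrete, here is an added simulation (my own illustration, not Badoo's code and not the author's PoC) that replays the five steps above against two versions of the import flow. It models the two weaknesses the write-up names: the import link carries the attacker's Facebook token with nothing binding it to the session that requested it, and the handler re-binds the Facebook identity to whichever Badoo cookie arrives with the request, so the victim's browser does the relinking even on Cancel. The hardened variant issues a random state value tied to the initiating session, accepts it once, and refuses to re-link a Facebook identity that already belongs to another profile. The method names, the in-memory stand-in for Facebook's token lookup and the account names are assumptions.

```python
"""Simulated Badoo-style photo-import link: vulnerable flow vs. hardened flow.

Added illustration, not Badoo's code. The method names, the in-memory stand-in
for Facebook's token lookup and the sample accounts are assumptions.
"""
import hmac
import secrets


class AccountLinkError(Exception):
    """Raised by the hardened flow when a link request is rejected."""


def token_for(facebook, fb_uid):
    """Reverse lookup in the constructed Facebook token table (token -> uid)."""
    return next(tok for tok, uid in facebook.items() if uid == fb_uid)


class SocialSite:
    """Minimal stand-in for m.badoo.com: profiles, cookies and FB links."""

    def __init__(self, facebook):
        self.facebook = facebook   # token -> fb_uid, i.e. what FB would tell the site
        self.accounts = {}         # username -> {"fb_uid": ...}
        self.fb_index = {}         # fb_uid -> username, consulted by "log in via FB"
        self.sessions = {}         # cookie -> {"user": username, "state": str or None}

    def register(self, username, fb_uid):
        self.accounts[username] = {"fb_uid": fb_uid}
        self.fb_index[fb_uid] = username

    def login(self, username):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"user": username, "state": None}
        return cookie

    def login_with_facebook(self, fb_token):
        """Whoever owns the FB identity behind the token gets a session."""
        return self.login(self.fb_index[self.facebook[fb_token]])

    # --- vulnerable flow, as the write-up describes it ---------------------
    def start_import_vuln(self, cookie):
        """Step 2: the link copied from the URL bar carries only the FB token."""
        me = self.sessions[cookie]["user"]
        return {"fb_token": token_for(self.facebook, self.accounts[me]["fb_uid"])}

    def finish_import_vuln(self, cookie, link):
        """Steps 3-4: no anti-CSRF token and no check that this session started
        the flow, so the FB identity is re-bound to whoever sends the cookie
        (the browser attaches it even when the user clicks Cancel)."""
        user = self.sessions[cookie]["user"]
        fb_uid = self.facebook[link["fb_token"]]
        previous = self.fb_index.get(fb_uid)
        if previous is not None:
            self.accounts[previous]["fb_uid"] = None   # removed from the attacker profile
        self.accounts[user]["fb_uid"] = fb_uid
        self.fb_index[fb_uid] = user

    # --- hardened flow -------------------------------------------------------
    def start_import_safe(self, cookie):
        """Issue a random state value and remember it in the requesting session."""
        state = secrets.token_urlsafe(32)
        self.sessions[cookie]["state"] = state
        me = self.sessions[cookie]["user"]
        return {"fb_token": token_for(self.facebook, self.accounts[me]["fb_uid"]),
                "state": state}

    def finish_import_safe(self, cookie, link):
        sess = self.sessions[cookie]
        expected, sess["state"] = sess["state"], None   # single use
        if expected is None or not hmac.compare_digest(expected, link.get("state", "")):
            raise AccountLinkError("state missing or not issued to this session")
        fb_uid = self.facebook[link["fb_token"]]
        owner = self.fb_index.get(fb_uid)
        if owner is not None and owner != sess["user"]:
            raise AccountLinkError("FB account already linked to another profile")
        self.accounts[sess["user"]]["fb_uid"] = fb_uid
        self.fb_index[fb_uid] = sess["user"]


def run_scenario(flow):
    """Replay steps 1-5 against the chosen flow ('vuln' or 'safe').
    Returns (profile the attacker's FB login lands on, victim's linked FB uid)."""
    facebook = {"tok-A": "FB-of-A", "tok-B": "FB-of-B"}   # constructed token table
    site = SocialSite(facebook)
    site.register("A", "FB-of-A")                          # attacker
    site.register("B", "FB-of-B")                          # victim
    link = getattr(site, "start_import_" + flow)(site.login("A"))
    victim_cookie = site.login("B")
    try:
        getattr(site, "finish_import_" + flow)(victim_cookie, link)   # B opens the link
    except AccountLinkError:
        pass
    landed = site.sessions[site.login_with_facebook("tok-A")]["user"]
    return landed, site.accounts["B"]["fb_uid"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario("vuln"))
    print("hardened:  ", run_scenario("safe"))
```

In the vulnerable run the attacker's "log in via FB" lands on profile B, exactly the outcome of step 5; in the hardened run the state check fails for B's session, B keeps FB-of-B, and the attacker's FB login still lands on A. In a real deployment the session-bound state goes together with a per-session anti-CSRF token on the confirmation form and SameSite cookies; the ownership check matters on its own, because an identity-provider callback should never silently move a social identity from one profile to another.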
09 March: Reported
10 March: Bounty rewarded, 850 USD
11 March: Bug patched
Proof of Concept