How I was able to Harvest other Vine users IP address

Hello BugBountyPoc viewers, this is Prial again. Today I will share another information disclosure vulnerability, which was leaking users' IP addresses. Last time I disclosed a POC on how I was able to get all Vine users' sensitive information including phone number / IP address / emails and many more, which was reported to Twitter; they patched it and rewarded me 7560$. Those who missed it can get the POC here and the original report here.

When I was testing Vine API endpoints I noticed an endpoint used by the Vine repost mechanism that has a parameter named "ipAddress" with a plain numeric value like 2130706433. We all know IP addresses look like 127.0.0.1, so the value of "ipAddress" looked invalid. When I searched for it on Google I learned that the value is in fact valid: the IP address had been converted to long/decimal format. So I used an online converter tool and was able to get the real IP. ( Online Converter I used )
Vulnerable Endpoint : https://vine.co/api/timelines/users/<POST ID>
Reproduce :
  • To reproduce this issue the victim user has to repost any Vine in their timeline, and a lot of Vine users have reposted many Vine posts in their timelines.
  • So copy a reposted Vine POST ID, place it in the endpoint and visit it. Example : https://vine.co/api/timelines/users/1293308695089926144
  • Now when I visited the link I got a response like the one below (the contents were removed by the Twitter security team) :-
"repost": {
  "username": "██████",
  "verified": 0,
  "vanityUrls": [],
  "created": "█████",
  "repostId": ████████,
  "avatarUrl": "██████",
  "userId": ████,
  "user": {
    "username": "█████████",
    "verified": 0,
    "vanityUrls": [],
    "avatarUrl": "█████████",
    "userId": ████,
    "private": 0,
    "location": █████████
  },
  "flags|platform_lo": 1,
  "postId": ███,
  "ipAddress": 2130706433,
  "flags|platform_hi": 1
}
  • As you can see the IP address value is in its converted (decimal) form; just use the online tool I linked to convert it back to a valid dotted IP address.
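The decimal value is simply the four IPv4 octets read as one big-endian 32-bit integer (2130706433 is 0x7F000001, i.e. 127.0.0.1), which is why it slips past a casual review of the response. The following is an added example, not code from the original post or from Vine: a small review helper that walks a JSON API response, flags every ip-named field, and decodes integer-encoded values so a tester or a developer auditing their own API sees the real address. The sample response is constructed with placeholder values.

```python
import ipaddress
import json
import re

# Constructed sample modelled on the Vine repost response (placeholder values,
# not real users). 2130706433 is the value quoted in the post.
SAMPLE_RESPONSE = '''
{"repost": {"username": "user_a", "userId": 1, "postId": 42,
            "ipAddress": 2130706433, "flags|platform_hi": 1},
 "user": {"username": "user_b", "ipAddress": 3232235777},
 "meta": {"ipAddress": 4294967296}}
'''

# Keys such as "ip", "ipAddress", "client_ip", "ip_addr" (but not "zip").
IP_FIELD_NAME = re.compile(r"(^|_)ip(_?addr(ess)?)?$", re.IGNORECASE)


def decimal_to_ipv4(value):
    """Decode an integer-encoded IPv4 address (big-endian, as inet_aton
    stores it). Returns None when the value cannot be an IPv4 address."""
    if not isinstance(value, int) or isinstance(value, bool):
        return None
    if not 0 <= value <= 0xFFFFFFFF:        # 2**32 and above: not an IPv4
        return None
    return str(ipaddress.IPv4Address(value))


def find_ip_leaks(obj, path=""):
    """Walk a decoded JSON document and return (path, raw, decoded) for every
    ip-named field, decoding integer values to dotted-quad form."""
    findings = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}" if path else key
            if IP_FIELD_NAME.search(key):
                findings.append((child, val, decimal_to_ipv4(val)))
            findings.extend(find_ip_leaks(val, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(find_ip_leaks(item, f"{path}[{i}]"))
    return findings


def scan_response(text):
    """Parse an API response body and report ip-named fields in it."""
    return find_ip_leaks(json.loads(text))


if __name__ == "__main__":
    for path, raw, decoded in scan_response(SAMPLE_RESPONSE):
        print(f"{path}: {raw} -> {decoded or 'not a valid IPv4 integer'}")
```

Any finding in a response meant for other users is a disclosure to fix server-side (drop the field from the serializer), not just to document.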
I reported this issue on Jan 26th and they paid me 5040$ for reporting it on Feb 25th. Main Report :- https://hackerone.com/reports/201300

That is all for today. Hope you guys will like it.

Thanks for Reading .


Prial Islam

A teenage boy with a passion for breaking security.
