An Easy RACE CONDITION Bug That Made Me Fame


How I did it?

After decades of searching for a program that truly fits me :D, I finally found one. I started to use it like a real user, and this helps a lot, noting everything, such as: oh, I found a login page, register, reset function, etc.

Now, it looks like I have a good starting point and a focused mindset. So, I started with some basic tests for the login page, the register page and the password reset function.

Okay, I love this part. Every time I test the reset function, I brainstorm ways to achieve an Account Takeover (ATO); that really makes me feel like a real hacker :D

So, I tried a lot of good techniques while testing the reset function. You can check out some of them in my last Vulnerable Lab.

But sadly, I didn’t succeed :(

Hey you, we can’t just give up! ( talking to myself :D ). So, I kept testing the app. It’s a site for sharing photos, posts, and memes.

I made a new post and noticed there were reactions and comments, just like any social media app. I focused on rate limiting and tried to get some likes on my post using a race condition, but as usual, I failed xD.

When I saw the comment section, I had some ideas. First, you need to know that the site doesn’t allow the publisher to delete other users’ comments: only the user can delete their own comment. I tried to bypass that, but yeah, I failed again :(

Now, something really caught my attention — the comment section again. This time, I noticed that I could react to comments by Upvoting/Downvoting them, which affects user reputation/points. So, yeah, I tried a race condition here.

Step by step

1- I registered two users on the app.

2- Uploaded an image using user_1.

3- Commented on this image using user_2.

4- Switched back to user_1 and upvoted user_2’s comment.

5- I intercepted the API request using Burp Suite, and it looked like this:

HTTP Request

6- I sent this request to the Turbo Intruder extension in Burp Suite using a simple Python script and hit the Attack button.

Python script

Now, if we go to this comment, we see that we finally hacked it!!

Yeah, that was my face then

As you can see, when we sent the request to the endpoint /vote/up?client_id=* using Turbo Intruder, the comment's points decreased, and the user's reputation/points changed too.

Comments

Who’s the fame now xD ??

User_2 points

After that, I started writing my report to them, and I guess I’ll keep testing this app. It seems like it’s full of more surprises!
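For the defensive side of the bug above, here is an added example (not code from the original post or from the affected site) of how a vote handler can lose and then win this race. The post does not show the server code, so the check-then-insert handler is an assumed cause, and the table names, function names and the burst of 20 requests are constructed for illustration.

```python
import os, sqlite3, tempfile, threading

N = 20  # constructed burst: N near-simultaneous copies of one upvote request

def make_db(unique):
    path = os.path.join(tempfile.mkdtemp(), "votes.db")
    key = ", PRIMARY KEY (voter, comment_id)" if unique else ""
    db = sqlite3.connect(path)
    db.executescript(
        f"CREATE TABLE votes (voter TEXT, comment_id INTEGER{key});"
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, points INTEGER);"
        "INSERT INTO comments VALUES (1, 0);")
    db.close()
    return path

def vote_check_then_act(path, voter, cid, gate):
    db = sqlite3.connect(path, timeout=30)
    seen = db.execute("SELECT COUNT(*) FROM votes WHERE voter=? AND comment_id=?",
                      (voter, cid)).fetchall()[0][0]
    gate.wait()  # every request finishes its check before any of them writes
    if seen == 0:
        with db:
            db.execute("INSERT INTO votes VALUES (?, ?)", (voter, cid))
            db.execute("UPDATE comments SET points = points + 1 WHERE id=?", (cid,))
    db.close()

def vote_atomic(path, voter, cid, gate):
    db = sqlite3.connect(path, timeout=30)
    gate.wait()
    try:
        with db:  # vote row and counter commit together or not at all
            db.execute("INSERT INTO votes VALUES (?, ?)", (voter, cid))
            db.execute("UPDATE comments SET points = points + 1 WHERE id=?", (cid,))
    except sqlite3.IntegrityError:
        pass  # duplicate (voter, comment_id): rejected by the database itself
    finally:
        db.close()

def burst(handler, unique):
    path, gate = make_db(unique), threading.Barrier(N)
    threads = [threading.Thread(target=handler, args=(path, "user_1", 1, gate))
               for _ in range(N)]
    for t in threads: t.start()
    for t in threads: t.join()
    db = sqlite3.connect(path)
    points = db.execute("SELECT points FROM comments WHERE id=1").fetchall()[0][0]
    db.close()
    return points

if __name__ == "__main__": print(burst(vote_check_then_act, False), burst(vote_atomic, True))
```

The barrier only makes the interleaving deterministic for the demo; the fix is the uniqueness constraint enforced inside the same transaction as the counter update, not application-level checking or rate limiting alone.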
