Yo, what’s up fellow hackers! I’m back with another story about my latest finding on this eyeglasses website. It’s more of a storytelling vibe than a write-up, ’cause honestly, I don’t think it’s got any mind-blowing insights or anything.
So, picture this: My friend and I just got out of class, and we’re randomly like, “Let’s find some blue control glasses!” Like, out of the blue. And after a while, I stumble on this random site with this totally fire front-end, and we’re all, “Yo, this is the one!” And LOL, in that moment, I didn’t know I was about to go on some adventure with this website 😂
So, after browsing for a bit, I was like, “Alright, let’s sign up and see what’s good.” Oops, made a typo in my name (classic me 🤦♂️), so I logged in with OTP and hit up the edit profile page to fix it. You know me, always got Burp Suite running in the background, so I couldn’t resist peeking at the edit profile request. And get this — in the response, there’s this field called userType. I was like, "Hold up, what's that doing there?👀” Seriously, why would they even show that to regular users?
The first thing that came to my mind was, “They put it in the response, so we’ll put it in the request.” I added it to the JSON request and set its value to “admin.” Bang! I’m admin now. Like, WTF bru? Please resist a bit — maybe I wasn’t that friendly! 😭
My next challenge was to find the admin panel, so I added the word admin as a subdomain, and we were there! xD Everything happened so fast, like, 2 to 3 minutes.
So, I hit up the login page, and there’s username and password fields, right? But hold up — I didn’t set any password when I signed up, just used OTP. What? 🤔 I check out the profile section, thinking maybe I can set a password there. But nope, there wasn’t any functionality for that!
Then I remember that edit profile response from earlier. There was this empty password field just chilling there. So I add a password field to my request, set it to 123 (yeah, I know, super secure 😂), and Bam! The response shows the password changed to 123. Mass assignment for the win! 🎉.
So, I tried logging in with my new admin creds, and the form’s like “WRONG!” No explanation, just “WRONG!” 🙄 I was like, maybe I messed up the userType? What if it's not "admin" but something fancy like "owner" or "bigboss"? 🤔 To test it out, I tried adding a random name to see what would happen. The response? It changed to an empty string. Good news, right? Looks like "admin" was the correct type! 💯
Then I had this big brain moment about how login stuff works! 🧠💡 The password you type in gets all scrambled up (hashed) before it’s checked against what’s in the database. But I was like, “Wait a sec, how am I gonna figure out the secret sauce (salt) they use?” 🧂
After some serious thinking (and maybe a snack break 🍕), I had this wild idea. There was this OTP_Code thingy in the edit profile response - looked like a bunch of random letters and numbers. So I thought, "What if...?" 🤔
I copied that weird code and slapped it into the password field. Then, when logging in, I used the last OTP code they sent me as the password. And guess what? BOOM! I was in.
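To make the root cause concrete from the defender's side, here is an added example (my own illustration, not the site's code) of the two things that went wrong above: the profile handler merging every client-supplied JSON key into the user record (so `userType` and `password` become writable), and the response echoing stored secrets like `OTP_Code`. The record, field names and the hardened allowlist are constructed assumptions.

```python
# Constructed sample user record; field names mirror the ones seen in the story.
SAMPLE_USER = {
    "id": 42,
    "name": "Alic",                       # the typo the profile edit is meant to fix
    "email": "alice@example.com",
    "userType": "customer",
    "password": "",                       # no password set; login is OTP-based
    "OTP_Code": "constructed-hash-placeholder",  # stored hash, must never be returned
}

# Assumed allowlist: the only fields a regular user may change on this endpoint.
EDITABLE_FIELDS = {"name", "email"}
# Fields that must be stripped from any response body.
SECRET_FIELDS = {"password", "OTP_Code"}


def update_profile_vulnerable(user, payload):
    """Mass assignment: every key in the client JSON is written to the record,
    so 'userType' and 'password' are attacker-controlled, and the full record
    (stored hashes included) is echoed back to the caller."""
    updated = dict(user)
    updated.update(payload)
    return updated


def update_profile_hardened(user, payload):
    """Only allowlisted fields are applied; everything else is ignored and
    reported so it can be logged or alerted on. The response body omits
    secret fields. Returns (stored_record, response_body, rejected_keys)."""
    rejected = sorted(set(payload) - EDITABLE_FIELDS)
    updated = dict(user)
    for key in EDITABLE_FIELDS & set(payload):
        updated[key] = payload[key]
    response = {k: v for k, v in updated.items() if k not in SECRET_FIELDS}
    return updated, response, rejected


if __name__ == "__main__":
    # Constructed request: a legitimate name fix plus two fields a user should
    # never be able to set through the profile endpoint.
    payload = {"name": "Alice", "userType": "admin", "password": "123"}
    print("vulnerable:", update_profile_vulnerable(SAMPLE_USER, payload))
    record, body, rejected = update_profile_hardened(SAMPLE_USER, payload)
    print("hardened record:", record)
    print("hardened response:", body)
    print("rejected keys (log these):", rejected)
```

A profile request carrying `userType` or `password` is a cheap detection signal on its own; password changes belong on a separate, re-authenticated endpoint.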
I reported the bug to the admin. Amazingly, they rewarded us with one free pair of the blue control glasses we were originally looking for! This was especially generous since they didn’t even have an official bug bounty program. I’m really impressed by how positively they responded to the report! 🙌🏻
So yeah, I basically wrote this whole thing just to show you can use another hash from the app as a password. xD. Hope you all had as much fun reading this as I did hacking it! Stay curious and keep exploring, fam! 🚀.