Explore how a basic GitHub search revealed significant security issues in Hotstar’s admin panel. This write-up outlines the flaws discovered and offers guidance on how to address and prevent similar vulnerabilities.
Hello everyone, I am Vishal Vishwakarma [@rootxvishal]. I hope you enjoy this and learn something new from it.
Hotstar, one of India’s leading streaming platforms, has gained immense popularity for its extensive library of movies, TV shows, and live sports. As with many large-scale online services, securing sensitive areas such as admin panels is critical. Recently, I discovered a vulnerability that allowed me to gain unauthorized access to Hotstar’s admin panel using a GitHub dork. In this article, I will guide you through the process of how I identified this vulnerability, from initial reconnaissance to the exploitation phase.
The first step in my reconnaissance was subdomain enumeration. I used various tools to gather all the subdomains associated with the target website. Subdomain enumeration is crucial for discovering hidden parts of a website that might not be immediately visible.
Here’s a rundown of the tools and commands I used:
1. Subdomain Discovery Tools:
Subfinder: A powerful subdomain discovery tool that performs passive reconnaissance.
Amass: A tool designed for advanced network mapping and subdomain enumeration.
Example commands:
subfinder -d example.com -o subdomains.txt
amass enum -d example.com -o subdomains.txt
2. Filtering Live Domains: Once I had a list of subdomains, the next step was to filter out the live domains. I used the following commands to achieve this:
cat subdomains.txt | httpx -o urls.txt
cat subdomains.txt | httprobe | sort -u >> list.txt
3. Extracting Useful Information: With a large number of URLs, I wanted to avoid manually inspecting each one. Instead, I used httpx to fetch the titles and status codes of the URLs, which helped me quickly identify interesting targets.
cat list.txt | httpx -title -status-code -fr -o result.txt
The result file contained valuable information, such as page titles and HTTP status codes, which made it easier to spot potential login panels or other interesting areas.
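Step 3 still leaves you reading result.txt by eye for admin login titles. As an added example (not the author's tooling), the script below parses that file, assuming httpx's `url [status] [title]` line layout, and flags reachable hosts whose title or hostname suggests a login or admin interface; the same triage lets a defending team run its own subdomain list through httpx and inventory which admin panels are exposed to the internet. Hostnames and titles in the sample are constructed.

```python
import re

# Constructed sample in the "url [status] [title]" line layout httpx prints
# with -title -status-code (layout assumed; hosts are placeholders).
SAMPLE_RESULT = """\
https://www.example.com [200] [Example Streaming]
https://api.example.com [404] [404 Not Found]
https://ads-admin.example.com [200] [Admin — Log In]
https://status.example.com [200] [Status]
https://old.example.com [302] [Redirecting...]
https://partner.example.com [401] [Sign in to Partner Portal]
this line is not httpx output
"""

LINE_RE = re.compile(r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]\s+\[(?P<title>.*)\]$")
# Words in a title or hostname that usually mark an authentication gate or admin UI.
PANEL_WORDS = re.compile(r"\b(log ?in|sign ?in|admin|dashboard|console|portal)\b", re.I)


def parse_httpx(text):
    """Parse httpx result lines into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"url": m["url"], "status": int(m["status"]), "title": m["title"]})
    return rows


def hostname(url):
    """Strip scheme and path, leaving only the host part of a URL."""
    return url.split("//", 1)[-1].split("/", 1)[0]


def flag_login_panels(rows):
    """Return rows that are reachable (200/401/403) and look like a login or admin panel."""
    return [
        r for r in rows
        if r["status"] in (200, 401, 403)
        and (PANEL_WORDS.search(r["title"]) or PANEL_WORDS.search(hostname(r["url"])))
    ]


if __name__ == "__main__":
    for r in flag_login_panels(parse_httpx(SAMPLE_RESULT)):
        print(f"{r['status']} {r['url']}  <-  {r['title']}")
```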
Among the various URLs, one page title stood out: “Admin — Log In”. This was a strong indication of an admin panel that could be a potential target. I attempted to bypass the login panel but was met with no success.
Determined, I moved on to fuzzing directories using ffuf, but this approach did not uncover any new directories or endpoints. Not ready to give up, I decided to delve into the JavaScript files of the admin panel, searching for hidden secrets or configurations. I utilized tools like TruffleHog and SecretFinder but found nothing of interest.
Dorking for Hidden Information
With traditional methods exhausted, I turned to dorking — using specific queries to find hidden information. I used both GitHub and Google dorks, searching for mentions of the admin panel and related data. Some example dorks included:
org:target
*.target.*
“site.com” password
These queries led me to several repositories and directories on GitHub where the URL appeared. In one repository, I discovered source code that included development credentials. These credentials were in Base64 encoding, which I decoded using a Base64 decoder tool online.
Exploiting the Credentials
With the decoded credentials, which included an email address and password, I attempted to log in to the admin panel. To my astonishment, the login was successful. I found myself in the admin panel, where I had access to various critical functionalities:
User Management: Adding and removing users from the platform.
Ad Creatives: Creating, modifying, and deleting advertising content.
Billing Details: Viewing and modifying billing information, including advertiser names.
Request Approvals: Approving or rejecting requests and invoices.
This level of access provided me with complete control over Hotstar’s advertising operations and billing processes, highlighting the critical nature of securing administrative interfaces.
The impact of this vulnerability is substantial and multifaceted:
Unauthorized Administrative Control: Attackers gaining admin access can manipulate and control critical aspects of the Hotstar platform, including user accounts and advertising content. This could lead to unauthorized changes that disrupt service and undermine user trust.
Financial Risk: With access to billing details and financial information, attackers could commit fraud, alter financial records, or mismanage funds, posing a serious financial threat to the company.
Operational Disruption: The ability to approve or reject requests and invoices without authorization could disrupt business operations, causing delays and potentially affecting revenue streams. This could also harm the company’s operational efficiency.
Data Exposure: Sensitive data about advertisers and financial transactions could be exposed, risking privacy violations and compromising data integrity. This could damage the company’s reputation and erode customer trust if confidential information is leaked.
To address this vulnerability, several key actions are needed to secure the admin panel and prevent unauthorized access.
Implement strict access controls to ensure only authorized personnel have administrative privileges.
Use role-based access controls (RBAC) to limit what different user roles can view and modify within the admin panel.
Use secure methods such as environment variables or secret management tools to handle credentials and configuration data.
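The credentials in this case sat Base64-encoded in committed source, which hides them from a naive grep for "password" but not from a scanner that decodes candidate strings. The following is an added example (not from the original post or any Hotstar tooling) of such a check, suitable for a pre-commit hook or CI step: it finds base64-looking runs, decodes them, and flags those that decode to a user:password pair or mention a secret. The sample file and its values are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample of a committed config file (placeholder values, not real).
# The DEV_AUTH value is base64 of "dev-admin@example.com:SuperSecret123".
SAMPLE_SOURCE = """\
const API_BASE = "https://ads-admin.example.com/api";
const DEV_AUTH = "ZGV2LWFkbWluQGV4YW1wbGUuY29tOlN1cGVyU2VjcmV0MTIz";
const GREETING = "aGVsbG8gd29ybGQ=";
const BUILD_SHA = "3f2a9c1b4e8d7f6a0b1c2d3e4f5a6b7c";
"""

# Runs of base64 alphabet long enough to be worth decoding (short runs are noise).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Decoded text is flagged if it is a user:password pair or names a secret.
USER_PASS = re.compile(r"^[^\s:]+:\S+$")
CRED_HINTS = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)


def decode_printable(token):
    """Return the decoded text if token is valid base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_credentials(source):
    """Scan source text line by line; return dicts for base64 values that decode to credentials."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in B64_TOKEN.finditer(line):
            text = decode_printable(m.group(0))
            if text is None:
                continue  # binary data, invalid padding, or not base64 at all
            if USER_PASS.match(text) or CRED_HINTS.search(text):
                findings.append({"line": lineno, "token": m.group(0), "decoded": text})
    return findings


if __name__ == "__main__":
    for f in find_encoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['token'][:12]}... decodes to a credential")
```

Hex build identifiers and harmless encoded strings pass through untouched, so the hook can block a commit only when a decoded value actually looks like a credential.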
Reporting and Recognition
After discovering this significant vulnerability, I promptly reported it to the Hotstar security team. I’m pleased to share that they responded with impressive speed and professionalism. The team acknowledged the vulnerability, quickly patched the issue, and took steps to enhance their security measures.
In recognition of my efforts and contribution to improving their platform’s security, Hotstar rewarded me with some fantastic swags. It was incredibly gratifying to receive such acknowledgment, and the reward was a wonderful bonus.
I hope you have enjoyed it and learned something new from it. If so, please hit the clap button, and to discuss similar stuff connect with me:
Profile Links:
Twitter: https://x.com/rootxvishal
LinkedIn: https://www.linkedin.com/in/vishalvishw10/
Instagram: https://www.instagram.com/rootxvishal/