How I Hacked Hackers Account

🔱‼️#ॐ_Har Har Mahadev_ #ॐ ‼️🔱

👨‍💻 I’m Shuvo Kumar Saha, also known as Syper Shuvo — a passionate Security Researcher and Bug Bounty Hunter 🕵️‍♂️ from 🇧🇩 Bangladesh.

In this blog, I will share How I Hacked Hackers Account via IDOR Bug.

Let’s Start

I Normaly practics dorking and analyzing h1 archived url, when i filter Embedded url with update date suddenly I see A new program Lunch. Then Visit. It VDP private program with main domain in scope. Target site is like defacement mirror type. Hackers host their hacked site as a mirror.

Inside My Hacker Mind Say Let’s Hack Hackers Account.

I Fire Up my Burp and Create 2 account into Firefox browser, Guys You Guess Which Bug I try to find. I create 2 account and analyzing Every parameter. 🕵️

After Analysis, both accounts userid unguessable🤔

Then I open New browser with Same login page without logined any account. Frist, I check page parameter with cookie editor extension, which parameter are there? There are 3 basic parameters, at this time my hacker mind says let's add userid parameter with previous created account id. Quess what 😲

I login account without any authentication into new browser via help with user id.😀

How I get Others account Id. is not guessable? How You Hack any user? There is massager group type feature you can add any hacker help with hacker account username. Then you add any hackers with their username. there is leak guessable userid of hacker.

Simple get userid and go to login page and edit or add userid = hacker_userid 🔥

There is No authentication Required when add userid.

Cheers✌️and thanks for Reading at the end of this Article. if I Need Any Improvement kindly drop your response. Never Forget To Subscribe my YouTube Channel✌️➡️ 0xshuvo

🧑‍💻 Connect with Me🔗 Linkdin & X

Have a great day, see you later!