How I Helped Secure Millions of Users’ Medical Reports — Bug Bounty!

2 weeks ago 28
BOOK THIS SPACE FOR AD
ARTICLE AD

Mohan Kumar N

Hello all, The target is an India-based company with numerous outlets across the country. They have a bug bounty program and so I began by conducting subdomain recon and proceeded to initiate my analysis. I manually go through subdomains and pick a few that might contain sensitive tokens in their URLs.

Example: URLs of mail.target.com might contain tokens which lets you edit the email preferences of other users :

i) https://mail.target.com/preferences?token=<blabla123 sensitive token>

ii) https://mail.target.com/preferences?token=<blabla1234 sensitive token>

After handpicking such subdomains, I push them to waybackmachine to fetch all the associated URLs. URLs of one particular subdomain “reports.target.com” contained many URLs, visiting them gave access to user’s medical report without any authentication. Immediately reported and got rewarded for this. This bug was patched in few days and I managed to bypass it.

What was the fix and how did I bypass?

This bug was fixed by implementing Mobile number authentication system, and the flow goes like:

1 => Patient visits the report URL
2 => Auth system which says:
Enter the Phone number that you gave during the time of your medical Test (******8390)
3 => Submit button.

Note that the last 4 digits of the ph number are disclosed.

So, the user has to enter their ph number which they gave during the time of medical test…but is there an OTP required ? or only the correct phone number is enough to access the report?

At this point, as I dont know the victim’s phone number, I was not able to confirm if there is an OTP required or not. I could have tried brute forcing the ph numbers but you know what I did😬.. I decided to get a medical test from one of the outlets near my locality..so that I will receive my own report link where I can enter my own phone number and confirm if there is an OTP required or not.

I visited the outlet and got a medical test and as expected I was asked to provide my mobile number to receive the test report. In few hours I received my report link via SMS message. I entered my phone number and confirmed that there is no OTP required to access the report.

So I directly jumped to brute force the mobile numbers.
Did I brute forced all the 10 billion probabilities ? NO

i) The last 4 digits of the ph number is already disclosed in the webpage. So I need to brute force the remaining 6 digits. So the probability is reduced from 10 billion to 1 million.

ii) In India, phone numbers start only from 6 or 7 or 8 or 9. So we can omit the numbers starting from 0,1,2,3,4 and 5 . Ultimately the probability is now reduced to 4 Lakh.

Using burp intruder I brute forced the 4 lakh probabilities and gained access to the patients sensitive reports. This is how I was able to bypass — as there was no OTP verification / rate limiting / Captcha verification .

Reported the bypass and got rewarded again!

Thanks for reading, and see you soon for a new adventure.

Contact :

LinkedIn : https://www.linkedin.com/in/mohankumar007/

Read Entire Article