How I was able to hack a company by watching a YouTube video

9 months ago

Ahmad Mansour

Hello everyone, it's Ahmad here, a penetration tester from Lebanon. Without wasting time on introductions, let's get into the details of this bug.

In this article I will explain an outside-the-box way of thinking that helped me access a company's data on a recent pentest, just by watching a YouTube video. I rarely see pentesters focusing on such scenarios, where they would watch demo videos of a company's dashboard in use (most of the time those videos contain some hidden information: paths, entry points).

Yes, as you heard, just by watching a YouTube video I was able to hack into their dashboard and access all the users' data.

The story started on a recent project I had; let's call the company xyz.ae. It is a company that handles food deliveries for restaurants. Upon agreeing with the client about the project, the scope was to test their mobile application and website.

As always, the first step in a pentest is to discover more about the client's website and infrastructure, just to understand what the company is about and how it works, which helps me later in finding more bugs and deciding which ones require reporting and which do not.

To make the pentest as realistic as possible from an attacker's perspective, I acted as a client and asked them for dashboard access with normal client privileges.

So they sent me a YouTube tutorial about their dashboard and how it works.

So I watched the video as a normal user. If you zoom in a bit, you can see that the person explaining in the video left an email and a password (which is only 3 characters/digits).

And guess what?

No, I was not able to gain anything with those creds, as it was an empty account for demonstration purposes :(

After that I thought about something: if the employee himself is using a weak password for a demo account, couldn't that be a sign that most of them are using simple passwords?

So again, I assumed the password would be either 123 or abc, as it looks from the YouTube ***, and there is no password policy. But the problem was that I did not have any username (admin, manager, etc. did not work)…

With quick searches, I was able to get a list of employees' first and last names (LinkedIn, Facebook, or just asking the name of the customer support agent you are talking to). With a simple Burp Suite Intruder run, I just tried the first names with a mix of simple passwords, and…

And as you can see, I was able to access the main dashboard with admin privileges and access the information of 100,000+ users/orders, which is hard to blur as the company name is nearly everywhere on the dashboard.

Key takeaways:

As a bug bounty hunter:

Always approach the application as a normal user before trying to pentest it; just ask for as much as you can for normal-purpose actions (videos, explanations). Most of the time those demos contain some juicy information.

Think outside the box and don't just spam random payloads praying that one will work. I did this in a simple way without using any scripts or technical tools.

As a company, website owner:

Enforce a password policy for clients and employees, because brute-forcing a password that has no policy couldn't be an easier attack path for attackers.
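As an added example (not from the article or the company), in Python: the policy check this takeaway calls for, which rejects the 3-character demo-style password, plus a defender-side detector that flags the trace a first-names-times-simple-passwords run leaves in auth logs, namely many distinct usernames failing from one source inside a short window. The log format, addresses and names below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one source walks through first
# names against the dashboard login within seconds, then gets a hit.
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=203.0.113.7 user=ahmad result=FAIL
2024-01-10T09:00:02 src=203.0.113.7 user=sara result=FAIL
2024-01-10T09:00:03 src=203.0.113.7 user=omar result=FAIL
2024-01-10T09:00:04 src=203.0.113.7 user=lina result=FAIL
2024-01-10T09:00:05 src=203.0.113.7 user=hadi result=FAIL
2024-01-10T09:00:06 src=203.0.113.7 user=rami result=SUCCESS
2024-01-10T09:05:00 src=198.51.100.2 user=maya result=FAIL
2024-01-10T09:05:30 src=198.51.100.2 user=maya result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def weak_password(pw: str, min_len: int = 12) -> bool:
    """Minimal policy: reject short passwords and ones made only of digits or
    only of letters (the '123' / 'abc' class seen in the demo video)."""
    return len(pw) < min_len or pw.isdigit() or pw.isalpha()


def detect_spray(log_text, min_users=5, window=timedelta(minutes=5)):
    """Return {src: sorted usernames} for every source whose failed logins hit
    at least `min_users` distinct accounts within `window`. A normal user
    mistyping their own password never trips this; a spray does."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login events
        ts, src, user, result = m.groups()
        if result == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Feeding the sample above to `detect_spray` flags only 203.0.113.7; the single failed attempt from 198.51.100.2 against its own account is left alone.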