.png)
20 hours ago
9 BOOK THIS SPACE FOR AD
ARTICLE AD
Heyyyy Hackers!!!! It’s been a long!
After a long time I am back to bug bounty! But What? What to test??
I had lost my touch!
So, That’s it lets make our hands dirty first. Lets retest.
Yes, so i decided to retest one of my old client’s application
Now lets jump into the point:
What is vulnerability: Yes, I can change everyone’s profile picture. Yessss!!! Super power!!!!
How I do that?:
Lets Start:
As it is one of my confidential client, This time no Screenshots.
The vulnerability is simple as that:
Every user has a user id like 152845681. So I just upload a new profile picture for me then I captured that request in a web intercptor.
From there I changed my I username to another person’s userid.
That’s it BOOOM!!!
Instead of my profile picture, Another persons profile is updated with my profile picture.
Now the real magic begins!!
Now I put that into a Intruder and send the same request to the server many times by cimply changing the user id .
In this way all user’s profile picture can be changed to anything!!!!
Reported this vulnerability immediatly and got monetary rewarded as per the agreement.
Don’t forget to follow me on Medium and other social media. Also please give your 50 claps for this write-up and that’s my inspiration to write more!!
I need your support to write more, Buy me a coffee pls: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/
Bengali (Bangladesh) · 
English (United States) ·