Interesting find on the Invite link

1 year ago 85

Hi everyone, hope everyone is doing good

Today I would like to talk about an interesting bug I found that allowed creating any number of accounts without paying for a subscription. So let's find out more about it.

Since it is a private program and due to its disclosure policy I cannot disclose its name. But let us call it redacted.com

The application has an unusual sign-up flow: you cannot register an account yourself, you have to request one. When you submit your details (first name, last name and email ID), they send you an invitation link that looks like this:

https://redacted.com/invite=eyJmaXJzdE5hbWUiOiJIYWNrdDNyIiwibGFzdE5hbWUiOiJNNHplIiwibG9naW5JZCI6ImhhY2t0M3JAbTR6ZS5jb20iLCJpbnZpdGVFbWFpbFRlbXBsYXRlIjpmYWxzZX0=

You open the link, set a password for yourself, and the account is ready to use.

Seems very secure right!!!

But here is the problem. The link carries only one parameter, "invite", which caught my attention. Its value looked like base64, so I decoded it, and to my surprise it was exactly the data I had submitted when requesting the account:

{"firstName":"Hackt3r","lastName":"M4ze","loginId":"hackt3r@m4ze.com","inviteEmailTemplate":false}

On its own that does not look like a big issue. Then I wondered what would happen if I changed the details, re-encoded them, and used the result as a new invite link. I tried it, and I could create another account on behalf of some other person without having to request a second sign-up link. Nothing in the parameter is signed or checked against anything stored on the server, so the application accepts whatever the decoded JSON says.

In a normal application with an open registration page this would not be a huge vulnerability, but since this application has no registration page and works on a one-time subscription, an attacker can pay for one account and then create any number of accounts from the same URL. I reported the vulnerability and it was rated as a high issue.

There are several ways to prevent this. I will list a few, and it is your task to find the others and share your approaches with me and everyone else in the comments.

1. Use a specially crafted (random, server-issued) token instead of an encoded "invite" parameter.
2. Keep the user's details out of the invite link; look them up on the server instead.
3. Make sure the link expires once it has been used.
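To make the bug and the fixes concrete, here is an added example that is not part of the original post and not redacted.com's code. Part 1 decodes the invite value from the link shown above and re-encodes it with a different loginId, which is all the attack described above needed. Part 2 is a hypothetical server-side invite store that applies the three points just listed: the link carries only an opaque random token, the invitee's details live on the server, and redeeming the token marks it used so the same link cannot be replayed. The one-week lifetime and the InviteStore API are assumptions made for the example.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Optional

# ---- Part 1: the scheme from the write-up: base64(JSON) with no integrity check ----

# The invite value copied from the example link in the write-up.
ORIGINAL_INVITE = (
    "eyJmaXJzdE5hbWUiOiJIYWNrdDNyIiwibGFzdE5hbWUiOiJNNHplIiwibG9naW5JZCI6"
    "ImhhY2t0M3JAbTR6ZS5jb20iLCJpbnZpdGVFbWFpbFRlbXBsYXRlIjpmYWxzZX0="
)


def decode_invite(invite: str) -> dict:
    """Recover the JSON object the invite parameter carries."""
    return json.loads(base64.b64decode(invite))


def forge_invite(invite: str, **overrides) -> str:
    """Change any fields and re-encode. Nothing is signed, so the server
    cannot distinguish this from an invite it issued itself."""
    data = decode_invite(invite)
    data.update(overrides)
    compact = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(compact).decode()


# ---- Part 2: hardened design (hypothetical, not the vendor's code) ----

INVITE_TTL_SECONDS = 7 * 24 * 3600  # assumption: an invite is valid for one week


class InviteStore:
    """Server-side invite registry. The link carries only an opaque random
    token; the invitee's details and the single-use state stay on the server."""

    def __init__(self):
        self._records = {}  # sha256(token) -> record

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, login_id: str, first_name: str, last_name: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable or forgeable
        self._records[self._key(token)] = {
            "loginId": login_id,
            "firstName": first_name,
            "lastName": last_name,
            "expiresAt": now + INVITE_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: float) -> Optional[dict]:
        """Return the invitee's details exactly once, or None if the token is
        unknown, already used, or expired."""
        record = self._records.get(self._key(token))
        if record is None or record["used"] or now > record["expiresAt"]:
            return None
        record["used"] = True  # fix 3: the link dies on first use
        return {k: record[k] for k in ("loginId", "firstName", "lastName")}


if __name__ == "__main__":
    print("original:", decode_invite(ORIGINAL_INVITE))
    forged = forge_invite(ORIGINAL_INVITE, loginId="someone-else@example.com")
    print("forged  :", decode_invite(forged))

    store = InviteStore()
    token = store.issue("hackt3r@m4ze.com", "Hackt3r", "M4ze", now=time.time())
    print("first redeem :", store.redeem(token, now=time.time()))
    print("second redeem:", store.redeem(token, now=time.time()))
    print("tampered     :", store.redeem(token + "x", now=time.time()))
```

Note that the hardened version does not need to sign anything: because the token is random and only ever looked up, there is no client-supplied data for the server to trust. If you do prefer a stateless signed token, the same three properties still apply: an HMAC over the payload, a server-checked expiry, and a server-side record that the token has been consumed.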

So that is how I found this interesting catch. I hope you enjoyed it and learned something new. Check out my Instagram for more tips and tricks on finding bugs.

Till then take care and Happy Hacking!!!

PS: I have not been very active for a few months, but whenever I find free time and an interesting vulnerability I will share it with you all.
