Using Platform Profiles to Send Fake Information: A Security Risk (a Good Logic Bug)


CaptinSHArky(Mahdi🇹🇳)

Salam Alaikum, everyone! I hope you’re all doing well. Today, I’m super excited to share with you an interesting logic bug I found in a private SaaS platform. This platform focuses on team management and collaboration, similar to other tools of that kind. Let’s dive in and see how this bug works!

The target has a feature where users in an organization can create templates and share them publicly for others to use. So I explored this feature to understand how it works and started catching some juicy bugs!

The templates section has a specific path, like https://example.com/template-worlds/. When I signed up, I noticed that the template world looks like a social media app. It includes features like profiles, comments, likes, saved items, and more — a great starting point, man!

During my first registration, I entered the company name, and everything worked without any issues. The registration process looked something like this:

Name: I tried changing it to any other name (even one that already exists), and it worked.

Profile URL: when you try to change it, it automatically changes to a random name.

I then moved to the comment section to test the functionality. After some testing, I noticed that when a user creates a comment, the UI displays their name instead of their profile URL (the name you can change to the company profile name with no problem). The profile URL, however, is something related to the backend and might serve as a unique identifier or link between the user and their actions in the application.

So after analyzing the request and understanding how the comment flow works, I found the POST request looks like this:

The most important thing in the request is the “commenterlink”. I noticed that in the UI the name is shown, so I could change my name to the company name and I could change my profile photo, but if I sent a message and a user opened my profile, he could tell I am a big scammer 😂, because the profile of the company is unique: it has published templates and it has a big number of followers. So I started by changing “commenterlink” to https:///target.com//profile/compeny-name/"

I went back and saw the comment was perfect. I clicked on my profile, and now it redirected me to the profile of the company. Boom, man, let’s gooooo 💥🤯

I stopped at this point and decided to report this bug as a medium. Now I had to build a POC to send, so I posted a comment like this: Hello! Congratulations, you’ve won $5,000! You can register on the site evil.com to claim your prize.

They said no. So I will break you, okay!!! *******

I started thinking about how to break this. Hmm… it’s so easy! You just open Burp Suite, catch the request, send it to Repeater, and you can comment with any link you want, without any philosophy! 😂😎

Now the POC is ready, and I reported this bug as high (in your opinion, is the severity of this bug high or critical?).

I’m still waiting for a response…😒💘

On the authority of Abu Kabsha al-Anmari (may Allah be pleased with him), who heard the Messenger of Allah (peace and blessings be upon him) say: (I will tell you a hadith, so memorize it:

This world is for four kinds of people:

A servant whom Allah has given wealth and knowledge, who fears his Lord in it, maintains ties of kinship with it, and knows Allah's right in it; this one is in the best of positions.

A servant whom Allah has given knowledge but not wealth, who is sincere in intention and says: "If I had wealth, I would do as so-and-so does"; he is judged by his intention, and the reward of the two is equal.

A servant whom Allah has given wealth but not knowledge, who squanders his wealth without knowledge, neither fearing his Lord in it, nor maintaining ties of kinship with it, nor knowing Allah's right in it; this one is in the worst of positions.

And a servant whom Allah has given neither wealth nor knowledge, who says: "If I had wealth, I would do with it as so-and-so does"; he is judged by his intention, and the burden of sin of the two is equal.) Narrated by al-Tirmidhi, who said: a hasan sahih hadith.

Impact:

Impersonation of a Trusted Entity: Attackers can impersonate the official profile or other trusted identities, misleading users into thinking the comments or links are legitimate. This can damage user trust in the platform.

Phishing Attacks: The attacker can include malicious links in the comments, redirecting users to phishing websites designed to steal sensitive information like login credentials or financial data.

Brand Reputation Damage: Malicious content posted under the guise of an official profile could harm the company’s reputation if users believe the content originated from the company.

Bypassing Platform Restrictions: Normal users are not allowed to include links in comments via the UI. Exploiting this bug allows attackers to bypass these restrictions, undermining platform controls.

Potential Malware Distribution: Malicious links in comments could direct users to websites hosting malware, which could compromise their devices.

Legal and Compliance Risks: If the platform is used for distributing harmful or illegal content, it may face legal challenges or compliance issues with data protection and cybersecurity laws. ❤
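The root cause described above is that the comment endpoint trusts an identity field (“commenterlink”) sent by the client, and the “Bypassing Platform Restrictions” point is that the no-links rule lives only in the UI. As an added example (not code from the original writeup or from the affected platform), here is the vulnerable handler beside a hardened one in plain Python; the user table, origin, field names and path layout are assumptions for illustration.

```python
import re

SITE_ORIGIN = "https://example.com"  # platform origin; assumed for this example

# Constructed user table: the session user id maps to the server-side profile record.
# "slug" is the random profile name the platform assigns (the "Profile URL" field).
USERS = {
    "u-1001": {"name": "Example Corp", "slug": "k8f3-random"},   # attacker's account, renamed
    "u-2002": {"name": "Example Corp", "slug": "example-corp"},  # the real, followed company profile
}

# Basic check mirroring the UI rule that ordinary users may not post links.
LINK_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)


class CommentRejected(ValueError):
    """Raised when a request tries to set identity fields or smuggle a link."""


def profile_url(slug: str) -> str:
    return f"{SITE_ORIGIN}/template-worlds/profile/{slug}"


def create_comment_vulnerable(session_user_id: str, body: dict) -> dict:
    """Before the fix: 'commenterlink' is read from the request body, so the
    client chooses which profile the comment links to."""
    user = USERS[session_user_id]
    return {
        "author_name": user["name"],
        "author_link": body.get("commenterlink", profile_url(user["slug"])),
        "text": body["text"],
    }


def create_comment_fixed(session_user_id: str, body: dict) -> dict:
    """After the fix: author identity comes only from the authenticated session.
    A body carrying identity fields is rejected (and is worth logging as tampering),
    and the no-links rule is enforced server-side, not just in the UI."""
    tampered = {"commenterlink", "commenter", "name"} & set(body)
    if tampered:
        raise CommentRejected(f"client-supplied identity fields: {sorted(tampered)}")
    text = body["text"]
    if LINK_RE.search(text):
        raise CommentRejected("links are not allowed in comments")
    user = USERS[session_user_id]
    return {"author_id": session_user_id, "author_name": user["name"],
            "author_link": profile_url(user["slug"]), "text": text}


def is_spoofed(comment: dict, session_user_id: str) -> bool:
    """Audit check for already-stored comments: the link must be the poster's own profile."""
    return comment["author_link"] != profile_url(USERS[session_user_id]["slug"])
```

Running `is_spoofed` over the existing comment table (with the poster's real user id from the audit log) finds comments that were already planted before the fix shipped.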
