What’s Up Hackernoon Community, It’s Sayaan Alam and I’m not perfect in doing write-ups, Please Ignore Mistakes... Let’s Move to the bug..... What was the bug There was an IDOR Causing to account takeover. The main problem was with the integration of Google Sign-In service the webserver was just verifying the mail id of the user instead of verifying both access token and email so I replaced the “email” value with the mail id to victim’s email id and got the access. About the Vulnerability IDOR - It occurs when an application refers to some other internal objects via different parameters in an insecure manner. When a user-supplied input is being processed by the server without being validated. This vulnerability mostly presents with the of APIs. Let’s Start It was May - 2019, My Favourite time in bug bounty because I had found more than 20+ bugs in 20+ different companies... Even I had made to Google HOF this Month... So, I was searching for bugs and get tired so started surfing my Instagram... an advertisement for spoyl comes in with the idea of testing spoyl... These days I was a big fan of testing Sign In with Google Option, I Moved Ahead and Tested Out..... When Returning From Google I Found a request made to spoyl web server for access... I was Like Hurrayyy!!! When I Found This... So I manipulated it with a random email-id spoyl@gmail.com... and Guess... What was the result, I got Successfully Logged In To the User’s Account... Main Story Begins It was party time for me, But Not So early...Now I searched For Their CEOs Email address and hopefully found it on rocket reach... I had opened their CEO's account and got his mobile no... It was interesting, getting the personal phone no of CEOs will make it easy to report the bug... I moved ahead and reported the bug to him, He instantly called me and asked about the bug... I was thinking that he’s a responsible person... But Wait!!! Nothing like that... I checked the issue next day, It was still there, I was Like - Whaaat!!! It was an account takeover or an XSS, why these guys are not taking it seriously... I left it, checked again after a week... Hmmm, It was Still there, I contacted CEO again..... and He Blocked Me... I was very confused at that time and left them... Now in September I had again checked it and guess what the bug was still there, Now I got very angry at that time. Because the website is leaving data of millions at risk and many Indian celebrities having their accounts on spoyl..... Really I was not expecting this from a Silicon Valley returnee.... ( Yesss, He had worked at Silicon Valley )... Now I thought to contact Some Journalists To highlight this issue... I had Contacted Many Journalists but got help Mrs. Rachna Khaira From Huffington Post. She called me and asked about everything related to the bug. She was surprised when I told her that Many Indian Celebs... Having their account on spoyl and I can access their Phone No, Address Details..... She asked me for proof so I sent her proof of an Indian Celebrity’s account... She verified the issue and contacted the spoyl CEO, and Confirmed this issue...They fixed it Next Day…(POWER OF MEDIA) My Motive Behind This Security Should Be the first priority for every Company…. But there are like 70% Companies Not Serious about cybersecurity…. This is the most important part of your company. Many companies didn’t respect security researchers who help them to improve their security even many companies threaten them that they’ll file a lawsuit. Just imagine if a black hat hacker got the same bug instead of a white hat hacker what he could have done with you. We want to have safe and secure cyberspace. What Should Be Changed Every Company should launch its bug bounty programs of responsible disclosure policy. You should respect every hacker who reports bugs to you instead of exploiting it. The mindset of a startup should be like that you should launch your bug bounty program with the launch of your company or you should perform vulnerability assessment regularly and before the launch of any service. This is important for start-ups because If your reputation goes down at your starting level then it’ll be very tough for you to get it back. POC VIDEO Don’t Forget to Read this news Article: https://www.huffingtonpost.in/entry/spoyl-website-bug-found-by-14-year_in_5dc1641ae4b0615b8a99830c Best of luck for all of your future things. If you have questions and anything about the post you want to ask me, please contact me via twitter. I’ll have my DM open. Twitter Special thanks to Sai Krishna Kothapalli For Proofreading Until Next Time! If you like my blog posts and my work, please consider checking out my “Buy me a coffee” pagehttps://www.buymeacoffee.com/jgUFSPu What’s Up Hackernoon Community, It’s Sayaan Alam and I’m not perfect in doing write-ups, Please Ignore Mistakes... Let’s Move to the bug..... What was the bug There was an IDOR Causing to account takeover. The main problem was with the integration of Google Sign-In service the webserver was just verifying the mail id of the user instead of verifying both access token and email so I replaced the “email” value with the mail id to victim’s email id and got the access. About the Vulnerability IDOR - It occurs when an application refers to some other internal objects via different parameters in an insecure manner. When a user-supplied input is being processed by the server without being validated. This vulnerability mostly presents with the of APIs. Let’s Start It was May - 2019, My Favourite time in bug bounty because I had found more than 20+ bugs in 20+ different companies... Even I had made to Google HOF this Month... So, I was searching for bugs and get tired so started surfing my Instagram... an advertisement for spoyl comes in with the idea of testing spoyl... These days I was a big fan of testing Sign In with Google Option, I Moved Ahead and Tested Out..... When Returning From Google I Found a request made to spoyl web server for access... I was Like Hurrayyy!!! When I Found This... So I manipulated it with a random email-id spoyl@gmail.com... and Guess... What was the result, I got Successfully Logged In To the User’s Account... Main Story Begins It was party time for me, But Not So early... Now I searched For Their CEOs Email address and hopefully found it on rocket reach... I had opened their CEO's account and got his mobile no... It was interesting, getting the personal phone no of CEOs will make it easy to report the bug... I moved ahead and reported the bug to him, He instantly called me and asked about the bug... I was thinking that he’s a responsible person... But Wait!!! Nothing like that... I checked the issue next day, It was still there, I was Like - Whaaat!!! It was an account takeover or an XSS, why these guys are not taking it seriously... I left it, checked again after a week... Hmmm, It was Still there, I contacted CEO again..... and He Blocked Me... I was very confused at that time and left them... Now in September I had again checked it and guess what the bug was still there, Now I got very angry at that time. Because the website is leaving data of millions at risk and many Indian celebrities having their accounts on spoyl..... Really I was not expecting this from a Silicon Valley returnee.... ( Yesss, He had worked at Silicon Valley )... Now I thought to contact Some Journalists To highlight this issue... I had Contacted Many Journalists but got help Mrs. Rachna Khaira From Huffington Post. She called me and asked about everything related to the bug. She was surprised when I told her that Many Indian Celebs... Having their account on spoyl and I can access their Phone No, Address Details..... She asked me for proof so I sent her proof of an Indian Celebrity’s account... She verified the issue and contacted the spoyl CEO, and Confirmed this issue...They fixed it Next Day…(POWER OF MEDIA) My Motive Behind This Security Should Be the first priority for every Company…. But there are like 70% Companies Not Serious about cybersecurity…. This is the most important part of your company. Many companies didn’t respect security researchers who help them to improve their security even many companies threaten them that they’ll file a lawsuit. Just imagine if a black hat hacker got the same bug instead of a white hat hacker what he could have done with you. We want to have safe and secure cyberspace. What Should Be Changed Every Company should launch its bug bounty programs of responsible disclosure policy. You should respect every hacker who reports bugs to you instead of exploiting it. The mindset of a startup should be like that you should launch your bug bounty program with the launch of your company or you should perform vulnerability assessment regularly and before the launch of any service. This is important for start-ups because If your reputation goes down at your starting level then it’ll be very tough for you to get it back. POC VIDEO Don’t Forget to Read this news Article: https://www.huffingtonpost.in/entry/spoyl-website-bug-found-by-14-year_in_5dc1641ae4b0615b8a99830c https://www.huffingtonpost.in/entry/spoyl-website-bug-found-by-14-year_in_5dc1641ae4b0615b8a99830c Best of luck for all of your future things. If you have questions and anything about the post you want to ask me, please contact me via twitter. I’ll have my DM open. Twitter Twitter Special thanks to Sai Krishna Kothapalli For Proofreading Sai Krishna Kothapalli Until Next Time! Until Next Time! If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page https://www.buymeacoffee.com/jgUFSPu If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page https://www.buymeacoffee.com/jgUFSPu https://www.buymeacoffee.com/jgUFSPu

Google

Instagram

Instantly

Story Behind Spoyl Data Leak

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Asterisk's Unnoticed Bug: The Double Quote Bug

Casing Can Break Netlify Functions: Here's How

Common Mistakes in Bug Reports and How to Fix Them

Getting Regex Boundaries Right: A How-To Guide

Go vs Rust: A Sto-array of Arrays

How to Create a Bug Report Form in GitHub

Asterisk's Unnoticed Bug: The Double Quote Bug

Casing Can Break Netlify Functions: Here's How

Common Mistakes in Bug Reports and How to Fix Them

Getting Regex Boundaries Right: A How-To Guide

Go vs Rust: A Sto-array of Arrays

How to Create a Bug Report Form in GitHub

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps