Story Behind Spoyl Data Leak

by Sayaan Alam, November 16th, 2019
What’s Up Hackernoon Community, It’s Sayaan Alam and I’m not perfect in doing write-ups, Please Ignore Mistakes...

Let’s Move to the bug.....

What was the bug

There was an IDOR leading to account takeover. The main problem was with the integration of the Google Sign-In service: the web server was verifying only the email ID of the user instead of verifying both the access token and the email, so I replaced the “email” value with the victim’s email ID and got access.

About the Vulnerability

IDOR (Insecure Direct Object Reference) occurs when an application refers to internal objects via different parameters in an insecure manner, that is, when user-supplied input is processed by the server without being validated. This vulnerability is mostly found in APIs.
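The flaw described above, next to a hardened handler, as an added example that is not from the original post or Spoyl's code. The field names, `CLIENT_ID`, the account table and the HMAC-signed token (a stand-in for Google's signed ID token, which a real server verifies against Google's published keys) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the original post): field names, CLIENT_ID, USERS and an
# HMAC-signed token standing in for the identity provider's signed ID token.
IDP_KEY = b"constructed-demo-key"
CLIENT_ID = "demo-client-id.example"
USERS = {"attacker@example.com": "acct-1", "victim@example.com": "acct-2"}

def issue_token(claims):
    """Stand-in for the identity provider signing a token after sign-in."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_token(token):
    """Return the signed claims, or None if signature, audience or expiry fail."""
    try:
        payload, sig = token.rsplit(".", 1)
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, AttributeError, TypeError):
        return None
    if claims.get("aud") != CLIENT_ID or claims.get("exp", 0) < time.time():
        return None
    return claims

def login_vulnerable(body):
    # Flaw described above: the account is selected by the client-supplied email.
    return USERS.get(body.get("email"))

def login_hardened(body):
    claims = verify_token(body.get("token", ""))
    if not claims or not claims.get("email_verified"):
        return None
    # Identity comes only from the verified token; body["email"] is ignored.
    return USERS.get(claims.get("email"))

def demo():
    # Constructed request: a valid token for one user, a different email in the body.
    token = issue_token({"email": "attacker@example.com", "email_verified": True,
                         "aud": CLIENT_ID, "exp": time.time() + 300})
    tampered = {"token": token, "email": "victim@example.com"}
    return login_vulnerable(tampered), login_hardened(tampered)
```

With the tampered request, the vulnerable handler returns the other user's account while the hardened one returns the account bound to the token.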

Let’s Start

It was May 2019, my favourite time in bug bounty, because I had found more than 20+ bugs in 20+ different companies...

I had even made it to the Google HOF this month...

So, I was searching for bugs and got tired, so I started surfing my Instagram... an advertisement for Spoyl came up, and with it the idea of testing Spoyl...

In those days I was a big fan of testing the Sign In with Google option, so I moved ahead and tested it out...

When returning from Google, I found a request made to the Spoyl web server for access...

I was Like Hurrayyy!!! When I Found This...

So I manipulated it with a random email-id [email protected]...

And guess what the result was: I got successfully logged in to the user’s account...

Main Story Begins

It was party time for me, But Not So early...
Now I searched for their CEO's email address and hopefully found it on RocketReach... I had opened their CEO's account and got his mobile no...

It was interesting: getting the personal phone no. of the CEO would make it easy to report the bug... I moved ahead and reported the bug to him. He instantly called me and asked about the bug...

I was thinking that he’s a responsible person... But Wait!!! Nothing like that...

I checked the issue the next day and it was still there. I was like - Whaaat!!! It was an account takeover or an XSS, why are these guys not taking it seriously...

I left it, checked again after a week...

Hmmm, It was Still there, I contacted CEO again..... and He Blocked Me...

I was very confused at that time and left them... Now in September I had again checked it and guess what the bug was still there, Now I got very angry at that time.

Because the website is leaving the data of millions at risk, and many Indian celebrities have their accounts on Spoyl...

Really I was not expecting this from a Silicon Valley returnee.... ( Yesss, He had worked at Silicon Valley )...

Now I thought to contact some journalists to highlight this issue... I had contacted many journalists but got help from Mrs. Rachna Khaira of the Huffington Post.

She called me and asked about everything related to the bug. She was surprised when I told her that many Indian celebs have their accounts on Spoyl and I can access their phone no. and address details...

She asked me for proof so I sent her proof of an Indian Celebrity’s account...

She verified the issue, contacted the Spoyl CEO, and confirmed this issue... They fixed it the next day... (POWER OF MEDIA)

My Motive Behind This

Security Should Be the first priority for every Company….

But like 70% of companies are not serious about cybersecurity...

This is the most important part of your company.

Many companies don’t respect security researchers who help them improve their security; many companies even threaten them that they’ll file a lawsuit. Just imagine if a black hat hacker had got the same bug instead of a white hat hacker, what he could have done with you. We want to have a safe and secure cyberspace.

What Should Be Changed

Every company should launch its own bug bounty program or responsible disclosure policy. You should respect every hacker who reports bugs to you instead of exploiting them.

The mindset of a startup should be that you launch your bug bounty program with the launch of your company, or that you perform vulnerability assessments regularly and before the launch of any service.

This is important for start-ups because If your reputation goes down at your starting level then it’ll be very tough for you to get it back.

POC VIDEO

Don’t Forget to Read this news Article:

https://www.huffingtonpost.in/entry/spoyl-website-bug-found-by-14-year_in_5dc1641ae4b0615b8a99830c

Best of luck for all of your future things.

If you have questions or anything about the post you want to ask me, please contact me via Twitter. I’ll have my DMs open.

Special thanks to Sai Krishna Kothapalli For Proofreading

Until Next Time!

If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page
https://www.buymeacoffee.com/jgUFSPu