Before the end of this year, Two well-known people was hacked. Mark Zuckerberg (CEO) of and Sundar Pichai (CEO) of Google and I was thinking what if it’s time for me to hack . But, I know that isn’t easy. Facebook Barack Obama So, I decided to use my big brain to think my way out!Looking for a new angle… Then, I found the “Request Story” button hiding in the ‘ellipsis’ or ‘more’ icon. But, there’s a problem. They, need to approve my request to add their story into my publication and that’s absolutely impossible. But apparently, I can add my own story into my publication without further ado. First step of adding a story to publication. Second and Last step is to choose a publication where you want to add the story. My goal here is to add any story of another user into my publication without their consent and I did that using the “Add story to publication” button. While I’m adding my own story to my publication, I intercepted the HTTP Request to modify the story ID. My Story ID: 2a4b6810c12dStory ID of the target: 1a3b579c101a The HTTP Request: PUT /testphzxc/ HTTP/1.1Host: medium.comConnection: keep-aliveContent-Length: 25Accept: application/jsonOrigin: X-XSRF-Token: {Redacted}X-Obvious-CID: webUser-Agent: {Redacted}Content-Type: application/jsonReferer: {Redacted}Accept-Encoding: gzip, deflate, sdch, brAccept-Language: en-US,en;q=0.8,nb;q=0.6Cookie: {Redacted} 2a4b6810c12d https://medium.com {“postStatus”:”APPROVED”} In the line where the PUT method is located, you will see the ID of my story. And I will remove that ID and put the ID of the target’s story. Updated HTTP Request: PUT /testphzxc/ HTTP/1.1Host: medium.comConnection: keep-aliveContent-Length: 25Accept: application/jsonOrigin: X-XSRF-Token: {Redacted}X-Obvious-CID: webUser-Agent: {Redacted}Content-Type: application/jsonReferer: {Redacted}Accept-Encoding: gzip, deflate, sdch, brAccept-Language: en-US,en;q=0.8,nb;q=0.6Cookie: {Redacted} 1a3b579c101a https://medium.com {“postStatus”:”APPROVED”} Of course, like what I’ve just mentioned above, the story will automatically added to my publication without their consent. That is because of: {“postStatus”:”APPROVED”} Then *Poof*. The Target’s story was added to my publication. Now What? Because the story was added to my publication, I am now able to edit his/her story or delete it. Well, instead of attacking Mr. Obama’s blog, I reported it to . They fixed it and rewarded me with a $250 bounty but I want more because I found multiple bugs in my report. First, Bypass the Request Story and Two, Update and Delete any story. Then, they added the previous bounty with a $100 bounty for a total of $350 bounty. Medium
