Hi Fellow Hunters, hope you are doing well and taking care of your health in this pandemic situation, my name is V3D (Ved Parkash). I want to write a quick write-up on my recent finding which is a BROKEN ACCESS CONTROL LEADS TO CHANGE OF ADMIN DETAILS.

Without any Further ado.. Let’s Start.

Using Google Dorks, i started searching for private programs.

Here are some dorks for searching Private Bug Bounty Programs.

“powered by bugcrowd”

“powered by hackerone” “submit vulnerability report”

Then i came across a program REDACTED.COM which i immediately started looking for bugs.

As usual I started with subdomain discovery and i got nearly 30 subdomains and after probing with httpx i got 20 alive subdomains. I started checking for functionalities that each subdomain has, there are only 2–3 subdomains with some functionality. I started checking bugs in Password Reset Functionality, Email Verification Functionality and checking for flaws in input sanitization. I am unable to find any bugs in these functionalities.

I recently read a write-up by @sunilyedla.

You can check it out here ->

In this write-up, sunilyedla bhai came across a target in which users can invite other users in various different roles. I thought to check that functionality in my target since it also contains the same functionality where an admin can invite a user

I created two accounts an admin account and a user account to test the functionality. There is a section where a user can view the details of his account and the admin who invited him.

A user can

→ Invite other user

An admin can

→ Invite other user

→ Remove any user

Here user can edit his details but he can only view admin details and cannot edit them.

Overview of User Account

Here i thought Let’s check if there is a flaw in Update Functionality. So i tried to update user details and to my surprise i can see the admin details are also being passed in the request. You know what to do know, Yeah you are right i changed the details of admin and to my surprise there is no back-end check and i successfully able to edit the details of admin.

To confirm the Vulnerability I opened the admin account in another browser to see whether the details are updated or not.

And they were successfully changed, i can edit the first name, last name and mobile number of admin. I quickly reported the issue and the team triaged it immediately but the severity is set to P4 by the team, I explained about the severity clearly to team and they bump it to P2.

Tip: Never Forget To Check Functionality, there is a huge scope for finding bugs in Functionalities

Special Thanks to my dear brother’s: Aditya Shende, Sunil Yedla, Harsh Bothra, Manas Harsh, Aditya Sharma, Shubham Bhamare, 0xdln, The XSS Rat

Hope you learned something new. If you liked the write-up give it a clap and follow on twitter V3D

||Bug Hunter||Cyber Security Researcher||