How I Takeover Microsoft Store

Hi,Guys
Today. I will proudly share to you, how I was successfully takeover microsoft store page, i have been learning from diffrent security researchers write-up in the bug bounty field, so i decided to share my few findings with you as it might help others who started in the Bug Bounty journey.
The bug i wanna share with you, it was new to me hence i never came across any bug like this throughout my reading from other researchers write-up.
From low impact to store takeover, “this how i may call it”
The first tool I used to identify the vulnerable of a domain was https://github.com/aboul3la/Sublist3r
Running on my android through TERMUX
I am recommending you to have it on your smartphone you can download it here https://play.google.com/store/apps/details?id=com.termux
Let’s the game started:
I was not a full time bug hunter, so i usually start looking a bug when i have time so this time, i started my recon on flipgrid.com.

What is flipgrid?

Flipgrid is the leading video discussion platform used by millions of PreK to PhD students, educators, and families around the world.
You can check it out that it was manage by microsoft
https://educationblog.microsoft.com/2018/06/flipgrid-microsoft-education/
I start up my termux I did a simply recon using Sublist3r and found a subdomain


Store.flipgrid.com after visiting it, i got a redirect to flipgrid.bigcartel.com
Whith an erro like this.


Which means that i can takeover the store page

The question is what is bigcartel?

Bigcartel is a unique online store, where you can sell your work, and run a creative business. Perfect for clothing designers, bands, jewelry makers, crafters, and other artists. Just like Shopify

I quckly sign up

Open a store with flipgrid.bigcartel.com
Now when ever a user visit store.flipgrid.com he got redirected to my claimed store page


You know Noobs ain’t like duplicate
I quickly write the report to microsoft got a replay within 3Hrs of my report


Do you wanna know what i get from microsoft? HOF


Once again i was happy for that because i learn new things.
I hope Ed will add it on his repo because it was a new thing
https://github.com/EdOverflow/can-i-take-over-xyz/blob/master/README.md

Lesson learn:

Finding bugs on your target its base on how you think you can make it: don’t say “ i can’t do it on my smartphone” because it suck’s” to me: if you had Termux on your smartphone, its like you had your PC on your pocket

Most of my finding like XSS,LFI,SQL, e.t.c, i did it with my smartphone.
Thanks for reading

Comments

Post a Comment

Popular posts from this blog

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences. One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one:  Bug 1447452 , in which some mishandling of unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store. The bug: corruption of unicode characters in HTTP request path It...
Read more

Vine User’s Private information disclosure

Image
Hello  readers, This is  Prial Islam  a security researcher from Bangladesh . This is a old finding of mine adding into my blog . Today I will write about a Critical   IDOR vulnerability that will lead to  Information Disclosure   what allowed me to get any Vine user’s sensitive information including   Ip address/phone no/email  . I reported this bug to Twitter Security team in their  Bug Bounty Program in Hackerone  and they Rewarded me with a amount of  7560$ for  this report  . $$$$ + Blog post permission 😾 😇 Vine has issued a statement regarding this vulnerability on their  Vine blog Post here  and also Hackerone mentioned this vulnerability in hackerone  Zerodaily Newslatter  . Vulnerable Endpoint  :- https://vine.co/api/users/profiles/<User Id> When I was testing vine domains for something interesting . I noticed the Endpoint what response wa...
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_...
Read more