Vine User’s Private information disclosure

Hello readers,
This is Prial Islam a security researcher from Bangladesh . This is a old finding of mine adding into my blog .
Today I will write about a Critical IDORvulnerability that will lead to Information Disclosure what allowed me to get any Vine user’s sensitive information including Ip address/phone no/email .
I reported this bug to Twitter Security team in their Bug Bounty Program in Hackerone and they Rewarded me with a amount of 7560$for this report .

$$$$ + Blog post permission 😾 😇

Vine has issued a statement regarding this vulnerability on their Vine blog Post here and also Hackerone mentioned this vulnerability in hackerone Zerodaily Newslatter .
  • Vulnerable Endpoint :- https://vine.co/api/users/profiles/<User Id>
When I was testing vine domains for something interesting . I noticed the Endpoint what response was giving my account all information . I thought this is normal as many site have this type of endpoint what shows logined users information . So again I thought let’s try to exploit this with CORS if it is miss-configured . But CORS Policy was in place . Then I changed the user-id value to a random number and I got shocked that someone else user information was in front of me . By changing the user-id value I was able to get any vine user all information .

Reproduce :

  • Choose any user to get his all information and collect his User-ID
  • Now place the User-ID in below endpoint and visit it . You will get Response in body .
https://vine.co/api/users/profiles/<User Id>
Response :
{“code”: “”, “data”: {“followerCount”: 16271364, “includePromoted”: 1, “captchaSucceeded”: 0, “recordComment”: null, “locale”: “iUS”, “shareUrl”: “https://vine.co/████████”, “hiddenPhoneNumber”: 0, “notPorn”: 0, “userId”: █████████, “private”: 0, “likeCount”: null, “commentCount”: null, “platforms”: [“android”, “ios”], “postCount”: null, “profileBackground”: “0x33ccbf”, “suspended”: null, “hiddenFacebook”: 0, “verifiedEmail”: 0, “explicitContent”: 0, “dmcaStrikeCount”: 0, “flaggedCount”: 7579, “verified”: 1, “loopCount”: 6132344784, “avatarUrl”: “http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr”, “authoredPostCount”: 598, “review_result_illegal_review”: 0, “review_result_ok”: 0, “review”: null, “suspendedBy”: null, “twitterId”: ████████, “phoneNumber”: “██████████”, “location”: “Los Angeles California”, “notifyActivity”: 1, “facebookConnected”: 1, “explicitContentAdmin”: 0, “statsTags”: null, “hiddenEmail”: 0, “unflaggable”: 0, “username”: “████████”, “modified”: “2017–01–29T01:24:00.000000”, “userIdStr”: “████████”, “twitterIdStr”: “████████”, “vanityUrls”: [“kingbach”], “remixDisabled”: 0, “deleted”: null, “categories”: null, “released”: 0, “loopVelocity”: null, “strikeCounts”: [{“count”: 0, “strikeType”: “SEVERE_POLICY_VIOLATION”}, {“count”: 0, “strikeType”: “DMCA”}, {“count”: 0, “strikeType”: “SENSITIVE”}, {“count”: 0, “strikeType”: “POSSIBLY_ILLEGAL”}, {“count”: 0, “strikeType”: “GRAPHIC_NON_VIOLATING”}, {“count”: 0, “strikeType”: “ESC”}], “uploadHD”: 1, “verifiedPhoneNumber”: 1, “hiddenTwitter”: 0, “vineVerified”: 1, “notifyMessages”: 1, “needsPhoneVerification”: 0, “repostCount”: null, “twitterScreenname”: “██████”, “secondaryColor”: “0x33ccbf”, “twitterVerified”: 1, “captchaRequired”: 0, “edition”: null, “acceptsOutOfNetworkConversations”: 1, “disableAddressBook”: 1, “description”: “Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library”, “escStrikeCount”: 0, “review_result_explicit”: 0, “notificationsLastViewed”: “2016–04–26T21:03:35.000000”, “email”: “████████”, “hideFromPopular”: 0, “admin”: 0, “contentReview”: 0, “created”: “2013–04–13T19:30:31.000000”, “review_result_illegal_confirmed”: 0, “followingCount”: null, “lastLogin”: “2016–12–13T23:29:40.000000”, “escUser”: 0, “ipAddress”: “██████”, “twitterConnected”: 1}, “success”: true, “error”: “”}
Take a closer look in response and you will get a lot of private info about the user [ all information was removed by twitter security as those belongs to other users ]. Some of them are :
“platforms”: [“android”, “ios”]
 “flaggedCount”: 7579
 “twitterId”: “█████████”
 “phoneNumber”: “█████”
 “location”: “Los Angeles California”
 “modified”: “2017–01–29T01:24:00.000000”
 “notificationsLastViewed”: “2016–04–26T21:03:35.000000”
 “email”: “█████████”
 “created”: “2013–04–13T19:30:31.000000”
 “lastLogin”: “2016–12–13T23:29:40.000000”
 “ipAddress”: “█████”
Here Even ipAddress/email/phone no are being disclosed . So attacker can use these info and do malicious attacks on any vine user . And Attacker can dump all user information .
This will also effect twitter users as vine users can use their twitter account access to login vine services . I have got the same vulnerability on another bug bounty program Edmodo’s website .
Thanks for reading . Happy Hunting .

Comments

Post a Comment

Popular posts from this blog

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences. One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one:  Bug 1447452 , in which some mishandling of unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store. The bug: corruption of unicode characters in HTTP request path It...
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_...
Read more