Companies love bragging about how many users they have.
You’re definitely a user of a company that does this.
I know I am. And it makes me trust them less…
Why? Because I’ve seen it go wrong too many times first-hand.
Here's how I was able to steal the information of millions of people.
This company bragged about having over 1.5 million users for their mobile app.
Their mobile app allowed users to sign-up and control their products.
Sounded like an interesting target!
But, I didn’t want to target it.
Remember? I like hacking web applications 😅
So, I went after their web assets.
After subdomain enumeration and probing for webservers, I came across the following host:
https://installersupport.app.██████.com/
For content discovery, I started by looking for known paths on the host using gau.
getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan.
So I ran it against the domain:
$ gau installersupport.app.██████.com
---- results ----gau responded with pages of results.
While scrolling through them, one caught my eye:
https://installersupport.app.██████.com/admin/admin_login.asp
Admin is a trigger word for me.
It should be a trigger word for you too (come on, admin stuff is always juicy!)
So, I visited the URL.
It asked for a username and password.
I tried entering default credentials like
admin:adminadmin:passwordadmin:password123test:test
Nothing worked.
So, I tried brute-forcing for ‘.asp’ files.
Maybe I’d find one that didn’t check authentication correctly!
$ ffuf -u https://installersupport.app.██████.com/admin/FUZZ -w asp.txt -mc all -fw <number-of-words-in-404-page>The results looked promising!
userinfo.asp
searchresult.aspI visited the first one: https://installersupport.app.██████.com/admin/userinfo.asp
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
-- snip ---
<iframe width="610px" height="1200px" id="Iframe1" src="/crd/installersupport/NewEditUserInfo.aspx" frameborder="0" style="overflow:hidden;" scrolling="no">
</iframe>Ooh, looked juicy!
However, the page it iframe’d to responded with “500 Internal Server Error”.
That’s odd – I wonder why!
I visited the other file I found: https://installersupport.app.██████.com/admin/searchresult.asp
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
-- snip ---
<iframe width="610px" height="1200px" id="frameUserInfo" src="/crd/installersupport/NewEditUserInfo.aspx?action=editaccountinfo&UserId=" frameborder="0" style="overflow:hidden;" scrolling="no">
</iframe>This responded similarly.
But wait. Look closer!
What do you see? Extra parameters!
https://installersupport.app.██████.com/crd/installersupport/NewEditUserInfo.aspx?action=editaccountinfo&UserId=
The title of this page was “User Info”.
But there was an error:
“User Name is missing”
Well, what is UserID expecting?
Maybe a numeric user ID?
So I threw the request into Burp Intruder and started brute-forcing the UserId parameter.
It found a valid ID: 2000953!
So I visited: https://installersupport.app.██████.com/crd/installersupport/NewEditUserInfo.aspx?action=editaccountinfo&UserId=2000953
And it returned the users:
Name
Address
Phone number
Email
Job Title.
Not. Good.
Then I remembered the mobile app.
I had signed up with an email address. I hadn’t seen a numeric ID in the app (or in any previous shenanigans).
While this web application seemed completely unrelated, I thought I should try specifying my email in the UserId parameter!
But that wouldn’t work, right?
https://installersupport.app.██████.com/crd/installersupport/NewEditUserInfo.aspx?action=editaccountinfo&UserId=corben@sxcurity.pro
It. Worked.
To verify, I went to the mobile app and created another account.
I tried again with that email and it worked again!
Wow.
An attacker could easily brute-force user ids (ex: 0-999999999999) or spray email addresses.
I reported it to their HackerOne program and eventually got a bounty!
Hope you learned from this story!
If you enjoyed it, make sure to follow me on Twitter or buy me a coffee (to fuel my writing for the next one).
See you around,
Corben Leo