Companies love bragging about how many users they have.
You’re definitely a user of a company that does this.
I know I am. And it makes me trust them less…
Why? Because I’ve seen it go wrong too many times first-hand.
Here's how I was able to steal the information of millions of people.
This company bragged about having over 1.5 million users for their mobile app.
Their mobile app allowed users to sign-up and control their products.
Sounded like an interesting target!
But, I didn’t want to target it.
Remember? I like hacking web applications 😅
So, I went after their web assets.
After subdomain enumeration and probing for webservers, I came across the following host:
For content discovery, I started by looking for known paths on the host using gau.
getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan.
So I ran it against the domain:
$ gau installersupport.app.██████.com ---- results ----
gau responded with pages of results.
While scrolling through them, one caught my eye:
Admin is a trigger word for me.
It should be a trigger word for you too (come on, admin stuff is always juicy!)
So, I visited the URL.
It asked for a username and password.
I tried entering default credentials like
So, I tried brute-forcing for ‘.asp’ files.
Maybe I’d find one that didn’t check authentication correctly!
$ ffuf -u https://installersupport.app.██████.com/admin/FUZZ -w asp.txt -mc all -fw <number-of-words-in-404-page>
The results looked promising!
I visited the first one: https://installersupport.app.██████.com/admin/userinfo.asp
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET -- snip --- <iframe width="610px" height="1200px" id="Iframe1" src="/crd/installersupport/NewEditUserInfo.aspx" frameborder="0" style="overflow:hidden;" scrolling="no"> </iframe>
Ooh, looked juicy!
However, the page it iframe’d to responded with “500 Internal Server Error”.
That’s odd – I wonder why!
I visited the other file I found: https://installersupport.app.██████.com/admin/searchresult.asp
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET -- snip --- <iframe width="610px" height="1200px" id="frameUserInfo" src="/crd/installersupport/NewEditUserInfo.aspx?action=editaccountinfo&UserId=" frameborder="0" style="overflow:hidden;" scrolling="no"> </iframe>
This responded similarly.
But wait. Look closer!
What do you see? Extra parameters!
The title of this page was “User Info”.
But there was an error:
“User Name is missing”
Well, what is
Maybe a numeric user ID?
So I threw the request into Burp Intruder and started brute-forcing the UserId parameter.
It found a valid ID: 2000953!
So I visited:
And it returned the users:
Then I remembered the mobile app.
I had signed up with an email address. I hadn’t seen a numeric ID in the app (or in any previous shenanigans).
While this web application seemed completely unrelated, I thought I should try specifying my email in the
But that wouldn’t work, right?
To verify, I went to the mobile app and created another account.
I tried again with that email and it worked again!
An attacker could easily brute-force user ids (ex: 0-999999999999) or spray email addresses.
I reported it to their HackerOne program and eventually got a bounty!
Hope you learned from this story!
See you around,