Badoo Account Takeover. This article is published by Harsh Jaiswal, a contributor on Bug Bounty POC.


by harshjaiswal · Published March 27, 2016 · Updated April 12, 2016

Badoo Account Takeover – Bug Bounty POC

Note that this article is written by Harsh Jaiswal, and any mistake in the write-up should be attributed solely to him. We allow anyone to publish articles on our blog as a guest/contributor so that others may learn. If you are interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and post.

Thanks a lot Bharat & Behroz for this amazing platform. I'm a newbie; soon I'll share my other 2 FB bugs, worth a total of $3000.

Hey everyone out there! Today I want to share my finding on Badoo, in which I was able to take over a user's account just by sending him/her a malicious link.

Badoo is a dating-focused social network service, founded in 2006 and headquartered in Soho, London. The site operates in 180 countries and is most popular in Latin America, Spain, Italy and France. Badoo ranks as the 281st most popular website in the world, according to Alexa Internet as of April 2014. The site operates on a freemium model: to gain extra features, a user can pay a fee or allow Badoo to email all of his or her friends.

Let's begin

First of all I want to thank my good friend Rudra, who constantly encourages me. He gave me a simple link and I got an account takeover from it.

The bug was very simple: it works on a CSRF and a token misconfiguration. And only valid for

When we import photos from Facebook or Instagram, the request does not carry any anti-CSRF token, and the Facebook token that Badoo generates is valid for every user. So I can give a link generated from my own Facebook account to another user to import photos; if the user clicks OK, the pictures are imported to their profile.

But how did I get a takeover here?

The thing I noticed is that the generated link replaces the user's linked FB account with the attacker's FB account, and the best part was that the user only has to visit the link; no click on Cancel or OK is required.

Now an attacker can log in via FB and completely take over the account, with access to all of the victim's chats, private photos and everything else.

The bug was patched within 2 days of the initial report. The reward ($850) was far from my expectation.

Steps to reproduce:

1. Create two Badoo accounts, 'attacker' and 'victim', and link a different FB account to each of them.

2. Log in as 'attacker', choose "import photos via FB", and copy the link from the URL bar.

3. Now log in as 'victim' in a different browser, open the link and click Cancel.

4. The FB account of 'victim' is replaced with the FB account of 'attacker' (taken from the 'attacker' link).

5. Log in via the attacker's FB account and you will be logged in to the 'victim' account.

Congrats, you just hacked the victim's account.

Additional description

Suppose an attacker has an account 'A' with FB linked, which is 'FB-of-A', and a victim has an account 'B' with FB linked, which is 'FB-of-B'. Now the attacker creates a link to import photos from his FB and gives it to victim 'B'. He opens it and presses Cancel, but this has already changed his FB account 'FB-of-B' to the attacker's FB account 'FB-of-A'. Now the attacker can log in with his own FB account into the victim's Badoo account.
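The root cause above is that the import/link token is valid for every user, so a link minted in A's session completes in B's session. The fix a defender wants is to bind the linking flow to the session that started it and make the state single-use. The sketch below is an added example, not Badoo's code: it assumes an in-memory session table and an OAuth-style one-time state, and treats the Facebook identity as already verified (the exchange with Facebook is out of scope).

```python
"""Session-bound state for a 'link Facebook account' flow (added example)."""
import secrets

# Constructed in-memory stores standing in for the real database (assumption).
sessions = {"sess-A": "A", "sess-B": "B"}          # browser session -> Badoo user
users = {"A": {"fb_id": "FB-of-A"}, "B": {"fb_id": "FB-of-B"}}
pending = {}                                       # state -> user who started the flow


def start_import(session_id):
    """User clicks 'import photos from Facebook': mint an unguessable one-time
    state and record which logged-in user it was issued to."""
    user = sessions[session_id]
    state = secrets.token_urlsafe(32)
    pending[state] = user
    return state


def finish_import(session_id, state, fb_identity):
    """Callback that re-links the account. fb_identity is assumed to be the
    identity already verified with Facebook. Only the user who started the flow
    may complete it, and the state is consumed so the link cannot be replayed."""
    user = sessions.get(session_id)
    owner = pending.pop(state, None)
    if user is None or owner is None or owner != user:
        # Leave the linked identity of whoever opened the link untouched.
        return "rejected", users[user]["fb_id"] if user else None
    users[user]["fb_id"] = fb_identity
    return "linked", fb_identity


def attacker_link_opened_by_victim():
    """A starts the flow and hands the resulting link to B, who opens it while
    logged in as B. B's linked Facebook identity must stay FB-of-B."""
    state = start_import("sess-A")
    return finish_import("sess-B", state, "FB-of-A")


def owner_completes_own_flow():
    """The legitimate case: A completes the flow that A started."""
    state = start_import("sess-A")
    return finish_import("sess-A", state, "FB-of-A")


if __name__ == "__main__":
    print(attacker_link_opened_by_victim())   # ('rejected', 'FB-of-B')
    print(owner_completes_own_flow())         # ('linked', 'FB-of-A')
```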

I can chat with my victim on Badoo and have his/her account hacked within five minutes.

Bug Timeline

09 March: Reported

10 March: Bounty rewarded, 850 USD

11 March: Bug patched