Social Engineering - A 50 Euro Bug

Summary:

In simple words, social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.

Description:

I found a simple social engineering vulnerability on YesWeHack a few months ago: I was able to learn the update status of any user's report just by giving that report's ID to the support team.

I simply asked the support team for a status update, quoting the report ID of another account, and they replied with the report's last-updated date. The support team disclosed only that much information, so YesWeHack accepted it as a low-risk issue and awarded a bounty of 50 euros.

I had read a similar HackerOne report (https://hackerone.com/reports/356566) in which someone asked the support team about another person's report status and was given the information, so I tried the same technique on YesWeHack.

How I found this vulnerability?

  1. I sent a mail from my Gmail account to the YesWeHack support team asking for an update on a report, quoting the report ID of another account.
(Screenshot: Update Email - YesWeHack Support)

  2. They replied with the report's last-updated date (May 11th).
(Screenshot: Reply - YesWeHack Support)

  3. I reported the issue, and it was accepted and rewarded.
(Screenshots: Accepted; Rewarded)

Why it happened?

In my opinion,

  1. It happened because the support team did not verify that the report ID supplied by the requester actually belonged to them. In most cases a support team does not check this and simply gives an update to whoever supplies a report ID.
  2. The report ID was guessable because all reports follow one fixed format, similar to #YWH-PGM0000-00: every report ID is #YWH-PGM followed by numeric values, so valid IDs can be enumerated.
(Diagram: Attacker to Support Flow)

Impact:

An attacker can obtain sensitive information about another user's report simply by providing that report's ID to the support team.

Calculated CVSS:

Vector String - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Score - 3.4 (Low)

Mitigation:

  1. Support staff should not disclose any information about a report to anyone who has not been verified as its owner; knowing the report ID must not count as proof of ownership.
  2. Report IDs should not be guessable.
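The two mitigations above, written out as an added example (this is not code from the original post and not YesWeHack's own support tooling). It assumes a hypothetical ticket-handling helper in which the requester's identity is the account they actually authenticated as (for example via the platform's logged-in support form or a verification link sent to the account's registered address), not the raw From: header of an inbound mail, which is trivially spoofed. The sample report records and IDs are constructed for the example. The ownership check deliberately returns the same generic answer for "report does not exist", "report belongs to someone else" and "malformed ID", so the support desk cannot be used as an oracle to confirm which IDs are valid; the second function shows how to mint a reference that cannot be enumerated the way the #YWH-PGM0000-00 format can.

```python
import re
import secrets

# Constructed sample data for the example: report ID -> owner account and
# last-update date. The IDs mimic the predictable #YWH-PGM0000-00 format
# described in the post; they are hypothetical, not real YesWeHack reports.
REPORTS = {
    "#YWH-PGM1234-01": {"owner": "alice@example.com", "last_updated": "2021-05-11"},
    "#YWH-PGM1234-02": {"owner": "bob@example.com", "last_updated": "2021-06-02"},
}

# Shape of the legacy, enumerable report ID (#YWH-PGM + 4 digits + '-' + 2 digits).
LEGACY_ID_RE = re.compile(r"^#YWH-PGM\d{4}-\d{2}$")

# One answer for every "not yours" case, so the reply leaks nothing about
# whether the ID exists or who owns it.
GENERIC_REPLY = "We could not find a report matching that reference on your account."


def support_reply(requester_account: str, report_id: str, reports=REPORTS) -> str:
    """Decide what a support agent may tell `requester_account` about `report_id`.

    `requester_account` must be the account the requester proved control of
    (logged-in support form, or a verification link sent to the account's
    registered e-mail). Never pass the From: header of an inbound mail here:
    it is attacker-controlled and proves nothing.

    The report's last-update date is disclosed only when the requester owns it.
    """
    account = requester_account.strip().lower()
    if not LEGACY_ID_RE.match(report_id):
        # Malformed reference: same generic answer as any other failure.
        return GENERIC_REPLY
    record = reports.get(report_id)
    if record is None or record["owner"].lower() != account:
        # Unknown ID and foreign ID are indistinguishable to the requester.
        return GENERIC_REPLY
    return f"Report {report_id} was last updated on {record['last_updated']}."


def new_report_ref(program: str = "PGM") -> str:
    """Mint a report reference that cannot be enumerated.

    The legacy format leaves at most 10**6 candidates per program, all of them
    sequential. Here the suffix is 80 bits from the OS CSPRNG (20 hex chars),
    so an attacker cannot walk the ID space or guess a neighbour's reference.
    The reference is still only a label: ownership is enforced by
    support_reply(), not by keeping the ID secret.
    """
    return f"#YWH-{program}-{secrets.token_hex(10)}"


NEW_REF_RE = re.compile(r"^#YWH-[A-Z0-9]+-[0-9a-f]{20}$")


if __name__ == "__main__":
    # Owner asks about their own report: status is disclosed.
    print(support_reply("alice@example.com", "#YWH-PGM1234-01"))
    # Someone else quotes Alice's report ID: generic answer, no date, no confirmation.
    print(support_reply("mallory@example.com", "#YWH-PGM1234-01"))
    # Unknown and malformed IDs produce the identical generic answer.
    print(support_reply("mallory@example.com", "#YWH-PGM9999-99"))
    print(support_reply("mallory@example.com", "not-a-report"))
    print(new_report_ref())
```

The point of the shared generic reply is that the attacker in the post learned two things from the support team: that the ID was valid, and when it was last updated. Returning a different message for "not found" versus "not yours" would still give away the first of those, which is enough to enumerate live report IDs in the predictable format.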

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|