New features means new bugs

How a new feature enabled me to bypass ID verification, very easily..

This is an interesting bug I found on a program which enabled me to bypass certain identification processes thanks to new features. The website in question required users to verify their ID in order to claim ownership of the company's page & honestly the process was pretty simple and straight forward. There wasn’t much to it and from my first tests it seemed pretty secure. There was nothing interesting when uploading my ID and I simply couldn’t find a way to achieve admin rights of a company. I moved on from testing on this feature for a long period of time.

Sean, am I reading that right? That simple?

Yup! A new feature designed to generate revenue for the company undermined their entire identification process and allowed me to claim ownership of any page from purchasing ads using a sandbox CC. (The ads still ran as well lol!).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sean (zseano)

Sean (zseano)

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com