New features means new bugs

Sometimes new features designed to generate revenue for a company can be rushed and sometimes not enough thought has gone into how to securely implement this new feature into the main web app. What does that usually mean? Bugs! The bigger the company the more products planned on the road map. The bigger the work load the more mistakes that are made.

How a new feature enabled me to bypass ID verification, very easily..

This is an interesting bug I found on a program which enabled me to bypass certain identification processes thanks to new features. The website in question required users to verify their ID in order to claim ownership of the company's page & honestly the process was pretty simple and straight forward. There wasn’t much to it and from my first tests it seemed pretty secure. There was nothing interesting when uploading my ID and I simply couldn’t find a way to achieve admin rights of a company. I moved on from testing on this feature for a long period of time.

~Enter a new feature~

A new feature was introduced which let page owners publish ads. Let’s get to play.

Straight away I noticed one major problem and that was the fact anyone could purchase ads for any company. It didn’t require me to be a member of this company first, I could simply select any company I wish from a drop down box. However things went from bad to worse very quickly. Upon purchasing ads for my chosen company I was then granted ownership of the company. Wait, really? What?! Could this get worse?

Oh yes.. it can. The second major problem was Sandbox CC details worked when purchasing ads. (4111 1111 1111 1111). This means an attacker could choose any company’s page he wishes, purchase ads using a sandbox CC number, and suddenly they had admin rights, at zero cost. Easy right? After obtaining admin rights I had access to do… well, everything. Edit or remove the page, remove other admins, browse their information etc.

Sean, am I reading that right? That simple?

Yup! A new feature designed to generate revenue for the company undermined their entire identification process and allowed me to claim ownership of any page from purchasing ads using a sandbox CC. (The ads still ran as well lol!).

If the sandbox CC test had failed I would of still continued with a real CC just to see what would happen, because if you don’t try, how will you ever know? (as long as the cost is low!). The fact it allowed me to begin the process for buying ads for a company without even proving my ID is what sparked my curiosity.

Devs.. don’t rush things! Think it through when implementing new features.

And hackers… always be on the look out for new features. Be sure to follow them on twitter, browse news on them weekly, keep up to date with what they are planning on releasing. Also don’t be afraid to spend some $$ when testing features on websites, just don’t spend LOADS. Also I recommend a separate card used just for BB transactions.

~ zseano

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store