Applause – uTest – Hacked Admin Panel – AUTHORIZATION ATTACK (OWASP TOP 10)

Steps that I performed to find this AUTHORIZATION Vulnerability in Applause / uTest

#1 Login to my tester account using my credentials

#2 Go to “Change Password” feature

#3 Enter my new password credentials

(Before I submit the form, I open Network tab from Developer Tools in Mozilla Firefox)

#4 I submitted the “Change Password” form

#5 I see PUT request for accountinfo page (This is to change password).

(I clicked on “Edit and Resend” for “accountinfo” request in order to make the edits in the request body )

#6 I see a user id of mine and I replace the ID and email with Peter Shih (I knew his email address because its available to utest tester. But, how did I find his user ID? Well, recently uTest released social networking feature on uTest where you can visit any testers or staff profile. It was interesting to see the profile picture tag having user id. This was for every user of uTest platform. I did a right-click on Peter Shih’s profile picture and clicked on “Inspect Element” to find out the user id in the HTML tag).

#7 I submitted the new request and I saw that request was successful.

#8 Later, I went to login form and entered Peter Shih’s email address and the password that I had set for Peter Shih. In the video, you see that I was successful in logging in to Peter Shih’s account which had admin role.

HIGHLIGHTS / RISKS

#1 The admin ids should always have email address which is not shared with any user (Its good to have a secret email account for admin logging in. Do not use the email id which is known by many people on the web and also don’t use the known email to create admin account).

#2 Never put your user ids in client-side code or request body. Sensitive data has to be encrypted very well and hard to decode using online decoders.

#3 As I could replace the id and change password for anyone on the utest platform, I could write automation script in order to change password for all the users by using the ids fetched through profile picture HTML tag of all users. In short, I could block all users on utest platform and stop the utest services for long time by always scheduling a script to keep changing their password on every 30 minutes. But, I did not do that because I love helping the global businesses to protect their users data and also bring security awareness in business people.

I am the #CleanWebMovement

Email transcript (The email that I sent to Applause team)

Santhosh said,

Hey Peter & Bryan,

Yes brother, its been long time. I may fly to New York sometime in May to speak at a security conference (May we we can catch-up for a beer and testing talks).

===============

Here are the quick details, I need to run to have some beer! 😉

I have attached a video (GIF format). If your engineering team needs more information even after looking into the video attachment, then let me know 🙂 I will be here to help you with the more details.

@Peter, Please change your password now. I used your ID to analyze the risk and I do not wanted to use some users ID because that may cause problem to your users. Its a critical vulnerability, I could login to your profile and from there I will be able to perform all the admin actions. Its in the video, you can see it.

I insist that this needs to be taken as high priority for the fix. You never know, black-hats may be looking for such things always!

Thanks for the e-mail, it was great to hear from you after a long time 🙂

Take care!

— Santhosh Tuppad
Testing is Exploratory!
Peter replied,

Thanks for sending this over. Definitely let me know the days you ate planning to speak and I’ll do my best to make it! I met your colleagues last year and it would be great to finally meet you.

@Bryan – feel free to get in contact with Santhosh directly. He’s an awesome tester.

I also re-tested the vulnerability and found that it was fixed. It was great working with Applause / uTest team where I could help them fixing this security vulnerability.