Welcome! This is the first write-up of my Bug Bounty journey, explaining how I earned a $3000 reward from Yahoo. I hope you enjoy it.
I started my Bug Bounty journey after finishing my OSCP lab session in June. I began by checking yahoo.com.hk; it didn't go well for a month, but after reading the book "The Web Application Hacker's Handbook" I suddenly realised there might be a multistage logic flaw in the Yahoo Deals checkout process, so I decided to take a look, fuzz around, and see what could go wrong in the process. I finally came up with a bug that allowed me to buy arbitrary items at an arbitrary price on https://hk.deals.yahoo.com, https://hk.shop.yahoo.com and https://hk.auctions.yahoo.com.
Let's start digging.
Yahoo! Deals, Shop and Auctions are quite prominent services in Hong Kong; they provide a platform that allows users to trade items through the Yahoo Payment system. I started by buying an item on hk.shop.yahoo.com, followed along the process, and monitored the traffic with Burp Suite.
When I checked the checkout traffic, this is where things started to get interesting. Here is the request made when I pressed "Check Out Now":
If we look closely, you can see that orderInfo contains something important: paymentAmount is sent in plain text, in this case 450 HKD. I found this interesting and decided to manipulate this amount throughout the process. Fortunately, the Yahoo system kept validating the paymentAmount; when I changed it to other values, it returned this page.
I kept experimenting and could not find a way to bypass its validation of the price, until I finally reached the step where I was redirected to a third-party payment system to finish my credit card payment. Due to its sensitive nature, I am not going to include the name of the third-party payment system here.
Here is the Burp interception of the redirection:
If we look closely at the Referer header and the POST parameter "amount", we can see that the amount is once again transmitted in plain text, so I intuitively changed the amount to "5" in both places, and the result was a surprise.
From this point onward, everything went smoothly: I entered my credit card info, passed the mobile phone SMS authentication, and after finishing I was presented with this page.
I did a final check on my credit card statement, and the payment amount was indeed 5 HKD.
I believe the consequences of this bug are self-explanatory, so I am going to pass on explaining how this would affect Yahoo. This kind of vulnerability is a classic case of missing server-side validation of client-supplied data: the first checkout step did compare paymentAmount against the order, but the hand-off to the third-party payment system trusted the "amount" resubmitted by the browser instead of the price recorded for the order. The same class of flaw can lead to disastrous results such as bypassing login mechanisms, transferring money to an unauthorized account, and, in this case, purchasing items at a client-supplied price.
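To make the difference between the two checkout steps concrete, here is an added Python illustration. It is not Yahoo's code or the payment system's code; the order table, the gateway field names, the shared secret and the HMAC signing scheme are all assumptions made for the example. It shows the checkout step that rejected a tampered paymentAmount, the gateway hand-off that copied the client's "amount" straight into the payment request (the bug), a hardened hand-off that takes the amount from the server-side order and signs the request, and a callback check that refuses to mark the order paid unless the amount actually charged matches the order.

```python
"""Added example (not Yahoo's or the payment processor's code).

The order store, field names, GATEWAY_SECRET and the HMAC scheme are
constructed for illustration only.
"""
import hashlib
import hmac
import json

# Constructed server-side order store: the price the merchant actually agreed to.
ORDERS = {
    "ORD-1001": {"amount": 450, "currency": "HKD", "item": "Sample item"},
}

# Hypothetical secret shared between the merchant and the payment gateway.
# (A real gateway would sign its callbacks with its own key; one shared
# secret is used here to keep the example short.)
GATEWAY_SECRET = b"merchant-gateway-shared-secret"


def sign(fields: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the request fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def checkout_step(order_id: str, client_payment_amount: int) -> bool:
    """First step of the write-up: the client-sent paymentAmount is compared
    with the server-side order and the request is rejected if it differs."""
    order = ORDERS.get(order_id)
    return order is not None and order["amount"] == client_payment_amount


def gateway_request_vulnerable(order_id: str, client_amount: int) -> dict:
    """Hand-off to the third-party gateway as the bug behaved: the 'amount'
    POST parameter resubmitted by the browser is copied into the gateway
    request, so a user who edits it in Burp pays whatever they typed."""
    return {"order_id": order_id, "amount": client_amount, "currency": "HKD"}


def gateway_request_hardened(order_id: str, client_amount: int) -> dict:
    """Hardened hand-off: the amount is read from the server-side order, the
    client value is ignored (a mismatch is only logged as a tamper signal),
    and the request is signed so it cannot be edited in transit."""
    order = ORDERS[order_id]
    if client_amount != order["amount"]:
        print(f"tamper attempt on {order_id}: client sent {client_amount}")
    fields = {"order_id": order_id, "amount": order["amount"],
              "currency": order["currency"]}
    fields["sig"] = sign(fields)
    return fields


def verify_gateway_callback(callback: dict) -> bool:
    """When the gateway reports a completed payment, verify the signature and
    that the amount actually charged equals the order amount before marking
    the order as paid. This check alone would have caught a 5 HKD charge
    against a 450 HKD order even if the redirect had been tampered with."""
    fields = {k: v for k, v in callback.items() if k != "sig"}
    if not hmac.compare_digest(sign(fields), callback.get("sig", "")):
        return False
    order = ORDERS.get(fields.get("order_id"))
    return (order is not None
            and fields.get("amount") == order["amount"]
            and fields.get("currency") == order["currency"])


if __name__ == "__main__":
    # Legitimate flow: 450 HKD at checkout and 450 HKD to the gateway.
    print(checkout_step("ORD-1001", 450))                       # True
    # The write-up's attack: checkout rejects 5, but the redirect accepts it.
    print(checkout_step("ORD-1001", 5))                         # False
    print(gateway_request_vulnerable("ORD-1001", 5)["amount"])  # 5
    print(gateway_request_hardened("ORD-1001", 5)["amount"])    # 450
```

The point of the hardened version is that the amount never round-trips through the browser as an authoritative value: the server looks it up from its own order record when building the gateway request, and the callback is only trusted if the charged amount equals that record. Any client-editable copy of the price (in a POST body, a Referer URL or a hidden field) is then just noise.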
Thank you very much for reading my first bug bounty write-up; I hope you enjoyed it.
If you are a bug bounty hunter living in Hong Kong, please let me know and contact me as soon as possible, because I am desperate to find a local friend to share ideas on hunting bugs with.
Feel free to leave your thoughts below; there will be a few more write-ups coming in the next few weeks.
Jul 15th 2016: Reported to Yahoo
Jul 15th 2016: Received a response from junot asking me to confirm that the credit card was indeed charged HKD 5
Jul 16th 2016: Provided credit card statement to Yahoo
Jul 20th 2016: Received a response from junot that they had fixed the bug, asking me to confirm the fix
Jul 27th 2016: Received a response from junot about the Bug Bounty award of $3000 USD