Abusing Multistage Logic Flaw to Buy Anything for Free at hk.deals.yahoo.com

Welcome! This is the first write-up of my Bug Bounty Journey. It explains how I earned a $3000 reward from Yahoo; I hope you enjoy it.

Introduction

I started my Bug Bounty Journey after finishing my OSCP lab session in June. I began with yahoo.com.hk, and for a month it did not go well. After reading “The Web Application Hacker's Handbook”, though, I realised there might be a multistage logic flaw in the Yahoo Deals checkout process, so I decided to take a closer look, fuzz around, and see what could go wrong between the steps. I eventually found a bug that allowed me to buy arbitrary items at an arbitrary price on https://hk.deals.yahoo.com, https://hk.shop.yahoo.com and https://hk.auctions.yahoo.com.

Let's start digging

Yahoo! Deals, Shop and Auctions are quite prominent services in Hong Kong: they provide a platform on which users trade items and pay through the Yahoo Payment system. I started by buying an item at hk.shop.yahoo.com, following the normal process while monitoring the traffic with Burp Suite.

Buying Page in Yahoo
Entering Delivery Content in Yahoo

When I examined the checkout traffic, things started to get interesting. Here is the request made when I pressed “Check Out Now”:

Checkout in Cart Burp Interception

If you look closely, you can see that orderInfo contains something important: paymentAmount is sent as a client-controlled value in the request, in this case 450 HKD. I found this interesting and decided to try manipulating the amount throughout the process. Unfortunately for me, the Yahoo system kept validating paymentAmount at this stage; whenever I changed it to another value, it returned this page:

Checkout Error when trying to manipulate the paymentAmount

I kept experimenting and could not find a way to bypass its price validation, until I finally reached the stage where I was redirected to a third-party payment system to complete the credit card payment. Because of its sensitive nature, I am not going to name the third-party payment system here.

Here is the Burp interception of the redirection:

Details of Redirection of Third Party Payment Checkout Process

Looking closely at the Referer header and the POST parameter “amount”, we can see that the amount is once again transmitted as a client-controlled value, but this time it is being handed to the payment system rather than checked against the order. So I changed the amount to “5” in both places, and the result was a surprise.

A Payment Page that is stating to accept HKD 5

From this point onward everything went smoothly: I entered my credit card details, passed the mobile phone SMS authentication, and on completion I was presented with this page.

Successful Checkout Page in Yahoo

As a final check I looked at my credit card statement: the payment amount was indeed 5 HKD, while the order had been confirmed at the full price.

The End

I believe the consequences of this bug are self-explanatory, so I will pass on explaining how it would affect Yahoo. This kind of vulnerability is a classic case of missing validation of client-supplied data in a multistage process: the price was validated at the cart stage, but the later hand-off to the payment system trusted a fresh copy of the amount from the client and nothing reconciled the amount actually paid against the order. The same class of flaw can lead to disastrous results such as bypassing a login mechanism, transferring money to an unauthenticated account, and, as in this case, purchasing items at a client-supplied price.
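To make the flaw concrete, here is an added example (my illustration, not Yahoo's code or anything from the original post) of a toy multistage checkout. Stage 1 validates the client's paymentAmount, exactly as the cart step in the write-up did, but the vulnerable stage 2 hand-off to the gateway re-reads `amount` from the client form. The hardened version builds the gateway payload from the server-side order record and signs it, and the settlement step refuses to mark an order paid when the settled amount differs from the order. The order ID, price, shared secret and HMAC scheme are constructed for illustration; a real gateway's signing scheme will differ.

```python
"""
Toy model of a multistage checkout with a price-tampering flaw at the
payment hand-off, plus the hardened version. Constructed example; not the
merchant's or gateway's real code.
"""
import hashlib
import hmac

# Constructed server-side order store: the canonical price lives here.
ORDERS = {"ORD-1001": {"item": "Headphones", "price_hkd": 450}}

# Assumption: the gateway shares a secret and verifies an HMAC over the form.
GATEWAY_SECRET = b"shared-secret-with-gateway"


class CheckoutError(Exception):
    """Raised when a stage rejects the request."""


def stage1_checkout(order_id, client_amount):
    """Cart checkout: the server validates the client-supplied paymentAmount."""
    order = ORDERS[order_id]
    if client_amount != order["price_hkd"]:
        raise CheckoutError("paymentAmount does not match order")
    return order_id


def stage2_redirect_vulnerable(order_id, client_amount):
    """Vulnerable hand-off: trusts the 'amount' POSTed by the browser again,
    with no cross-check against the order validated in stage 1."""
    return {"order_id": order_id, "amount": client_amount}


def sign(payload):
    """HMAC over the fields the gateway must not let the client alter."""
    msg = f"{payload['order_id']}|{payload['amount']}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def stage2_redirect_hardened(order_id):
    """Hardened hand-off: the amount comes from the server-side order and the
    payload is signed so the gateway can reject a tampered form."""
    payload = {"order_id": order_id, "amount": ORDERS[order_id]["price_hkd"]}
    payload["sig"] = sign(payload)
    return payload


def gateway_charge(payload, tampered_amount=None):
    """Simulated gateway. `tampered_amount` models the attacker editing the
    form in Burp before it reaches the gateway. If a signature is present it
    is verified; otherwise the gateway charges whatever amount it is given."""
    form = dict(payload)
    if tampered_amount is not None:
        form["amount"] = tampered_amount
    if "sig" in form and not hmac.compare_digest(form["sig"], sign(form)):
        raise CheckoutError("gateway: signature mismatch")
    return {"order_id": form["order_id"], "paid_hkd": form["amount"]}


def settle_order(receipt):
    """Merchant-side settlement: even with a naive gateway, the merchant must
    compare the settled amount with its own record before marking the order
    as paid. This is the check the write-up shows was missing."""
    expected = ORDERS[receipt["order_id"]]["price_hkd"]
    if receipt["paid_hkd"] != expected:
        raise CheckoutError(f"paid {receipt['paid_hkd']} but order is {expected}")
    return "PAID"


def raises(fn, *args, **kwargs):
    """True if calling fn raises CheckoutError (helper for demonstrations)."""
    try:
        fn(*args, **kwargs)
    except CheckoutError:
        return True
    return False


def run_exploit_vulnerable():
    """Replays the write-up: stage 1 rejects 5 HKD, but the vulnerable stage 2
    happily forwards 5 HKD to the gateway, which charges it."""
    assert raises(stage1_checkout, "ORD-1001", 5)
    stage1_checkout("ORD-1001", 450)           # pay the real price here
    payload = stage2_redirect_vulnerable("ORD-1001", 5)  # ...then tamper
    return gateway_charge(payload)["paid_hkd"]


def run_exploit_hardened():
    """Same attacker moves against the hardened flow: the tampered form fails
    the gateway signature check, and the untampered one settles at 450."""
    stage1_checkout("ORD-1001", 450)
    payload = stage2_redirect_hardened("ORD-1001")
    tampered_rejected = raises(gateway_charge, payload, tampered_amount=5)
    status = settle_order(gateway_charge(payload))
    return tampered_rejected, status
```

`run_exploit_vulnerable()` returns 5, the amount the gateway charged, and `settle_order` would reject that receipt, which is the reconciliation that was missing. `run_exploit_hardened()` shows both defences: the signature stops the tampered form at the gateway, and the settlement check would catch it even if the gateway did not.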

Thank you very much for reading my first bug bounty write-up; I hope you enjoyed it.

If you are a bug bounty hunter living in Hong Kong, please get in touch as soon as you can: I am desperate to find a local friend to share bug hunting ideas with.

Feel free to leave your thoughts below; there will be a few more write-ups in the coming weeks.

Timeline:

Jul 15th 2016: Reported to Yahoo

Jul 15th 2016: Received a response from junot asking me to confirm that the credit card was indeed charged HKD 5

Jul 16th 2016: Provided the credit card statement to Yahoo

Jul 20th 2016: Received a response from junot saying they had fixed the bug and asking me to confirm the fix

Jul 27th 2016: Received a response from junot confirming a Bug Bounty award of USD 3000

2 thoughts on “Abusing Multistage Logic Flaw to Buy Anything for Free at hk.deals.yahoo.com”

  1. Nice hunting. I hope to read new write-ups. I am a newbie in bug hunting and your detailed description of your finding was amazing (since other hunters don't share the bugs they have hunted in YaHoO).

    Thanks a lot and congrats.
