Full account takeover through referral code.
This writeup describes a full account takeover using a referral code that I found on a third-party service that Shipt uses.
I started with subdomain enumeration using Sublist3r and found
ambassadors.shipt.com, where I saw a normal registration page and signed up for an account.
After signing up, it redirects you to your account immediately, without logging in.
At that point I noticed a referral/sharing URL.
I copied the referral URL and opened it in a new private window. The signup page appeared again, and I thought: what happens if I enter an email belonging to
I googled for Shipt employee emails and got a name (redacted), so I entered
firstname.lastname@example.org in the email field and clicked sign up!
I was expecting either
an error indicating that the email already existed, or
a freshly created account, but instead
I was signed in to the
email@example.com account directly, without any authentication.
I retested it with another support email belonging to
@shipt.com and got an account with a large balance that was ready to pay out.
At first I didn't know the exact reason this happened, so I went back to retest the behavior: I launched Burp and captured the registration request.
What caught my attention was the
short_code parameter. When I removed it and tried to access another account, it no longer worked.
So I concluded that:
the share/referral code parameter was an indicator to the web application that the account was a new one, and
the application redirected me to the account after signup whenever a share code was sent with the request, even if the account already existed in their system.
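To make the inferred flaw concrete, here is an added example (not Shipt's code, and not taken from the original writeup) that models the signup logic described above: a handler that treats a referral code as proof the account is new, beside a hardened version that checks for an existing email before anything else. The in-memory store, the field names, the sample victim account and the referral code are all assumptions for illustration; `attempt_takeover` replays the test from the Burp session, signing up with a pre-existing email with and without the code.

```python
# Added illustration of the logic inferred in the writeup; hypothetical code,
# not Shipt's. Store, sample data and field names are constructed for the demo.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class User:
    email: str
    balance: float = 0.0            # the "ready to pay out" balance in the writeup
    referred_by: Optional[str] = None


@dataclass
class Store:
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)        # token -> email
    referral_codes: Dict[str, str] = field(default_factory=dict)  # code -> referrer


def issue_session(store: Store, user: User) -> dict:
    """Log the caller in as `user` by minting a session token."""
    token = secrets.token_hex(16)
    store.sessions[token] = user.email
    return {"session": token, "email": user.email}


def vulnerable_signup(store: Store, email: str, short_code: Optional[str] = None) -> dict:
    """Flawed handler: a valid referral code is taken as proof the account is new.

    With short_code present the duplicate-email check is skipped and the
    handler does get-or-create, so an existing account gets logged in.
    """
    if short_code is not None and short_code in store.referral_codes:
        user = store.users.get(email)
        if user is None:
            user = User(email, referred_by=store.referral_codes[short_code])
            store.users[email] = user
        return issue_session(store, user)        # existing user here = takeover
    if email in store.users:
        return {"error": "email already exists"}
    user = User(email)
    store.users[email] = user
    return issue_session(store, user)


def fixed_signup(store: Store, email: str, short_code: Optional[str] = None) -> dict:
    """Hardened handler: existence check first; the referral is bookkeeping only."""
    if email in store.users:
        return {"error": "email already exists"}
    referrer = store.referral_codes.get(short_code) if short_code else None
    if short_code is not None and referrer is None:
        return {"error": "unknown referral code"}
    user = User(email, referred_by=referrer)
    store.users[email] = user
    return issue_session(store, user)


def seeded_store() -> Store:
    """Constructed sample data: one pre-existing victim account, one valid share code."""
    store = Store()
    store.users["victim@example.org"] = User("victim@example.org", balance=4200.0)
    store.referral_codes["abc123"] = "referrer@example.org"
    return store


def attempt_takeover(handler: Callable[..., dict], short_code: Optional[str]) -> bool:
    """Replay the writeup's test: sign up with the victim's email, with or
    without the referral code. True if the caller ends up holding a session
    bound to the pre-existing account rather than a fresh one (or an error)."""
    store = seeded_store()
    resp = handler(store, "victim@example.org", short_code)
    token = resp.get("session")
    if token is None:
        return False
    owner = store.users[store.sessions[token]]
    return owner.balance == 4200.0


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_signup), ("fixed", fixed_signup)):
        for code in ("abc123", None):
            print(f"{name:10s} short_code={code!r:9s} takeover={attempt_takeover(handler, code)}")
```

The point the model makes is that the referral code must never change which branch decides whether an email is already registered; it is metadata to record once the new account is created. When retesting a finding like this, send the same request twice, once with and once without the suspect parameter, exactly as the Burp test above did, because the difference between the two responses is the evidence that the parameter is the trigger.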
Report timeline:
- August 20, 2018 — Bug reported
- August 20, 2018 — Bug triaged
- August 22, 2018 — Bounty rewarded: $700
- August 23, 2018 — Report resolved