Full account takeover through referral code.

Hey all,

This writeup describes full account access using a referral code I found in a third-party service that Shipt uses.

I started by enumerating subdomains with Sublist3r and got ambassadors.shipt.com. I saw a normal registration page and signed up for an account.

After signing up, it redirects you to your account immediately without logging in.

At that time, I saw a referring/sharing URL.

I copied the referring URL, went to a new private window and saw the signup page appearing again. I thought: what happens if I add an email belonging to @shipt.com?

I went and googled for Shipt employee emails and got a name (redacted), so I entered redacted@shipt.com in the email field and clicked sign up!

I was expecting an error indicating the email already exists, or a newly created account, but…!

Boom !

I was signed in to the redacted@shipt.com account directly without any authentication.

I retested it on another support email belonging to @shipt.com and got an account with big $$$$ of money ready to pay out.

At first I didn’t know the exact reason why it happened, so I went to retest the behavior: I launched Burp and captured the registration request.

What got my attention was the short_code parameter; I removed it, tried to access another account, and it didn’t work.

So I concluded at the end that:

The share/referral code parameter was an indicator to the web application that the account is a new one.

The application was redirecting me to the account after signing up if a share code was sent with the request, even if the account already existed in their system.
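To make the logic flaw concrete, here is an added illustration (not Shipt's or the ambassador platform's code) of a registration handler that takes a referral short_code as proof that the account is new, beside a version where the existence check runs first and ignores the referral parameter. The in-memory stores, function names and session format are assumptions.

```python
# Added illustration of the flaw described in the writeup: a signup handler
# that treats a referral short_code as proof the account is new. The store,
# function names and session format are assumptions, not the real platform's.
import secrets

# Constructed sample data: one pre-existing account and one valid referral code.
ACCOUNTS = {"employee@example.com": {"balance": 1250.00}}
REFERRAL_CODES = {"abc123": "referrer@example.com"}
SESSIONS = {}


def _issue_session(email):
    """Create a session token bound to an account (assumed session store)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return token


def signup_vulnerable(email, short_code=None):
    """Flawed flow: a valid short_code short-circuits the 'already exists'
    check, so the caller is logged straight into whichever account the
    email names, with its existing balance intact."""
    if short_code in REFERRAL_CODES:
        ACCOUNTS.setdefault(email, {"balance": 0.0})   # existing record is kept
        return {"ok": True, "session": _issue_session(email)}
    if email in ACCOUNTS:
        return {"ok": False, "error": "email already registered"}
    ACCOUNTS[email] = {"balance": 0.0}
    return {"ok": True, "session": _issue_session(email)}


def signup_fixed(email, short_code=None):
    """Hardened flow: the existence check runs first and does not depend on
    any referral parameter; a referral only annotates a genuinely new account."""
    if email in ACCOUNTS:
        return {"ok": False, "error": "email already registered"}
    if short_code is not None and short_code not in REFERRAL_CODES:
        return {"ok": False, "error": "invalid referral code"}
    ACCOUNTS[email] = {"balance": 0.0,
                       "referred_by": REFERRAL_CODES.get(short_code)}
    return {"ok": True, "session": _issue_session(email)}
```

The same existence-first ordering applies to any "create or log in" flow: a parameter the client controls must never decide whether an account is new.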

Report timeline:

  • August 20, 2018 — Bug reported
  • August 20, 2018 — Bug triaged
  • August 22, 2018 — Bounty rewarded: $700
  • August 23, 2018 — Report resolved